Creating a service account
Create a service account to manage resources under a different account.
Note
A service account is created inside a folder. Once a service account has been created, you cannot change the folder.
You can assign roles to a service account for any resources in any cloud if these resources belong to the same organization as the service account. You can also assign roles to a service account for the organization.
Create a service account
-
Go to the management console.
-
On the left side of the screen, click the line with the name of the folder where you want to create a service account.
-
In the list of services, select Identity and Access Management.
-
Click Create service account.
-
Enter a name for the service account.
The name format requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
Make sure the service account name is unique within your cloud.
-
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
-
Check the description of the command for creating a service account:
yc iam service-account create --help -
Create a service account named
my-robot:yc iam service-account create --name my-robotThe name format requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
resource "yandex_iam_service_account" "sa" { name = "<service_account_name>" description = "<service_account_description>" folder_id = "<folder_ID>" }name: Service account name. This is a required parameter.description: Service account description. This is an optional parameter.folder_id: Folder ID. This is an optional parameter. By default, the value specified in the provider settings is used.
For more information about the
yandex_iam_service_accountresource parameters in Terraform, see the relevant provider documentation. -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is specified correctly, the terminal will display information about the service account. If there are errors in the configuration, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm creating the service account: type
yesin the terminal and press Enter.The service account will then be created. You can check the new service account using the management console or this CLI command:
yc iam service-account list
-
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
Examples
Add a description when creating a service account
Create a service account with the following name and description:
yc iam service-account create --name my-robot \
--description "this is my favorite service account"
resource "yandex_iam_service_account" "sa" {
name = "my-robot"
description = "this is my favorite service account"
}
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{
"folderId": "b1gvmob95yys********",
"name": "my-robot",
"description": "this is my favorite service account"
}' \
https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts