Creating a service account
Create a service account to manage resources under a different account.
You must have the iam.serviceAccounts.admin role or higher for the folder to create a service account.
Note
A service account is created inside a folder. Once a service account has been created, you cannot change the folder.
You can assign roles to a service account for any resources in any cloud if these resources belong to the same organization as the service account. You can also assign roles to a service account for the organization.
Create a service account

Management console

- Log in to the management console.
- On the left side of the screen, click the line with the name of the folder where you want to create a service account.
- Go to Identity and Access Management.
- Click Create service account.
- Enter a name for the service account.
  Follow these naming requirements:
  - It must be from 2 to 63 characters long.
  - It can only contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
  Make sure the service account name is unique within your cloud.
- Click Create.
CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

- Check the description of the command for creating a service account:
  yc iam service-account create --help
- Create a service account named my-robot:
  yc iam service-account create --name my-robot
  Follow these naming requirements:
  - It must be from 2 to 63 characters long.
  - It can only contain lowercase Latin letters, numbers, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

- In the configuration file, describe the resources you want to create:

  resource "yandex_iam_service_account" "sa" {
    name        = "<service_account_name>"
    description = "<service_account_description>"
    folder_id   = "<folder_ID>"
  }

  Where:
  - name: Service account name. This is a required parameter.
  - description: Service account description. This is an optional parameter.
  - folder_id: Folder ID. This is an optional parameter. It defaults to the value specified in the provider settings.

  For more information about yandex_iam_service_account properties, see the Terraform provider documentation.
- Make sure the configuration files are correct.
  - In the command line, navigate to the directory where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration description is correct, the terminal will display information about the service account. If the configuration contains any errors, Terraform will show them.
- Deploy the cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the service account by typing yes in the terminal and pressing Enter.
    This will create the service account. You can check it using the management console or this CLI command:
    yc iam service-account list
API

To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
Examples

Add a description when creating a service account

Create a service account with the following name and description:

CLI:

  yc iam service-account create --name my-robot \
    --description "this is my favorite service account"

Terraform:

  resource "yandex_iam_service_account" "sa" {
    name        = "my-robot"
    description = "this is my favorite service account"
  }

API:

  curl \
    --request POST \
    --header 'Content-Type: application/json' \
    --header "Authorization: Bearer <IAM_token>" \
    --data '{
      "folderId": "b1gvmob95yys********",
      "name": "my-robot",
      "description": "this is my favorite service account"
    }' \
    https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts
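Added example, not part of the Yandex Cloud documentation: a Python helper that checks a service account name against the naming requirements listed above and builds the JSON body for the REST create call shown in the curl example. The function names are my own; the folder ID is the masked placeholder from the page, and the body is returned rather than sent, so no IAM token is handled here.

```python
import json
import re
import string
from typing import Optional

# Naming requirements for a service account, as listed in the documentation:
# 2 to 63 characters, only lowercase Latin letters, digits and hyphens,
# must start with a letter and must not end with a hyphen.
SA_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,61}[a-z0-9]$")

# REST endpoint used by the curl example on this page.
CREATE_URL = "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts"


def validate_sa_name(name: str) -> list:
    """Return the list of violated naming rules; an empty list means the name is valid."""
    problems = []
    if not 2 <= len(name) <= 63:
        problems.append("length must be 2 to 63 characters")
    if re.search(r"[^a-z0-9-]", name):
        problems.append("only lowercase Latin letters, digits and hyphens are allowed")
    if not name or name[0] not in string.ascii_lowercase:
        problems.append("must start with a lowercase letter")
    if name.endswith("-"):
        problems.append("must not end with a hyphen")
    return problems


def build_create_request(folder_id: str, name: str,
                         description: Optional[str] = None) -> dict:
    """Build the JSON body for POST CREATE_URL (fields as in the curl example).

    The name is checked locally first so a malformed request is never sent.
    """
    problems = validate_sa_name(name)
    if problems:
        raise ValueError(f"invalid service account name {name!r}: " + "; ".join(problems))
    body = {"folderId": folder_id, "name": name}
    if description:  # optional parameter, omitted when empty
        body["description"] = description
    return body


if __name__ == "__main__":
    # Folder ID is the masked placeholder from the page's curl example.
    body = build_create_request("b1gvmob95yys********", "my-robot",
                                "this is my favorite service account")
    print(json.dumps(body, indent=2))
    for candidate in ["My-Robot", "1robot", "my-robot-", "a"]:
        print(candidate, "->", validate_sa_name(candidate))
```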