Creating a service account
Create a service account to manage resources under a different account.
You must have the iam.serviceAccounts.admin role or higher for the folder to create a service account.
Note
A service account is created inside a folder. Once a service account has been created, you cannot change the folder.
You can assign roles to a service account for any resources in any cloud if these resources belong to the same organization as the service account. You can also assign roles to a service account for the organization.
Create a service account
-
Go to the management console.
-
On the left side of the screen, click the line with the name of the folder where you want to create a service account.
-
In the list of services, select Identity and Access Management.
-
Click Create service account.
-
Enter a name for the service account.
The name format requirements are as follows:
- It must be from 2 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
Make sure the service account name is unique within your cloud.
-
Click Create.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
Check the description of the command for creating a service account:
yc iam service-account create --help -
Create a service account named
my-robot:yc iam service-account create --name my-robotThe name should match the following format:
- It must be from 2 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- It must start with a letter and cannot end with a hyphen.
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
-
In the configuration file, define the parameters of the resources you want to create:
resource "yandex_iam_service_account" "sa" { name = "<service_account_name>" description = "<service_account_description>" folder_id = "<folder_ID>" }name: Service account name. This is a required parameter.description: Service account description. This is an optional parameter.folder_id: Folder ID. This is an optional parameter. By default, the value specified in the provider settings is used.
For more information about the
yandex_iam_service_accountresource parameters in Terraform, see the provider documentation. -
Make sure the configuration files are correct.
-
In the command line, go to the directory where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is specified correctly, the terminal will display information about the service account. If there are errors in the configuration, Terraform will point them out.
-
-
Deploy the cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply -
Confirm creating the service account: type
yesin the terminal and press Enter.The service account will then be created. You can check the new service account using the management console or this CLI command:
yc iam service-account list
-
To create a service account, use the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
Examples
Add a description when creating a service account
Create a service account with the following name and description:
yc iam service-account create --name my-robot \
--description "this is my favorite service account"
resource "yandex_iam_service_account" "sa" {
name = "my-robot"
description = "this is my favorite service account"
}
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{
"folderId": "b1gvmob95yys********",
"name": "my-robot",
"description": "this is my favorite service account"
}' \
https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts