© 2025 Direct Cursus Technology L.L.C.
Yandex Identity and Access Management

In this article:

  • Getting started
  • Create a service account
  • Configure the CLI to work under a service account
  • Delete the service account
  • What's next

Getting started with service accounts

Written by
Yandex Cloud
Improved by
Danila N.
Updated at May 13, 2025

In IAM, you can create service accounts. These are auxiliary accounts that your programs can use to perform operations in Yandex Cloud. Service accounts are free of charge and enable flexible access management for your programs. For more information, see Service accounts.

This guide is intended for cloud owners and users with the administrator role for a cloud or folder. Users with the editor role can also create service accounts, but they cannot assign roles, so they cannot allow a service account to perform operations in Yandex Cloud.

Checking for required roles is described in the Getting started section.

You will learn how to:

  • Create service accounts and assign roles to them.
  • Run operations in the CLI.
  • Delete service accounts.

Getting started

  1. Log in to the management console. If you have not signed up yet, navigate to the management console and follow the on-screen instructions.

  2. Make sure that you have the required roles:

    1. In the management console, select the appropriate cloud from the list on the left.

    2. Navigate to the Access bindings tab.

    3. Specify your account in the search bar.

    4. Check that your account has the following roles:

      • Organization owner (organization-manager.organizations.owner) or administrator (organization-manager.admin)
      • Cloud owner (resource-manager.clouds.owner) or administrator (admin)
  3. On the Yandex Cloud Billing page, make sure you have a linked billing account and its status is ACTIVE or TRIAL_ACTIVE. If you do not have a billing account yet, create one.

Create a service account

To create a service account and assign roles to it:

  1. Go to the management console.

  2. On the left side of the screen, click the line with the name of the folder where you want to create a service account.

  3. In the list of services, select Identity and Access Management.

  4. Click Create service account.

  5. Enter a name for the service account.

    The name format requirements are as follows:

    • It must be from 2 to 63 characters long.
    • It may contain lowercase Latin letters, numbers, and hyphens.
    • It must start with a letter and cannot end with a hyphen.

    Make sure the service account name is unique within your cloud.

  6. To assign the service account a role for the current folder, click Add role and select a role, e.g., editor.

    To assign a role for another resource, use the CLI or API as described in the Assigning roles to a service account guide.

  7. Click Create.

Note

Other users can also use the service account you created. To allow them to do this, assign them the required roles for this account.

Configure the CLI to work under a service account

You can perform operations under a service account via the Yandex Cloud CLI, API, and other tools that support service account-based authentication.

Configure the CLI to work on behalf of a service account:

  1. If you do not have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

  2. The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  3. Get a list of available service accounts in the default folder:

    yc iam service-accounts list
    

    Result:

    +----------------------+----------+--------+
    |          ID          |   NAME   | LABELS |
    +----------------------+----------+--------+
    | ajeb9l33h6mu******** | my-robot |        |
    +----------------------+----------+--------+
    
  4. Create an authorized key for your service account and save it to a file:

    yc iam key create --output <key_file_path> --service-account-name <service_account_name>
    

    Where:

    • --output: Path to the file for saving the authorized key in JSON format. This is a required parameter.
    • --service-account-name: Service account name.

    For example:

    yc iam key create --output key.json --service-account-name my-service-account
    

    Result:

    id: aje4lue48687********
    service_account_id: ajeb9l33h6m********
    created_at: "2024-08-01T11:58:52.313177213Z"
    key_algorithm: RSA_2048
    

    For more information about the yc iam key create command, see the CLI reference.

  5. Create a profile to execute operations on behalf of the service account:

    yc config profile create <profile_name>
    
  6. Specify the authorized key of the service account in the profile configuration:

    yc config set service-account-key <key_file_path>
    

Now you can perform operations on behalf of a service account, such as viewing the list of folders available to this account:

    yc resource-manager folder list
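
Steps 4 to 6 above as one POSIX shell script, added here as an example and not part of the original guide. The authorized key file contains the service account's private key, so the script creates it owner-only, refuses to overwrite an existing file, and checks its permissions before attaching it to a profile. The function names and the three positional arguments are this example's own.

```shell
#!/bin/sh
# Added example: wraps "yc iam key create", "yc config profile create" and
# "yc config set service-account-key" from the steps above.
export LC_ALL=C   # make [a-z] match ASCII lowercase only

# Name rules from "Create a service account": 2-63 characters, lowercase Latin
# letters, digits, hyphens; starts with a letter; does not end with a hyphen.
valid_sa_name() {
  case "$1" in
    *[!a-z0-9-]*) return 1 ;;   # character outside the allowed set
    [!a-z]*|*-)   return 1 ;;   # bad first or last character
  esac
  [ "${#1}" -ge 2 ] && [ "${#1}" -le 63 ]
}

# True only for a regular, non-symlink file with no group/other permissions.
key_file_is_private() {
  [ -f "$1" ] && [ ! -L "$1" ] || return 1
  [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Step 4: create the key under umask 077 so it is owner-only from creation.
create_key_private() {   # args: <service_account_name> <key_file_path>
  valid_sa_name "$1" || { echo "invalid service account name: $1" >&2; return 2; }
  [ ! -e "$2" ] || { echo "refusing to overwrite $2" >&2; return 3; }
  ( umask 077
    yc iam key create --output "$2" --service-account-name "$1" ) || return 1
  key_file_is_private "$2" || chmod 600 "$2"
}

# Steps 5-6: new profile, attach the key, then confirm the identity works.
use_key_in_profile() {   # args: <profile_name> <key_file_path>
  key_file_is_private "$2" || { echo "$2 is accessible to group/other" >&2; return 4; }
  yc config profile create "$1" &&
    yc config set service-account-key "$2" &&
    yc resource-manager folder list
}

# Run the whole sequence only when called with three arguments:
# <service_account_name> <key_file_path> <profile_name>
if [ "$#" -eq 3 ]; then
  create_key_private "$1" "$2" && use_key_in_profile "$3" "$2"
fi
```

Run without arguments, the script only defines the functions, so it can also be sourced into an existing provisioning script.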

Delete the service account

If you no longer need the service account, delete it:

  1. In the management console, navigate to the folder the service account belongs to.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts.
  4. In the row with the service account you need, click and select Delete.
  5. In the window that opens, click Delete.

What's next

  • The step-by-step guides will help you perform specific tasks in Identity and Access Management.
  • Read more about service accounts in the concepts section.
  • See the best practices for using service accounts securely.
