Uploading objects into a Yandex Object Storage bucket using an ephemeral access key
Ephemeral access keys are temporary keys with a limited lifespan that provide a secure way to access Yandex Object Storage resources without having to store static keys. In this tutorial, you will learn how to create ephemeral keys with the help of a script and use them to create buckets and upload objects via the AWS CLI.
To upload objects to an Object Storage bucket using an ephemeral access key:
- Get your cloud ready.
- Create a service account.
- Prepare a script for creating an ephemeral access key.
- Configure the AWS CLI.
- Create a bucket.
- Upload an object to the bucket.
If you no longer need the resources you created, delete them.
Get your cloud ready
Sign up for Yandex Cloud and create a billing account:
- Navigate to the management console and log in to Yandex Cloud or create a new account.
- On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.
If you have an active billing account, you can create or select a folder for your infrastructure on the cloud page.
Learn more about clouds and folders here.
Required paid resources
The infrastructure support cost includes:
- Fee for storing data in a bucket (see Object Storage pricing).
- Fee for data operations (see Object Storage pricing).
Set up your environment
- If you do not have the Yandex Cloud CLI yet, install and initialize it.
- Install and configure the AWS CLI.
- Download and install the jq utility.
Create a service account
Create a service account you will use to create a bucket and upload objects. Assign it the storage.editor role for the folder.
- In the management console, select Identity and Access Management.
- Click Create service account.
- In the Name field, specify ephemeral-sa.
- Click Add role and select storage.editor.
- Click Create.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.
- Create a service account:
yc iam service-account create \
  --name ephemeral-sa
Result:
id: ajeab0cnib1p********
folder_id: b0g12ga82bcv********
created_at: "2025-10-03T09:44:35.989446Z"
name: ephemeral-sa
- Assign the storage.editor role for the folder to the service account:
yc resource-manager folder add-access-binding <folder_name> \
  --service-account-name ephemeral-sa \
  --role storage.editor
Result:
effective_deltas:
  - action: ADD
    access_binding:
      role_id: storage.editor
      subject:
        id: ajeab0cnib1p********
        type: serviceAccount
- Create a service account named ephemeral-sa. Do it by using the create REST API method for the ServiceAccount resource or the ServiceAccountService/Create gRPC API call.
- Assign the storage.editor role for the current folder to the service account. Do it by using the setAccessBindings REST API method for the Folder resource or the FolderService/SetAccessBindings gRPC API call.
To manage access to the bucket, your service account must have the storage.admin role.
To work with objects in an encrypted bucket, a user or service account must have the following roles for the encryption key in addition to the storage.configurer role:
- kms.keys.encrypter: To read the key, encrypt and upload objects.
- kms.keys.decrypter: To read the key, decrypt and download objects.
- kms.keys.encrypterDecrypter: This role includes the kms.keys.encrypter and kms.keys.decrypter permissions.
For more information, see Key Management Service service roles.
Prepare a script for creating an ephemeral access key
With a script, you can avoid updating the ephemeral key in the AWS CLI profile after the key expires. For instructions on how to manage ephemeral keys manually, see Managing ephemeral access keys.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.
- Get the ephemeral-sa service account ID:
yc iam service-account get --name ephemeral-sa --format json | jq -r .id
- Create a file, e.g., issue-ephemeral-script.sh, and paste this code into it:
#!/bin/sh
yc iam access-key issue-ephemeral \
  --subject-id <service_account_ID> \
  --session-name ephemeral-sa-1 \
  --jq '{Version: 1, AccessKeyId: .access_key_id, SecretAccessKey: .secret, SessionToken: .session_token, ExpiresAt: .expires_at}'
Where:
- --subject-id: ephemeral-sa service account ID.
- --session-name: Session name, 1 to 64 characters long. It is required for identifying a session if the service account is impersonated for multiple users.
- --jq: jq output formatting template. It allows you to convert the result into a structure required by the AWS CLI.
- Make the file executable:
sudo chmod +x issue-ephemeral-script.sh
Configure the AWS CLI
Configure the AWS CLI to work with the ephemeral access key.
- Add a new ephemeral-profile profile to ~/.aws/credentials:
[ephemeral-profile]
region = ru-central1
endpoint_url = https://storage.yandexcloud.net
credential_process = <file_path>
In credential_process, enter the absolute path to the file you created when preparing a script, e.g., /home/yc-user/issue-ephemeral-script.sh.
- Check your profile configuration:
aws s3 ls --profile ephemeral-profile
If the configuration is correct, the command will run without errors.
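A credential_process helper that caches the ephemeral key, added here as an example for the script and profile steps above; it is not from the Yandex Cloud docs and is written in Python instead of the page's sh script so the caching and file-permission logic can be exercised offline. It wraps the page's yc command, and assumes a placeholder service account ID, a cache path under ~/.cache, a 60-second renewal margin, and emits Expiration (the expiry field name in the AWS credential_process specification) alongside the page's ExpiresAt.

```python
# Added example (not from the page): credential_process helper around the page's yc command.
import json, os, subprocess, sys
from datetime import datetime, timedelta, timezone

SUBJECT_ID = "<service_account_ID>"  # placeholder: the ephemeral-sa ID from yc
CACHE = os.path.expanduser("~/.cache/ephemeral-sa-1.json")  # assumed cache path
MARGIN = timedelta(seconds=60)  # reissue this long before expiry (assumed margin)

def parse_ts(ts: str) -> datetime:
    """yc prints UTC timestamps like 2025-10-03T09:44:35.989446Z; fractions are dropped."""
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def to_aws_credentials(yc_json: str) -> dict:
    """Map yc's access_key_id/secret/session_token/expires_at to credential_process output."""
    k = json.loads(yc_json)  # Expiration: the spec's expiry key; ExpiresAt: as on the page
    return {"Version": 1, "AccessKeyId": k["access_key_id"],
            "SecretAccessKey": k["secret"], "SessionToken": k["session_token"],
            "ExpiresAt": k["expires_at"], "Expiration": k["expires_at"]}

def is_usable(creds: dict, now: datetime) -> bool:
    """True while the cached key has more than MARGIN left before it expires."""
    return parse_ts(creds["Expiration"]) - now > MARGIN

def issue_key() -> dict:  # the yc command from the page, with JSON output
    out = subprocess.run(["yc", "iam", "access-key", "issue-ephemeral", "--subject-id",
                          SUBJECT_ID, "--session-name", "ephemeral-sa-1", "--format", "json"],
                         check=True, capture_output=True, text=True)
    return to_aws_credentials(out.stdout)

def save_cache(creds: dict, path: str = CACHE) -> None:
    """Store the key with mode 0600 so only this user can read the secret."""
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "w") as f:
        json.dump(creds, f)
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed

def get_credentials(now: datetime = None, path: str = CACHE) -> dict:
    now = now or datetime.now(timezone.utc)
    try:  # a missing, corrupt or stale cache just means "issue a new key"
        with open(path) as f:
            creds = json.load(f)
        if is_usable(creds, now):
            return creds
    except (OSError, ValueError, KeyError):
        pass
    creds = issue_key()
    save_cache(creds, path)
    return creds

if __name__ == "__main__":  # the AWS CLI runs this file and reads the JSON from stdout
    json.dump(get_credentials(), sys.stdout)
```

Point credential_process at this file instead of issue-ephemeral-script.sh and the AWS CLI reuses the cached key across commands until it is within the margin of expiring.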
Create a bucket
Create a bucket to store objects.
Run this command with the bucket name specified:
aws s3 mb s3://<bucket_name> \
--profile ephemeral-profile
Result:
make_bucket: my-bucket
For more information, see Creating a bucket.
Upload an object to the bucket
Upload an object to the new bucket.
- Create a test file:
echo "Hello, Yandex Cloud!" > test-file.txt
- Run the command below to upload the file, stating the path to the local file, bucket name, and key for storing the object in the bucket:
aws s3 cp test-file.txt \
  s3://<bucket_name>/test-file.txt \
  --profile ephemeral-profile
Result:
upload: ./test-file.txt to s3://my-bucket/test-file.txt
- Make sure the object has been uploaded successfully:
aws s3 ls s3://<bucket_name>/ \
  --profile ephemeral-profile
Result:
2025-10-03 09:45:12 23 test-file.txt
For more information, see Uploading an object.
How to delete the resources you created
To stop paying for the resources you created:
- Delete the objects from the bucket.
- Delete the bucket.