Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring access to a secret

Written by
Updated at November 11, 2025
  1. In the management console, select the folder the secret belongs to.
  2. In the list of services, select Lockbox.
  3. Click the name of the secret you need.
  4. On the left-hand panel, select Access bindings and click Assign roles.
  5. In the window that opens, click Select subject.
  6. Select the group, user, or service account to grant access to the secret.
  7. Click Add role and select the required roles.
  8. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. Get the secret ID (the ID column in the command output):

    yc lockbox secret list

    Result:

    +----------------------+-------------+------------+---------------------+----------------------+--------+
|          ID          |    NAME     | KMS KEY ID |     CREATED AT      |  CURRENT VERSION ID  | STATUS |
+----------------------+-------------+------------+---------------------+----------------------+--------+
| e6qetpqfe8vvag9h7jkr | test-secret |            | 2023-12-06 15:12:13 | e6qdnt9t2qsdggusve4g | ACTIVE |
+----------------------+-------------+------------+---------------------+----------------------+--------+

  2. To assign a role for a secret:

    • To a user:

      yc lockbox secret add-access-binding \
  --id <secret_ID> \
  --user-account-id <user_ID> \
  --role <role>

      Where:

      • --id: Secret ID.
      • --user-account-id: User ID.
      • --role: Role.

    • To a service account:

      yc lockbox secret add-access-binding \
  --id <secret_ID> \
  --service-account-id <service_account_ID> \
  --role <role>

      Where:

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Describe access permissions for the secret in the Terraform configuration file:

    resource "yandex_lockbox_secret_iam_member" "secret-viewer" {
  secret_id = "<secret_ID>"
  role      = "<role>"

  members = [
    "serviceAccount:<service_account_1_ID>",
    "serviceAccount:<service_account_2_ID>"
  ]
}

    Where:

    • secret_id: Secret ID.
    • role: Role.
    • members: Types and IDs of entities assigned the role. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>.

    For more information about the yandex_lockbox_secret_iam_member settings, see this Terraform guide.

  2. Create the resources

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources and their settings using the management console or this CLI command:

    yc lockbox secret list-access-binding <secret_ID>

To configure access to a secret, use the setAccessBindings REST API method for the Secret resource or the SecretService/SetAccessBindings gRPC API call.

Warning

If you assign a group, user, or service account a role for a folder or cloud where the secret is stored, all permissions of this role will also apply to the secret.

For more information, see How access management works.

See also

Previous
Updating a secret
Next
Getting information about a secret