Configuring access to a secret

Written by

Yandex Cloud

Updated at May 5, 2026

Management console

CLI

Terraform

API

In the management console, select the folder the secret belongs to.
Go to Lockbox.
Click the name of the secret you need.
On the left-hand panel, select Access bindings and click Assign roles.
In the window that opens, click Select subject.
Select the group, user, or service account to grant access to the secret.
Click Add role and select the required roles.
Click Save.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

Get the secret ID (the ID column in the command output):

yc lockbox secret list

Result:

+----------------------+-------------+------------+---------------------+----------------------+--------+
|          ID          |    NAME     | KMS KEY ID |     CREATED AT      |  CURRENT VERSION ID  | STATUS |
+----------------------+-------------+------------+---------------------+----------------------+--------+
| e6qetpqfe8vvag9h7jkr | test-secret |            | 2023-12-06 15:12:13 | e6qdnt9t2qsdggusve4g | ACTIVE |
+----------------------+-------------+------------+---------------------+----------------------+--------+

To assign a role for a secret:

To a user:

yc lockbox secret add-access-binding \
  --id <secret_ID> \
  --user-account-id <user_ID> \
  --role <role>

Where:

--id: Secret ID.
--user-account-id: User ID.
--role: Role to assign.

To a service account:

yc lockbox secret add-access-binding \
  --id <secret_ID> \
  --service-account-id <service_account_ID> \
  --role <role>

Where:

--id: Secret ID.
--service-account-id: Service account ID.
--role: Role to assign.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

Describe access permissions for the secret in the Terraform configuration file:
```
resource "yandex_lockbox_secret_iam_member" "secret-viewer" {
  secret_id = "<secret_ID>"
  role      = "<role>"
  member    = "<subject_type>:<subject_ID>"
}
```
Where:
- secret_id: Secret ID.
- role: Role to assign.
- member: Type and ID of the subject the role is assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>.
For more information about yandex_lockbox_secret_iam_member properties in Terraform, see this provider guide.
Create the resources
1. In the terminal, navigate to the configuration file directory.
2. Make sure the configuration is correct using this command:
```
terraform validate
```
  If the configuration is valid, you will get this message:
```
Success! The configuration is valid.
```
3. Run this command:
```
terraform plan
```
  You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
4. Apply the configuration changes:
```
terraform apply
```
5. Type yes and press Enter to confirm the changes.
Terraform will create all the required resources. You can check the new resources and their settings either in the management console or using this CLI command:
```
yc lockbox secret list-access-binding <secret_ID>
```

To configure access to a secret, use the setAccessBindings REST API method for the Secret resource or the SecretService/SetAccessBindings gRPC API call.

Warning

If you assign a group, user, or service account a role for a folder or cloud where the secret is stored, all permissions of this role will also apply to the secret.

For more information, see How access management works.

Configuring access to a secret

See also

Was the article helpful?

Configuring access to a secret

See alsoSee also

Was the article helpful?

See also