Discuss with expertTry it for free
© 2026 Direct Cursus Technology L.L.C.

Deactivating and activating a secret

Written by
Updated at May 5, 2026

A secret can be either active or deactivated. When a secret is active, it enables access to both its metadata and content (key-value pairs). When deactivated, it allows access only to its metadata, with the secret content being inaccessible.

Deactivating a secret

  1. In the management console, select the folder the secret belongs to.
  2. Go to Lockbox.
  3. Next to the secret you need, click and select Deactivate.
  4. Confirm its deactivation.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for getting secret deactivation info:

    yc lockbox secret deactivate --help

  2. Deactivate a secret by specifying its ID or name:

    yc lockbox secret deactivate <secret_name>

    Result:

    id: e6qkkp3k29jf********
folder_id: b1go3el0d8fs********
created_at: "2023-11-08T13:14:34.676Z"
name: first-secret
status: INACTIVE
current_version:
  id: e6qor8pe3ju7********
  secret_id: e6qkkp3k29jf********
  created_at: "2023-11-08T13:14:34.676Z"
  status: ACTIVE
  payload_entry_keys:
    - secret-key

To deactivate a secret, use the deactivate REST API method for the Secret resource or the SecretService/Deactivate gRPC API call.

Activating a secret

  1. In the management console, select the folder the secret belongs to.
  2. Go to Lockbox.
  3. Next to the secret you need, click and select Activate secret.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for getting secret activation info:

    yc lockbox secret activate --help

  2. Activate a secret by specifying its ID or name:

    yc lockbox secret activate <secret_name>

    Result:

    id: e6qkkp3k29jf********
folder_id: b1go3el0d8fs********
created_at: "2023-11-08T13:14:34.676Z"
name: first-secret
status: ACTIVE
current_version:
  id: e6qor8pe3ju7********
  secret_id: e6qkkp3k29jf********
  created_at: "2023-11-08T13:14:34.676Z"
  status: ACTIVE
  payload_entry_keys:
    - secret-key

To activate a secret, use the activate REST API method for the Secret resource or the SecretService/Activate gRPC API call.

See also

Previous
Deleting a secret
Next
Secret version management