Creating secrets
To create a secret:
-
In the management console
, select the folder where you want to create a secret. -
In the list of services, select Lockbox.
-
Click Create secret.
-
In the Name field, enter a name for the secret.
-
(Optional) To separate metrics within Yandex Monitoring, add a label.
-
(Optional) Enable Block secret deletion. You cannot delete a secret with this option enabled. This does not protect the contents of the secret against modification.
-
Select Secret type:
-
Generated: To generate the value automatically:
- In the Key field, enter a non-secret ID.
- (Optional) Expand the Automatic generation options section and set the confidential value parameters (e.g., password).
-
Custom: To set the value manually:
-
In the Key field, enter a non-secret ID.
-
In the Value field, enter the confidential data you want to store.
To add more data, click Add key/value and repeat the steps.
-
-
-
(Optional) Under KMS key, specify an existing key or create a new one.
The specified Yandex Key Management Service key is used to encrypt your secret. If you do not specify a key, the secret will be encrypted with a special system key.
Tip
By using your own Key Management Service key, you can take full advantage of the benefits Key Management Service has to offer.
-
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View a description of the CLI create secret command:
yc lockbox secret create --help
-
Run this command:
yc lockbox secret create \ --name <secret_name> \ --description <secret_description> \ --payload "<array_with_secret_contents>" \ --cloud-id <cloud_ID> \ --folder-id <folder_ID> \ --deletion-protection
Where:
-
--name
: Secret name. This is a required parameter. -
--description
: Secret description. This is an optional parameter. -
--payload
: Contents of the secret as a YAML or JSON array.You can provide one or more
key
keys at a time. If the secret is going to contain several values, list them separated by commas. If the keys are going to contain binary values, provide these inbase64
encoding.For instance, to save the
username
key with themyusername
text value and theavatar
key with a binary value loaded from theavatar.jpg
file, you can specify:[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}]
-
--cloud-id
: ID of the cloud where you want to create your secret. -
--folder-id
: ID of the folder where you want to create a secret. -
--deletion-protection
: Secret deletion protection. You cannot delete a secret with this option enabled. This does not protect the secret's contents. This is an optional parameter.
Sample command for creating a secret:
yc lockbox secret create \ --name sample-secret \ --description sample_secret \ --payload "[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}]" \ --cloud-id b1gwa87mbaom******** \ --folder-id b1qt6g8ht345******** \ --deletion-protection
In this example, a secret is created with two keys: one with a text value and one with a binary value.
Result:
id: e6q6nbjfu9m2******** folder_id: b1qt6g8ht345******** created_at: "2023-10-09T16:29:11.402Z" ... - username - avatar deletion_protection: true
-
A secret only contains its own metadata, including its name, description, and unique ID. To start using the secret, you need to create a secret version.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } required_version = ">= 0.13" } provider "yandex" { zone = "ru-central1-a" } resource "yandex_lockbox_secret" "my_secret" { name = "<secret_name>" description = "<secret_description>" folder_id = "<folder_ID>" kms_key_id = "<encryption_key_ID>" deletion_protection = <deletion_protection_flag> labels = { <label_1_key> = "<label_1_value>", <label_2_key> = "<label_2_value>" } }
Where:
name
: Secret name. This is a required parameter.description
: Secret description. This is an optional parameter.folder_id
: ID of the folder where you want to create a secret. This is an optional parameter.kms_key_id
: ID of the Key Management Service encryption key. The specified Key Management Service key is used to encrypt your secret. If you do not specify a Key Management Service key, a special system key will be used to encrypt the secret. This is an optional parameter.deletion_protection
: Deletion protection flag. To enable protection, set totrue
. To disable protection, set tofalse
. The default value isfalse
. This is an optional parameter.labels
: Resource label in<key>:"<value>"
format. This is an optional parameter.
For more information about the
yandex_lockbox_secret
resource parameters in Terraform, see the relevant provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
This will create a secret in the specified folder. You can check the new secret and its settings using the management console
yc lockbox secret get <secret_name>
To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.
Tip
If you specified your KMS key when creating a secret, assign the kms.keys.encrypterDecrypter and lockbox.payloadViewer roles to your secret. They are required to access the key, as well as encrypt and decrypt it.