Creating secrets
To create a secret:
-
In the management console, select the folder where you want to create a secret.
-
In the list of services, select Lockbox.
-
Click Create secret.
-
In the Name field, enter a name for the secret.
-
(Optional) To separate metrics within Yandex Monitoring, add a label.
-
(Optional) Enable Block secret deletion. You cannot delete a secret with this option enabled. This does not protect the contents of the secret against modification.
-
Select Secret type:
-
Generated: To generate the value automatically:
- In the Key field, enter a non-secret ID.
- (Optional) Expand the Automatic generation options section and set the confidential value parameters (e.g., password).
-
Custom: To set the value manually:
-
In the Key field, enter a non-secret ID.
-
In the Value field, enter the confidential data you want to store.
To add more data, click Add key/value and repeat the steps.
-
-
-
(Optional) Under KMS key, specify an existing key or create a new one.
The specified Yandex Key Management Service key is used to encrypt your secret. If you do not specify a key, the secret will be encrypted with a special system key.
Tip
By using your own Key Management Service key, you can take full advantage of the benefits Key Management Service has to offer.
-
Click Create.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
-
View a description of the CLI create secret command:
yc lockbox secret create --help -
Run this command:
yc lockbox secret create \ --name <secret_name> \ --description <secret_description> \ --payload "<array_with_secret_contents>" \ --cloud-id <cloud_ID> \ --folder-id <folder_ID> \ --deletion-protectionWhere:
-
--name: Secret name. This is a required parameter. -
--description: Secret description. This is an optional parameter. -
--payload: Contents of the secret as a YAML or JSON array.You can provide one or more
keykeys at a time. If the secret is going to contain several values, list them separated by commas. If the keys are going to contain binary values, provide these inbase64encoding.For instance, to save the
usernamekey with themyusernametext value and theavatarkey with a binary value loaded from theavatar.jpgfile, you can specify:[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}] -
--cloud-id: ID of the cloud where you want to create your secret. -
--folder-id: ID of the folder where you want to create a secret. -
--deletion-protection: Secret deletion protection. You cannot delete a secret with this option enabled. This does not protect the secret's contents. This is an optional parameter.
Sample command for creating a secret:
yc lockbox secret create \ --name sample-secret \ --description sample_secret \ --payload "[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}]" \ --cloud-id b1gwa87mbaom******** \ --folder-id b1qt6g8ht345******** \ --deletion-protectionIn this example, a secret is created with two keys: one with a text value and one with a binary value.
Result:
id: e6q6nbjfu9m2******** folder_id: b1qt6g8ht345******** created_at: "2023-10-09T16:29:11.402Z" ... - username - avatar deletion_protection: true -
A secret only contains its own metadata, including its name, description, unique ID, etc. To start using a new secret, you need to create its version.
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
-
In the configuration file, define the parameters of the resources you want to create:
resource "yandex_lockbox_secret" "my_secret" { name = "<secret_name>" description = "<secret_description>" folder_id = "<folder_ID>" kms_key_id = "<encryption_key_ID>" deletion_protection = <deletion_protection_flag> labels = { <label_1_key> = "<label_1_value>", <label_2_key> = "<label_2_value>" } }Where:
name: Secret name. This is a required parameter.description: Secret description. This is an optional parameter.folder_id: ID of the folder where you want to create a secret. This is an optional parameter.kms_key_id: ID of the Key Management Service encryption key. The specified Key Management Service key is used to encrypt your secret. If you do not specify a Key Management Service key, a special system key will be used to encrypt the secret. This is an optional parameter.deletion_protection: Deletion protection flag. To enable protection, set totrue. To disable protection, set tofalse. The default value isfalse. This is an optional parameter.labels: Resource label in<key>:"<value>"format. This is an optional parameter.
For more information about the
yandex_lockbox_secretresource parameters in Terraform, see the relevant provider documentation. -
Create resources:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
-
This will create a secret in the specified folder. You can check the new secret and its settings using the management console or this CLI command:
yc lockbox secret get <secret_name>
To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.
Tip
If you specified your KMS key when creating a secret, assign the kms.keys.encrypterDecrypter and lockbox.payloadViewer roles to your secret. They are required to access the key, as well as encrypt and decrypt it.