Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Transmitting a secret to Yandex Serverless Containers

Written by
Updated at November 14, 2024

Note

This feature is in the Preview stage.

To provide the container with access to the secret, specify a service account with the following roles in the container parameters:

A Lockbox secret transmitted to a container is cached in Serverless Containers. As soon as the service account can no longer access the secret, the container may store it for up to 5 minutes.

A new revision of a container is created when Yandex Lockbox secrets are transmitted. You cannot transmit secrets to an existing revision.

  1. In the management console, go to the folder with your container.

  2. Open Serverless Containers.

  3. Select a container you want to transmit a secret to.

  4. Go to the Editor tab.

  5. In the window that opens, under Image settings, in the Lockbox secrets field, specify:

    • Name of the environment variable to store the secret.
    • Secret ID.
    • Secret version ID.
    • Key of one of the key-value pairs in the secret version.

  6. Click Add.

    You can transmit multiple secrets to a container. To do this, click Add.

  7. Click Create revision. A new container revision with the specified secrets will be created.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To transmit Yandex Lockbox secrets to a container, run this command:

Warning

If the secrets were already sent to the previous revision, they will be overwritten.

yc serverless container revision deploy \
   --container-name test \
   --image cr.yandex/<registry_ID>/repository:tag \
   --cores 1 \
   --memory 1GB \
   --service-account-id <service_account_ID> \
   --secret environment-variable=<environment_variable_name>,id=<secret_ID>,version-id=<secret_version_ID>,key=<secret_key>

Where:

  • --container-name: Container name.

  • --image: Docker image URL.

  • --cores: Number of cores available to the container.

  • --memory: Required memory. The default value is 128 MB.

  • --service-account-id: ID of the service account with the lockbox.payloadViewer role.

  • --secret:

    • environment-variable: Name of the environment variable that will store the secret.
    • id: Secret ID.
    • version-id: Secret version ID.
    • key: Key of one of the key-value pairs in the secret version.

    You can transmit multiple secrets to a container. To do this, specify the --secret parameter as many times as needed.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and add the secrets section to the function description:

    resource "yandex_serverless_container" "test-container" {
  name               = "<container_name>"
  memory             = <memory_size>
  service_account_id = "<service_account_ID>"
  secrets {
    id                   = "<secret_ID>"
    version_id           = "secret_version_ID>"
    key                  = "<secret_1_key>"
    environment_variable = "<environment_variable_1_name>"
  }
  secrets {
    id                   = "<secret_ID>"
    version_id           = "<secret_version_ID>"
    key                  = "<secret_2_key>"
    environment_variable = "<environment_variable_2_name>"
  }
  image {
    url = "<Docker_image_URL>"
  }
}

    Where:

    • secrets: Section with secret settings. It contains the following parameters:
      • id: Secret ID. This is a required parameter.
      • version_id: Secret version ID. This is a required parameter.
      • key: Key of one of the secret version's key-value pairs that will be stored in the environment variable. This is a required parameter.
      • environment_variable: Name of the environment variable that will store the secret. This is a required parameter.

    For more information about the yandex_serverless_container resource parameters, see the provider documentation.

  2. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

You can check the function's update settings in the management console.

To transmit a Yandex Lockbox secret to a container, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.

Previous
Secret version management
Next
Transmitting a secret to Yandex Cloud Functions