© 2026 Direct Cursus Technology L.L.C.

Transmitting a secret to Yandex Cloud Functions

Written by
Yandex Cloud
Updated at May 14, 2026

Note

This feature is in the Preview stage.

For a function to get access to a secret, edit its parameters to specify a service account with the following roles assigned:

  • lockbox.payloadViewer for the secret (how to assign access permissions for a secret).
  • kms.keys.encrypterDecrypter for the encryption key if the secret was created using a Yandex Key Management Service key (how to assign access permissions for an encryption key).

A Yandex Lockbox secret provided to a function is cached in Yandex Cloud Functions. After the service account loses access to the secret, the function may retain it for up to five minutes.

Providing secrets creates a new function version. You cannot provide secrets to an existing version.

Management console

  1. In the management console, select the folder containing the function.

  2. Go to Cloud Functions.

  3. Select the function to provide a Yandex Lockbox secret to.

  4. Navigate to the Editor tab.

  5. Under Parameters, specify:

    • In the Service account field, the service account with the lockbox.payloadViewer role.
    • In the Lockbox secrets field:
      • Name of the environment variable that will store the secret.
      • Secret ID.
      • Secret version ID.
      • Key of a key-value pair in the secret version.
  6. Click Add.

    You can provide multiple secrets to a function. To do this, click Add.

  7. Click Save changes. This will create a new version of the function with the specified secrets.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

Warning

If secrets were already provided to the previous function version, they will be overwritten.

To provide a Yandex Lockbox secret to a function, run this command:

yc serverless function version create \
  --function-name=test \
  --runtime nodejs16 \
  --entrypoint index.main \
  --memory 128m \
  --execution-timeout 5s \
  --source-version-id vfdsdeqa1s2d3******** \
  --service-account-id bfbtfcp0o9i8******** \
  --secret environment-variable=KEY,id=fc3q4aq3w5e6********,version-id=fc3gvvz4x5c6********,key=secret-key

Where:

  • --function-name: Function name.

  • --runtime: Runtime.

  • --entrypoint: Entry point in <function_file_name>.<handler_name> format.

  • --memory: Amount of RAM.

  • --execution-timeout: Maximum function execution time before timeout.

  • --source-version-id: ID of the function version from which you want to copy the code.

  • --service-account-id: ID of the service account with the lockbox.payloadViewer role.

  • --secret:

    • environment-variable: Name of the environment variable that will store the secret.
    • id: Secret ID.
    • version-id: Secret version ID.
    • key: Key of a key-value pair in the secret version.

    You can provide multiple secrets to a function. To do this, specify --secret as many times as needed.

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Open the Terraform configuration file and add the secrets section to the function description:

    resource "yandex_function" "test-function" {
      name               = "test-function"
      description        = "Test function"
      user_hash          = "first-function"
      runtime            = "python37"
      entrypoint         = "main"
      memory             = "128"
      execution_timeout  = "10"
      service_account_id = "<service_account_ID>"
      tags               = ["my_tag"]
      secrets {
        id                   = "<secret_ID>"
        version_id           = "<secret_version_ID>"
        key                  = "<secret_1_key>"
        environment_variable = "<environment_variable_1_name>"
      }
      secrets {
        id                   = "<secret_ID>"
        version_id           = "<secret_version_ID>"
        key                  = "<secret_2_key>"
        environment_variable = "<environment_variable_2_name>"
      }
    
      content {
        zip_filename = "<path_to_ZIP_archive>"
      }
    }
    

    Where:

    • secrets: Section with secret configuration. It contains the following settings:
      • id: Secret ID. This is a required setting.
      • version_id: Secret version ID. This is a required setting.
      • key: Key of a secret version’s key-value pair that will be stored in the environment variable. This is a required setting.
      • environment_variable: Name of the environment variable that will store the secret. This is a required setting.

    For more information about yandex_function resource properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate
      

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

You can check the function update and its settings in the management console.

API

To provide a Yandex Lockbox secret to a function, use the createVersion REST API method for the Function resource or the FunctionsService/CreateVersion gRPC API call.
