Getting started with Yandex Lockbox
Create your first secret and get its contents.
A secret is a set of versions that store your data. A version contains sets of keys and values:
- A key is a non-secret name that identifies a value.
- The value is your secret data.
Versions can't be changed. Whenever you need to change the number of key-value pairs or their contents, you must create a new version.
Creating a secret
To create a secret:
-
In the management console, select the folder where you want to create a secret.
-
In the list of services, select Lockbox.
-
Click Create secret.
-
In the Name field, enter a name for the secret.
-
(Optional) To separate metrics within Yandex Monitoring, add a label.
-
(Optional) Enable Block secret deletion. You cannot delete a secret with this option enabled. This does not protect the contents of the secret against modification.
-
Select Secret type:
-
Generated: To generate the value automatically:
- In the Key field, enter a non-secret ID.
- (Optional) Expand the Automatic generation options section and set the confidential value parameters (e.g., password).
-
Custom: To set the value manually:
-
In the Key field, enter a non-secret ID.
-
In the Value field, enter the confidential data you want to store.
To add more data, click Add key/value and repeat the steps.
-
-
-
(Optional) Under KMS key, specify an existing key or create a new one.
The specified Yandex Key Management Service key is used to encrypt your secret. If you do not specify a key, the secret will be encrypted with a special system key.
Tip
By using your own Key Management Service key, you can take full advantage of the benefits Key Management Service has to offer.
-
Click Create.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
View a description of the CLI create secret command:
yc lockbox secret create --help -
Run this command:
yc lockbox secret create \ --name <secret_name> \ --description <secret_description> \ --payload "<array_with_secret_contents>" \ --cloud-id <cloud_ID> \ --folder-id <folder_ID> \ --deletion-protectionWhere:
-
--name: Secret name. This is a required parameter. -
--description: Secret description. This is an optional parameter. -
--payload: Contents of the secret as a YAML or JSON array.You can provide one or more
keykeys at a time. If the secret is going to contain several values, list them separated by commas. If the keys are going to contain binary values, provide these inbase64encoding.For instance, to save the
usernamekey with themyusernametext value and theavatarkey with a binary value loaded from theavatar.jpgfile, you can specify:[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}] -
--cloud-id: ID of the cloud where you want to create your secret. -
--folder-id: ID of the folder where you want to create a secret. -
--deletion-protection: Secret deletion protection. You cannot delete a secret with this option enabled. This does not protect the secret's contents. This is an optional parameter.
Sample command for creating a secret:
yc lockbox secret create \ --name sample-secret \ --description sample_secret \ --payload "[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}]" \ --cloud-id b1gwa87mbaom******** \ --folder-id b1qt6g8ht345******** \ --deletion-protectionIn this example, a secret is created with two keys: one with a text value and one with a binary value.
Result:
id: e6q6nbjfu9m2******** folder_id: b1qt6g8ht345******** created_at: "2023-10-09T16:29:11.402Z" ... - username - avatar deletion_protection: true -
A secret only contains its own metadata, including its name, description, unique ID, etc. To start using a new secret, you need to create its version.
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
-
In the configuration file, define the parameters of the resources you want to create:
resource "yandex_lockbox_secret" "my_secret" { name = "<secret_name>" description = "<secret_description>" folder_id = "<folder_ID>" kms_key_id = "<encryption_key_ID>" deletion_protection = <deletion_protection_flag> labels = { <label_1_key> = "<label_1_value>", <label_2_key> = "<label_2_value>" } }Where:
name: Secret name. This is a required parameter.description: Secret description. This is an optional parameter.folder_id: ID of the folder where you want to create a secret. This is an optional parameter.kms_key_id: ID of the Key Management Service encryption key. The specified Key Management Service key is used to encrypt your secret. If you do not specify a Key Management Service key, a special system key will be used to encrypt the secret. This is an optional parameter.deletion_protection: Deletion protection flag. To enable protection, set totrue. To disable protection, set tofalse. The default value isfalse. This is an optional parameter.labels: Resource label in<key>:"<value>"format. This is an optional parameter.
For more information about the
yandex_lockbox_secretresource parameters in Terraform, see the relevant provider documentation. -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validateIf the configuration is correct, the following message is returned:
Success! The configuration is valid. -
Run the command:
terraform planThe terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesin the terminal and press Enter.
-
This will create a secret in the specified folder. You can check the new secret and its settings using the management console or this CLI command:
yc lockbox secret get <secret_name>
To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.
Getting the contents of a secret
Roles required to get a secret
If you specified your KMS key when creating a secret, assign the kms.keys.encrypterDecrypter and lockbox.payloadViewer roles to your secret. They are required to access the key, as well as encrypt and decrypt it.
Get the contents of the secret
- In the management console, select the folder the secret belongs to.
- In the list of services, select Lockbox.
- In the left-hand menu, select Secrets.
- Click the name of the secret you need.
- Under Versions, click the secret version you need.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
See the description of the CLI command to get the contents of a secret:
yc lockbox payload get --help -
Get the secret ID (the
IDcolumn in the command output):yc lockbox secret listResult:
+----------------------+-------------+------------+---------------------+----------------------+--------+ | ID | NAME | KMS KEY ID | CREATED AT | CURRENT VERSION ID | STATUS | +----------------------+-------------+------------+---------------------+----------------------+--------+ | e6qetpqfe8vvag9h7jkr | test-secret | | 2023-12-06 15:12:13 | e6qdnt9t2qsdggusve4g | ACTIVE | +----------------------+-------------+------------+---------------------+----------------------+--------+ -
Run this command:
yc lockbox payload get \ --id <secret_ID> \ --key <secret_key> \ --version-id <secret_version_ID>Where:
--id: Secret ID. This is a required parameter.--key: Secret contents key required to get the single value. This is an optional parameter.--version-id: Secret version. This is an optional parameter. Defaults to the current secret version.
An example of a command used to get the contents of a secret:
yc lockbox payload get \ --id e6qetpqfe8vv******** \ --version-id e6qqr7k79ecm********In this example, you get the contents of the
e6qqr7k79ecm********secret version.Result:
version_id: e6qqr7k79ecm******** entries: - key: first_key text_value: value_1 - key: second_key text_value: value_2If a file is used as the confidential value, the returned secret content will be Base64 encoded. To decode the file, use the Linux base64 utility:
base64 --decode <path_to_file> > output.txt
If you make a request without specifying a version, the response will return the contents of the current (latest) version.
You can use this logic in scripts, services, and applications where you need to use the contents of your secret.
To get the contents of the secret:
-
Get an IAM token required for authentication and save it to the variable:
export IAM_TOKEN=$(yc iam create-token)You can also get an IAM token for your service account from inside the VM the token is linked to. To do this, send a request to the metadata service. An example with the jq utility:
export IAM_TOKEN=$(curl --header Metadata-Flavor:Google http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | jq -r .access_token) -
Run this request:
curl \ --request GET \ --header "Authorization: Bearer ${IAM_TOKEN}" \ https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/<secret_ID>/payload
If a file is used as the confidential value, the returned secret content will be Base64 encoded. To decode the file, use the base64 Python module or other suitable tools.
You can manage secrets and their contents not only through the management console, CLI, and API, but also using SDKs for popular programming languages. For more information, see Interfaces for using the service.