Getting started with Yandex Lockbox
Create your first secret and get its contents.
A secret is a set of versions that store your data. A version contains sets of keys and values:
- A key is a non-secret name that identifies a value.
- The value is your secret data.
Versions can't be changed. Whenever you need to change the number of key-value pairs or their contents, you must create a new version.
Creating secrets
To create a secret:
-
In the management console
, select the folder where you want to create a secret. -
In the list of services, select Lockbox.
-
Click Create secret.
-
In the Name field, enter a name for the secret.
-
(Optional) To separate metrics within Yandex Monitoring, add a label.
-
(Optional) Enable Block secret deletion. You cannot delete a secret with this option enabled. This does not protect the contents of the secret against modification.
-
Select Secret type:
-
Generated: To generate the value automatically:
- In the Key field, enter a non-secret ID.
- (Optional) Expand the Automatic generation options section and set the confidential value parameters (e.g., password).
-
Custom: To set the value manually:
-
In the Key field, enter a non-secret ID.
-
In the Value field, enter the confidential data you want to store.
To add more data, click Add key/value and repeat the steps.
-
-
-
(Optional) Under KMS key, specify an existing key or create a new one.
The specified Yandex Key Management Service key is used to encrypt your secret. If you do not specify a key, the secret will be encrypted with a special system key.
Tip
By using your own Key Management Service key, you can take full advantage of the benefits Key Management Service has to offer.
-
Click Create.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
View a description of the CLI create secret command:
yc lockbox secret create --help
-
Run this command:
yc lockbox secret create \ --name <secret_name> \ --description <secret_description> \ --payload "<array_with_secret_contents>" \ --cloud-id <cloud_ID> \ --folder-id <folder_ID> \ --deletion-protection
Where:
-
--name
: Secret name. This is a required parameter. -
--description
: Secret description. This is an optional parameter. -
--payload
: Contents of the secret as a YAML or JSON array.You can provide one or more
key
keys at a time. If the secret is going to contain several values, list them separated by commas. If the keys are going to contain binary values, provide these inbase64
encoding.For instance, to save the
username
key with themyusername
text value and theavatar
key with a binary value loaded from theavatar.jpg
file, you can specify:[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}]
-
--cloud-id
: ID of the cloud where you want to create your secret. -
--folder-id
: ID of the folder where you want to create a secret. -
--deletion-protection
: Secret deletion protection. You cannot delete a secret with this option enabled. This does not protect the secret's contents. This is an optional parameter.
Sample command for creating a secret:
yc lockbox secret create \ --name sample-secret \ --description sample_secret \ --payload "[{'key': 'username', 'text_value': 'myusername'},{'key': 'avatar', 'binary_value': $(base64 -w 0 ./avatar.jpg)}]" \ --cloud-id b1gwa87mbaom******** \ --folder-id b1qt6g8ht345******** \ --deletion-protection
In this example, a secret is created with two keys: one with a text value and one with a binary value.
Result:
id: e6q6nbjfu9m2******** folder_id: b1qt6g8ht345******** created_at: "2023-10-09T16:29:11.402Z" ... - username - avatar deletion_protection: true
-
A secret only contains its own metadata, including its name, description, and unique ID. To start using the secret, you need to create a secret version.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
terraform { required_providers { yandex = { source = "yandex-cloud/yandex" } } required_version = ">= 0.13" } provider "yandex" { zone = "ru-central1-a" } resource "yandex_lockbox_secret" "my_secret" { name = "<secret_name>" description = "<secret_description>" folder_id = "<folder_ID>" kms_key_id = "<encryption_key_ID>" deletion_protection = <deletion_protection_flag> labels = { <label_1_key> = "<label_1_value>", <label_2_key> = "<label_2_value>" } }
Where:
name
: Secret name. This is a required parameter.description
: Secret description. This is an optional parameter.folder_id
: ID of the folder where you want to create a secret. This is an optional parameter.kms_key_id
: ID of the Key Management Service encryption key. The specified Key Management Service key is used to encrypt your secret. If you do not specify a Key Management Service key, a special system key will be used to encrypt the secret. This is an optional parameter.deletion_protection
: Deletion protection flag. To enable protection, set totrue
. To disable protection, set tofalse
. The default value isfalse
. This is an optional parameter.labels
: Resource label in<key>:"<value>"
format. This is an optional parameter.
For more information about the
yandex_lockbox_secret
resource parameters in Terraform, see the relevant provider documentation . -
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
-
This will create a secret in the specified folder. You can check the new secret and its settings using the management console
yc lockbox secret get <secret_name>
To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.
Getting the contents of a secret
Roles required to get a secret
If you specified your KMS key when creating a secret, assign the kms.keys.encrypterDecrypter and lockbox.payloadViewer roles to your secret. They are required to access the key, as well as encrypt and decrypt it.
Get the contents of the secret
- In the management console
, select the folder the secret belongs to. - In the list of services, select Lockbox.
- In the left-hand menu, select Secrets.
- Click the name of the secret you need.
- Under Versions, click the secret version you need.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
See the description of the CLI command to get the contents of a secret:
yc lockbox payload get --help
-
Get the secret ID (the
ID
column in the command output):yc lockbox secret list
Result:
+----------------------+-------------+------------+---------------------+----------------------+--------+ | ID | NAME | KMS KEY ID | CREATED AT | CURRENT VERSION ID | STATUS | +----------------------+-------------+------------+---------------------+----------------------+--------+ | e6qetpqfe8vvag9h7jkr | test-secret | | 2023-12-06 15:12:13 | e6qdnt9t2qsdggusve4g | ACTIVE | +----------------------+-------------+------------+---------------------+----------------------+--------+
-
Run this command:
yc lockbox payload get \ --id <secret_ID> \ --key <secret_key> \ --version-id <secret_version_ID>
Where:
--id
: Secret ID. This is a required parameter.--key
: Secret contents key required to get the single value. This is an optional parameter.--version-id
: Secret version. This is an optional parameter. Defaults to the current secret version.
An example of a command used to get the contents of a secret:
yc lockbox payload get \ --id e6qetpqfe8vv******** \ --version-id e6qqr7k79ecm********
In this example, you get the contents of the
e6qqr7k79ecm********
secret version.Result:
version_id: e6qqr7k79ecm******** entries: - key: first_key text_value: value_1 - key: second_key text_value: value_2
If a file is used as the confidential value, the returned secret content will be Base64 encoded
. To decode the file, use the Linux base64 utility:base64 --decode <path_to_file> > output.txt
If you make a request without specifying a version, the response will return the contents of the current (latest) version.
You can use this logic in scripts, services, and applications where you need to use the contents of your secret.
To get the contents of the secret:
-
Get an IAM token required for authentication and save it to the variable:
export IAM_TOKEN=$(yc iam create-token)
You can also get an IAM token for your service account from inside the VM the token is linked to. To do this, send a request to the metadata service. An example with the jq
utility:export IAM_TOKEN=$(curl --header Metadata-Flavor:Google http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | jq -r .access_token)
-
Run this request:
curl \ --request GET \ --header "Authorization: Bearer ${IAM_TOKEN}" \ https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/<secret_ID>/payload
If a file is used as the confidential value, the returned secret content will be Base64 encoded
You can manage secrets and their contents not only through the management console