

Accessing the Yandex Cloud API from a Managed Service for Kubernetes cluster using a workload identity federation in Identity and Access Management

Written by
Yandex Cloud
Updated at October 29, 2025
  • Get your cloud ready
    • Required paid resources
  • Set up a Managed Service for Kubernetes cluster
  • Create a workload identity federation
  • Set up an IAM service account
  • Link the IAM service account to the federation
  • Create a Yandex Lockbox secret
  • Test the integration
  • How to delete the resources you created
  • See also

Managed Service for Kubernetes supports integration with Identity and Access Management workload identity federations.

Workload identity federations allow you to configure a link between external systems and Yandex Cloud via the OpenID Connect (OIDC) protocol. This allows external systems to perform actions on Yandex Cloud resources on behalf of service accounts without using authorized keys. This is a more secure method that minimizes the risk of credential leakage and the possibility of unauthorized access.

When this option is enabled, Managed Service for Kubernetes automatically creates an OIDC provider for the specific cluster and provides the following parameters for integration with workload identity federations:

  • Issuer URL.
  • JWKS key set URL.

This tutorial shows how to get the value of a Yandex Lockbox secret from a Managed Service for Kubernetes cluster using an Identity and Access Management service account.

Similarly, you can perform any action via the Yandex Cloud CLI, Terraform, an SDK, or the API.

Note

This tutorial demonstrates an example of integrating a Managed Service for Kubernetes cluster with a workload identity federation. For a tutorial on integrating a custom Kubernetes installation, see Getting the Yandex Lockbox secret value on the custom Kubernetes installation side.

To configure access to a Yandex Lockbox secret from a Managed Service for Kubernetes cluster via the Yandex Cloud API using a workload identity federation:

  1. Get your cloud ready.
  2. Configure the Managed Service for Kubernetes cluster.
  3. Create a workload identity federation.
  4. Set up an IAM service account.
  5. Link the IAM service account to the federation.
  6. Create a Yandex Lockbox secret.
  7. Test the integration.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure.

Learn more about clouds and folders here.

Required paid resources

The infrastructure support costs include:

  • Fee for computing resources and disks for Managed Service for Kubernetes cluster nodes (see Yandex Compute Cloud pricing).
  • Fee for using the Managed Service for Kubernetes master and outgoing traffic (see Managed Service for Kubernetes pricing).
  • Fee for a Managed Service for Kubernetes cluster's public IP addresses (see Yandex Virtual Private Cloud pricing).
  • Fee for storing the secret and requests to it (see Yandex Lockbox pricing).

Set up a Managed Service for Kubernetes cluster

Warning

Integration with a workload identity federation only works for Managed Service for Kubernetes clusters 1.30 or higher in the rapid release channel.

To use the Yandex Cloud API, your cluster nodes must have internet access.

  1. If you do not have a Managed Service for Kubernetes cluster yet:

    1. Create a cluster.
    2. Create a node group.
    3. Set up security groups for the cluster and node group.
  2. To use the Yandex Cloud API, your cluster nodes must have internet access. Make sure your cluster nodes have public IP addresses assigned to them or the subnet they reside in has a configured NAT gateway. Also make sure the security group rules allow unrestricted outgoing traffic for your cluster nodes.

  3. Set up integration with a workload identity federation:

    Management console
    1. In the management console, select the folder with your cluster.
    2. In the list of services, select Managed Service for Kubernetes.
    3. Click next to the cluster and select Edit.
    4. In the Identity and access management field, enable workload identity federations.
    5. Click Save.
    6. Under Identity and access management on the cluster overview page, copy and save the Issuer URL and JWKS URL values. You will need them later.
  4. Create a Kubernetes service account:

    1. Connect to the Managed Service for Kubernetes cluster using kubectl.

    2. Create a manifest named service-account.yaml for the Kubernetes service account with the following contents:

      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: wlif
      
    3. Apply the manifest:

      kubectl apply -f service-account.yaml
      
    4. To check the ServiceAccount resource you created, run this command:

      kubectl describe serviceaccount wlif
      

      Result:

      Name:                wlif
      Namespace:           default
      ...
      
    5. Save the values of the Name and Namespace fields, as you will need them later.

Create a workload identity federation

Management console
  1. In the management console, select the folder you want to access via the Yandex Cloud API.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Workload identity federations.
  4. Click Create federation.
  5. In the Issuer value (iss) field, enter the Issuer URL value you previously saved, e.g., https://storage.yandexcloud.net/mk8s-oidc/v1/clusters/c49i54tk66ob********.
  6. In the Acceptable Audience values (AUD) field, enter the Issuer URL value as well.
  7. In the JWKS address field, enter the JWKS URL value you previously saved, e.g., https://storage.yandexcloud.net/mk8s-oidc/v1/clusters/c49i54tk66ob********/jwks.json.
  8. In the Name field, enter a name for the federation, e.g., test-iam-federation.
  9. Click Create.

Set up an IAM service account

  1. Create an IAM service account:

    Management console
    1. In the management console, select the folder with the Yandex Lockbox secret.
    2. In the list of services, select Identity and Access Management.
    3. Click Create service account.
    4. Enter a name for the service account, e.g., sa-lockbox.
    5. Click Create.
    6. Select the service account you created and save its ID, as you will need it later.
  2. Assign the lockbox.payloadViewer role for the folder to the service account:

    Management console
    1. In the management console, select the folder where you created the service account.
    2. Navigate to the Access bindings tab.
    3. Click Configure access.
    4. In the window that opens, select Service accounts.
    5. Select the service account you created earlier.
    6. Click Add role and select the lockbox.payloadViewer role.
    7. Click Save.

Link the IAM service account to the federation

Management console
  1. In the management console, select the folder the service account was created in.

  2. In the list of services, select Identity and Access Management.

  3. In the list of service accounts, select sa-lockbox.

  4. Navigate to the Workload identity federations tab.

  5. Click Link to federation.

  6. In the Workload identity federation field, select the federation you created earlier.

  7. In the Subject value (sub) field, specify the ID of the previously created Kubernetes service account in system:serviceaccount:<namespace>:<account_name> format, where:

    • namespace: Namespace field value for the Kubernetes service account, e.g., default.
    • account_name: Name field value for the Kubernetes service account, e.g., wlif.
  8. Click Link.

Create a Yandex Lockbox secret

Management console
  1. In the management console, select the folder where you want to create your secret.
  2. In the list of services, select Lockbox.
  3. Click Create secret.
  4. In the Name field, enter a name for the secret: MY_SECRET.
  5. Select Custom Secret type.
  6. In the Key field, enter a non-secret ID, e.g., test-secret.
  7. In the Value field, enter the confidential data you want to store, e.g., hello-world.
  8. Click Create.
  9. Save the ID of the secret. You will need it later.

Test the integration

  1. Connect to the Managed Service for Kubernetes cluster using kubectl.

  2. Create a test pod manifest named pod.yaml with the following contents:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-wlif
    spec:
      containers:
      - image: nginx
        name: nginx
        volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: sa-token
      serviceAccountName: wlif
      volumes:
      - name: sa-token
        projected:
          sources:
          - serviceAccountToken:
              path: sa-token
              expirationSeconds: 7200
              audience: https://storage.yandexcloud.net/mk8s-oidc/v1/clusters/c49i54tk66ob********
    

    Where:

    • spec:serviceAccountName: Name of the Kubernetes service account you created earlier.
    • spec:volumes:projected:sources:serviceAccountToken:audience: Acceptable Audience values (AUD) value set when creating the federation.
  3. Apply the manifest:

    kubectl apply -f pod.yaml
    
  4. Make sure the status of the new pod switched to Running:

    kubectl get pod test-wlif
    

    Result:

    NAME        READY   STATUS    RESTARTS   AGE
    test-wlif   1/1     Running   0          1m
    
  5. Access the container:

    kubectl exec test-wlif -it -- bash
    
  6. Set the required variables:

    SA_ID="<IAM_service_account_ID>" && \
    SECRET_ID="<Lockbox_secret_ID>" && \
    SA_TOKEN="$(cat /var/run/secrets/tokens/sa-token)"
    

    Where:

    • SA_ID: IAM service account ID you got earlier.
    • SECRET_ID: Yandex Lockbox secret ID you got earlier.
    • SA_TOKEN: Kubernetes service account token.
  7. Install jq:

    apt-get update >/dev/null 2>&1 && apt-get install -y jq >/dev/null 2>&1
    
  8. Get an IAM token:

    IAMTOKEN=$(curl -sH "Content-Type: application/x-www-form-urlencoded" \
      -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange&requested_token_type=urn:ietf:params:oauth:token-type:access_token&audience=${SA_ID}&subject_token=${SA_TOKEN}&subject_token_type=urn:ietf:params:oauth:token-type:id_token" \
      -X POST https://auth.yandex.cloud/oauth/token | jq -r '.access_token')
    
  9. Get the Yandex Lockbox secret:

    curl -sH "Authorization: Bearer ${IAMTOKEN}" \
      "https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/${SECRET_ID}/payload"
    

    Result:

    {
     "entries": [
      {
       "key": "test-secret",
       "textValue": "hello-world"
      }
     ],
     "versionId": "e6qsqiadrsnhduubgijb"
    }
    
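
The steps above (reading the projected token, exchanging it for an IAM token, and fetching the secret payload) can also be run as one script inside the pod. The following is an added example, not Yandex Cloud's own code or SDK: it uses only the Python standard library (`urllib`) against the two endpoints shown in the tutorial, and before exchanging the token it checks that the token's `iss`, `aud` and `sub` claims match the federation settings from the earlier sections (issuer URL, acceptable audience, and the `system:serviceaccount:<namespace>:<account_name>` subject). A mismatch in any of these is the usual reason the exchange is rejected, and the check names the offending claim instead of leaving you with an opaque error. The issuer, service account ID, secret ID and the sample token are constructed placeholders; the sample token is unsigned and exists only so the claim checks can be exercised offline, since a real projected token is signed by the cluster and verified by IAM against the JWKS URL.

```python
"""Preflight check and token exchange for a pod that mounts a projected
service account token (added example; IDs and the sample token are
constructed placeholders, not values from a real cluster)."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Endpoints exactly as used in the tutorial's curl commands.
TOKEN_URL = "https://auth.yandex.cloud/oauth/token"
LOCKBOX_PAYLOAD_URL = (
    "https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/{}/payload"
)
TOKEN_PATH = "/var/run/secrets/tokens/sa-token"  # mountPath + path from pod.yaml


def expected_subject(namespace, account_name):
    """Subject (sub) the federation link must carry for this Kubernetes SA."""
    return f"system:serviceaccount:{namespace}:{account_name}"


def decode_claims(jwt):
    """Return the payload claims of a compact JWT without verifying the signature.
    Signature verification is IAM's job (against the cluster JWKS); here we only
    read the claims to compare them with the federation configuration."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(jwt, issuer, audience, namespace, account_name, now=None):
    """Return a list of mismatches between token claims and federation settings.
    An empty list means the token exchange should be accepted."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != federation issuer {issuer!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        problems.append(f"aud {aud!r} does not contain acceptable audience {audience!r}")
    want_sub = expected_subject(namespace, account_name)
    if claims.get("sub") != want_sub:
        problems.append(f"sub {claims.get('sub')!r} != linked subject {want_sub!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired; kubelet rotates the projected token, re-read the file")
    return problems


def exchange_body(sa_id, subject_token):
    """Form body of the OAuth 2.0 token exchange request shown in the tutorial."""
    return urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": sa_id,  # the IAM service account the pod acts on behalf of
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
    })


def get_iam_token(sa_id, subject_token):
    """Exchange the Kubernetes SA token for an IAM token (network call)."""
    req = urllib.request.Request(
        TOKEN_URL, data=exchange_body(sa_id, subject_token).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_secret_payload(iam_token, secret_id):
    """Fetch the Lockbox payload and return it as {key: textValue} (network call)."""
    req = urllib.request.Request(LOCKBOX_PAYLOAD_URL.format(secret_id))
    req.add_header("Authorization", f"Bearer {iam_token}")
    with urllib.request.urlopen(req) as resp:
        return {e["key"]: e.get("textValue") for e in json.load(resp)["entries"]}


# Constructed, unsigned sample token for offline use of the claim checks only.
ISSUER = "https://storage.yandexcloud.net/mk8s-oidc/v1/clusters/<cluster_id>"


def make_unsigned_token(claims):
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_TOKEN = make_unsigned_token({
    "iss": ISSUER, "aud": [ISSUER],
    "sub": "system:serviceaccount:default:wlif",
    "iat": 1700000000, "exp": 4102444800,  # constructed; exp far in the future
})

if __name__ == "__main__":
    import sys
    with open(TOKEN_PATH) as f:
        token = f.read().strip()
    problems = check_token(token, ISSUER, ISSUER, "default", "wlif")
    if problems:
        sys.exit("token does not match federation settings:\n  " + "\n  ".join(problems))
    iam = get_iam_token("<IAM_service_account_ID>", token)
    print(get_secret_payload(iam, "<Lockbox_secret_ID>"))
```

Replace `ISSUER`, the service account ID and the secret ID with the values saved in the earlier sections before running the script in the pod. The `audience` in `pod.yaml` and the federation's Acceptable Audience value must be the same string; `check_token` reports that mismatch before any request leaves the pod.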

How to delete the resources you created

To stop paying for the resources you created:

  • Delete the Yandex Lockbox secret.
  • Delete the Managed Service for Kubernetes node group.
  • Delete the Managed Service for Kubernetes cluster.

See also

  • Workload identity federations
  • Getting the Yandex Lockbox secret value on the custom Kubernetes installation side
