© 2026 Direct Cursus Technology L.L.C.

Providing Yandex Lockbox secrets to a container

Written by
Yandex Cloud
Updated at July 1, 2026

Note

This feature is in the Preview stage.

Yandex Lockbox is designed to store secrets. You can provide a Yandex Lockbox secret to a container via an environment variable.

For a container to get access to a secret, edit its settings to specify a service account with the following roles assigned:

  • lockbox.payloadViewer for the secret (learn how to assign access permissions for a secret here).
  • kms.keys.encrypterDecrypter for the encryption key if the secret was created using a Yandex Key Management Service key (learn how to assign access permissions for an encryption key here).

A Lockbox secret provided to a container is cached in Serverless Containers. After the service account loses access to the secret, the container may retain it for up to five minutes.

Providing Yandex Lockbox secrets creates a new container revision. You cannot provide secrets to an existing revision.

Management console

  1. In the management console, select the folder with your container.

  2. Navigate to Serverless Containers.

  3. Select a container you want to provide a secret to.

  4. Navigate to the Editor tab.

  5. In the window that opens, under Image settings, specify the following in the Lockbox secrets field:

    • Name of the environment variable to store the secret.
    • Secret ID.
    • Secret version ID.
    • Key of a key-value pair in the secret version.
  6. Click Add.

    You can provide multiple secrets to a container. To do this, click Add.

  7. Click Create revision. This will create a new container revision with the specified secrets.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

To provide Yandex Lockbox secrets to a container, run this command:

Warning

If secrets were already provided to the previous revision, they will be overwritten.

yc serverless container revision deploy \
   --container-name test \
   --image cr.yandex/<registry_ID>/repository:tag \
   --cores 1 \
   --memory 1GB \
   --service-account-id <service_account_ID> \
   --secret environment-variable=<environment_variable_name>,id=<secret_ID>,version-id=<secret_version_ID>,key=<secret_key>

Where:

  • --container-name: Container name.

  • --image: Docker image URL.

  • --cores: Number of cores available to the container.

  • --memory: Required memory. The default value is 128 MB.

  • --service-account-id: ID of the service account with the lockbox.payloadViewer role.

  • --secret:

    • environment-variable: Name of the environment variable that will store the secret.
    • id: Secret ID.
    • version-id: Secret version ID.
    • key: Key of a key-value pair in the secret version.

    You can provide multiple secrets to a container. To do this, specify --secret as many times as needed.
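
A pre-deploy check for the --secret values described above, as an added example (not Yandex Cloud's code). It assumes POSIX-style variable names and values without commas, and treats two secrets mapped to the same variable as an error; the sample IDs are constructed.

```python
import re

# The four sub-keys of --secret listed above.
REQUIRED = ("environment-variable", "id", "version-id", "key")
# Assumption: POSIX-style names; the page does not state naming rules.
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def parse_secret_spec(spec):
    """Split one --secret value into its sub-keys; raise ValueError if malformed."""
    fields = {}
    for part in spec.split(","):  # assumption: values contain no commas
        name, sep, value = part.partition("=")
        if not sep or name not in REQUIRED:
            raise ValueError(f"unexpected sub-key {part!r}")
        if name in fields:
            raise ValueError(f"sub-key {name} given twice")
        if not value or value.startswith("<"):
            raise ValueError(f"{name} is empty or still a <placeholder>")
        fields[name] = value
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("missing sub-key(s): " + ", ".join(missing))
    if not ENV_NAME.match(fields["environment-variable"]):
        raise ValueError("invalid environment variable name")
    return fields

def lint_secret_specs(specs):
    """Return a list of problems for all --secret values of one deploy (empty = OK)."""
    problems, seen = [], {}
    for index, spec in enumerate(specs, 1):
        try:
            var = parse_secret_spec(spec)["environment-variable"]
        except ValueError as err:
            problems.append(f"--secret #{index}: {err}")
            continue
        if var in seen:  # assumption: one variable should map to one secret key
            problems.append(f"--secret #{index}: {var} already set by #{seen[var]}")
        seen.setdefault(var, index)
    return problems

# Constructed sample values, not real secret or version IDs.
SAMPLE = [
    "environment-variable=DB_PASSWORD,id=example-secret-id,version-id=example-version-id,key=password",
    "environment-variable=DB_PASSWORD,id=example-secret-id,version-id=example-version-id,key=token",
    "environment-variable=API_TOKEN,id=example-secret-id,key=token",
]

if __name__ == "__main__":
    for problem in lint_secret_specs(SAMPLE):
        print(problem)
```
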

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.

  1. Open the Terraform configuration file and add the secrets section to the container description:

    resource "yandex_serverless_container" "test-container" {
      name               = "<container_name>"
      memory             = <memory_size>
      service_account_id = "<service_account_ID>"
      secrets {
        id                   = "<secret_ID>"
        version_id           = "<secret_version_ID>"
        key                  = "<secret_1_key>"
        environment_variable = "<environment_variable_1_name>"
      }
      secrets {
        id                   = "<secret_ID>"
        version_id           = "<secret_version_ID>"
        key                  = "<secret_2_key>"
        environment_variable = "<environment_variable_2_name>"
      }
      image {
        url = "<Docker_image_URL>"
      }
    }
    

    Where:

    • secrets: Section with secret configuration. It contains the following settings:
      • id: Secret ID. This is a required setting.
      • version_id: Secret version ID. This is a required setting.
      • key: Key of a secret version’s key-value pair that will be stored in the environment variable. This is a required setting.
      • environment_variable: Name of the environment variable that will store the secret. This is a required setting.

    For more information about yandex_serverless_container properties, see this provider guide.

  2. Apply the changes:

    1. In the terminal, navigate to the configuration file directory.

    2. Make sure the configuration is correct using this command:

      terraform validate
      

      If the configuration is valid, you will get this message:

      Success! The configuration is valid.
      
    3. Run this command:

      terraform plan
      

      You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.

    4. Apply the configuration changes:

      terraform apply
      
    5. Type yes and press Enter to confirm the changes.

You can check the container update and its settings in the management console.

API

To provide a Yandex Lockbox secret to a container, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.
