Providing Yandex Lockbox secrets to a container
Note
This feature is in the Preview stage.
Yandex Lockbox is designed to store secrets. You can provide a Yandex Lockbox secret to a container via an environment variable.
For a container to get access to a secret, edit its settings to specify a service account with the following roles assigned:
- lockbox.payloadViewer for the secret (learn how to assign access permissions for a secret here).
- kms.keys.encrypterDecrypter for the encryption key if the secret was created using a Yandex Key Management Service key (learn how to assign access permissions for an encryption key here).
A Lockbox secret provided to a container is cached in Serverless Containers. After the service account loses access to the secret, the container may retain it for up to five minutes.
Providing Yandex Lockbox secrets creates a new container revision. You cannot provide secrets to an existing revision.
- In the management console, select the folder with your container.
- Navigate to Serverless Containers.
- Select the container you want to provide a secret to.
- Navigate to the Editor tab.
- In the window that opens, under Image settings, specify the following in the Lockbox secrets field:
  - Name of the environment variable to store the secret.
  - Secret ID.
  - Secret version ID.
  - Key of a key-value pair in the secret version.
- Click Add. You can provide multiple secrets to a container. To do this, click Add.
- Click Create revision. This will create a new container revision with the specified secrets.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
To provide Yandex Lockbox secrets to a container, run this command:
Warning
If secrets were already provided to the previous revision, they will be overwritten.
```
yc serverless container revision deploy \
  --container-name test \
  --image cr.yandex/<registry_ID>/repository:tag \
  --cores 1 \
  --memory 1GB \
  --service-account-id <service_account_ID> \
  --secret environment-variable=<environment_variable_name>,id=<secret_ID>,version-id=<secret_version_ID>,key=<secret_key>
```
Where:
- --container-name: Container name.
- --image: Docker image URL.
- --cores: Number of cores available to the container.
- --memory: Required memory. The default value is 128 MB.
- --service-account-id: ID of the service account with the lockbox.payloadViewer role.
- --secret: Secret to provide to the container, specified as a comma-separated list of key=value pairs:
  - environment-variable: Name of the environment variable that will store the secret.
  - id: Secret ID.
  - version-id: Secret version ID.
  - key: Key of a key-value pair in the secret version.
You can provide multiple secrets to a container. To do this, specify --secret as many times as needed.
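A small helper for the CLI path above: it assembles the repeated --secret flags for several secrets and rejects entries that would corrupt the key=value,... list or silently overwrite one another. This is an added example, not the Yandex Cloud documentation's or the yc CLI's own code; the secret and version IDs in it are placeholders in the same form the page uses.

```sh
#!/bin/sh
# Added helper, not part of the Yandex Cloud docs or the yc CLI: turns lines of
# the form ENV_VAR:SECRET_ID:VERSION_ID:KEY into the repeated --secret flags of
# `yc serverless container revision deploy`, validating each entry first.

# Reads entries on stdin and prints one
#   --secret environment-variable=...,id=...,version-id=...,key=...
# line per entry; returns non-zero at the first invalid entry.
build_secret_args() {
    seen=""
    while IFS=: read -r env_var secret_id version_id key; do
        [ -z "$env_var" ] && continue              # skip blank lines
        # The name must be a POSIX identifier: no leading digit, only [A-Za-z0-9_].
        case "$env_var" in
            [0-9]*|*[!A-Za-z0-9_]*)
                echo "invalid environment variable name: $env_var" >&2; return 1 ;;
        esac
        # Two entries with the same name would overwrite each other in the revision.
        case " $seen " in
            *" $env_var "*) echo "duplicate environment variable: $env_var" >&2; return 1 ;;
        esac
        seen="$seen $env_var"
        # yc parses the value as key=value pairs separated by commas, so an empty
        # field or a ',' / '=' inside one would be misread as another pair.
        for field in "$secret_id" "$version_id" "$key"; do
            case "$field" in
                ""|*[,=]*) echo "malformed entry for $env_var" >&2; return 1 ;;
            esac
        done
        printf '%s environment-variable=%s,id=%s,version-id=%s,key=%s\n' \
            --secret "$env_var" "$secret_id" "$version_id" "$key"
    done
}

# Constructed sample: two keys of the same Lockbox secret version (IDs are placeholders).
SECRETS='DB_PASSWORD:<secret_ID>:<secret_version_ID>:db-password
API_TOKEN:<secret_ID>:<secret_version_ID>:api-token'

# To deploy, pass the generated flags to yc (commented out so the script runs offline):
# set -- $(printf '%s\n' "$SECRETS" | build_secret_args)
# yc serverless container revision deploy --container-name test \
#   --image cr.yandex/<registry_ID>/repository:tag --cores 1 --memory 1GB \
#   --service-account-id <service_account_ID> "$@"
printf '%s\n' "$SECRETS" | build_secret_args
```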
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), authenticate using the appropriate method.
- Open the Terraform configuration file and add the secrets section to the container description:
  ```
  resource "yandex_serverless_container" "test-container" {
    name               = "<container_name>"
    memory             = <memory_size>
    service_account_id = "<service_account_ID>"
    secrets {
      id                   = "<secret_ID>"
      version_id           = "<secret_version_ID>"
      key                  = "<secret_1_key>"
      environment_variable = "<environment_variable_1_name>"
    }
    secrets {
      id                   = "<secret_ID>"
      version_id           = "<secret_version_ID>"
      key                  = "<secret_2_key>"
      environment_variable = "<environment_variable_2_name>"
    }
    image {
      url = "<Docker_image_URL>"
    }
  }
  ```
  Where:
  - secrets: Section with secret configuration. It contains the following settings:
    - id: Secret ID. This is a required setting.
    - version_id: Secret version ID. This is a required setting.
    - key: Key of a secret version's key-value pair that will be stored in the environment variable. This is a required setting.
    - environment_variable: Name of the environment variable that will store the secret. This is a required setting.
  For more information about yandex_serverless_container properties, see this provider guide.
- Apply the changes:
  - In the terminal, navigate to the configuration file directory.
  - Make sure the configuration is correct using this command:
    ```
    terraform validate
    ```
    If the configuration is valid, you will get this message:
    ```
    Success! The configuration is valid.
    ```
  - Run this command:
    ```
    terraform plan
    ```
    You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
  - Apply the configuration changes:
    ```
    terraform apply
    ```
  - Type yes and press Enter to confirm the changes.
- You can check the container update and its settings in the management console.
To provide a Yandex Lockbox secret to a container, use the deployRevision REST API method for the Container resource or the ContainerService/DeployRevision gRPC API call.