Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Creating an access key

Written by
Updated at April 8, 2026

To use Object Storage via the S3 API you need an access key. Access keys are created in Identity and Access Management using a service account.

Getting started

  1. Make sure you have a project.
  2. Make sure there is a bucket in your project.

  1. Create a service account in your project:

    kubectl create serviceaccount <service_account_name> -n <project_name>

  2. Assign to the service account the storage.editor role for access to buckets:

    apiVersion: iam.stackland.yandex.cloud/v1alpha1
kind: AccessBinding
metadata:
  name: <service_account_name>-storage-access
  namespace: <project_name>
spec:
  roleID: storage.editor
  subject:
    kind: ServiceAccount
    name: <service_account_name>
    namespace: <project_name>

    Save the manifest to a file named access-binding.yaml and apply it:

    kubectl apply -f access-binding.yaml

  3. Create a static access key for the service account:

    apiVersion: iam.stackland.yandex.cloud/v1alpha1
kind: APIKey
metadata:
  name: <service_account_name>-s3-key
  namespace: <project_name>
spec:
  serviceAccountRef:
    name: <service_account_name>
  secretName: <service_account_name>-s3-credentials

    Save the manifest to a file named api-key.yaml and apply it:

    kubectl apply -f api-key.yaml

  4. Get the access key and secret key from the secret you created:

    export AWS_ACCESS_KEY_ID=$(kubectl get secret -n <project_name> <service_account_name>-s3-credentials -o jsonpath='{.data.accessKeyId}' | base64 -d)
export AWS_SECRET_ACCESS_KEY=$(kubectl get secret -n <project_name> <service_account_name>-s3-credentials -o jsonpath='{.data.secretAccessKey}' | base64 -d)

  5. Check your connection to Object Storage:

    export CLUSTER_DOMAIN=$(kubectl get platformenvironments main -o jsonpath='{.status.clusterDomain}')
aws --endpoint-url=https://storage.sys.$CLUSTER_DOMAIN s3 ls

  1. If you have not opened a project yet, select one.

  2. In the left-hand menu, select Service accounts.

  3. Click Create service account.

  4. Enter a name for the service account and click Create.

  5. Select the new service account.

  6. Go to the Access keys tab.

  7. Click Create key.

  8. Save the Access Key ID and Secret Access Key.

    Warning

    The secret key is only displayed once. Save it to a secure location.

  9. Assign the storage.editor role to the service account:

    1. Go to the Access permissions section of your project.
    2. Click Assign role.
    3. Select the storage.editor role.
    4. Select the new service account as the subject.
    5. Click Assign.

Available roles

  • storage.viewer: Allows you to read objects and get a bucket list.
  • storage.editor: Allows you to read, create, edit, and delete objects.
  • storage.admin: Full access to Object Storage, including bucket settings management.

What's next

Previous
Creating a bucket
Next
Deleting a bucket