Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

yandex_iam_service_account_api_key (Resource)

Written by
Updated at September 11, 2025

Allows management of a Yandex Cloud IAM service account API key. The API key is a private key used for simplified authorization in the Yandex Cloud API. API keys are only used for service accounts.

API keys do not expire. This means that this authentication method is simpler, but less secure. Use it if you can't automatically request an IAM token.

Example usage

//
// Create a new IAM Service Account API Key.
//
resource "yandex_iam_service_account_api_key" "sa-api-key" {
  service_account_id = "aje5a**********qspd3"
  description        = "api key for authorization"
  scopes             = ["yc.ydb.topics.manage", "yc.ydb.tables.manage"]
  expires_at         = "2024-11-11T00:00:00Z"
  pgp_key            = "keybase:keybaseusername"
}

Schema

Required

  • service_account_id (String) ID of the service account to an API key for.

Optional

  • description (String) The resource description.
  • expires_at (String) The key will be no longer valid after expiration timestamp.
  • output_to_lockbox (Block List, Max: 1) option to create a Lockbox secret version from sensitive outputs (see below for nested schema)
  • pgp_key (String) An optional PGP key to encrypt the resulting secret key material. May either be a base64-encoded public key or a keybase username in the form keybase:keybaseusername.
  • scope (String, Deprecated) The scope of the key.
  • scopes (List of String) The list of scopes of the key.

Read-Only

  • created_at (String) The creation timestamp of the resource.
  • encrypted_secret_key (String) The encrypted secret key, base64 encoded. This is only populated when pgp_key is supplied.
  • id (String) The ID of this resource.
  • key_fingerprint (String) The fingerprint of the PGP key used to encrypt the secret key. This is only populated when pgp_key is supplied.
  • output_to_lockbox_version_id (String) ID of the Lockbox secret version that contains the value of secret_key. This is only populated when output_to_lockbox is supplied. This version will be destroyed when the IAM key is destroyed, or when output_to_lockbox is removed.
  • secret_key (String, Sensitive) The secret key. This is only populated when neither pgp_key nor output_to_lockbox are provided.

Nested Schema for output_to_lockbox

Required:

  • entry_for_secret_key (String) entry that will store the value of secret_key
  • secret_id (String) ID of the Lockbox secret where to store the sensible values.

Import

Warning

Import for this resource is not implemented yet.

Previous
iam_service_account
Next
iam_service_account_iam_binding