Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Configuring permissions for access to a secret created by Yandex Connection Manager for a Yandex Managed Service for PostgreSQL user

Written by
Updated at March 31, 2026

You can get a Managed Service for PostgreSQL user's password from the Yandex Lockbox secret. You can do it via the Yandex Cloud CLI. Do it by permitting the service account you are using to log in to the Yandex Cloud CLI to access the user's secret. You can get the secret-related information you need to configure the permissions from the Connection Manager connection.

To configure permissions for access to a user's secret:

  1. Create the required infrastructure and configure permissions for access to the user's secret.
  2. Get the user password from the secret.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can create or select a folder for your infrastructure on the cloud page.

Learn more about clouds and folders here.

Connection Manager and the secrets created with it are free of charge.

Configure permissions for access to a Managed Service for PostgreSQL user's secret

  1. If you do not have Terraform yet, install it.

  2. Get the authentication credentials. You can add them to environment variables or specify them later in the provider configuration file.

  3. Configure and initialize a provider. There is no need to create a provider configuration file manually, you can download it.

    Warning

    Requires Yandex provider version 0.160.0 or higher. If the provider version is not explicitly specified in the configuration, Terraform will automatically download the latest compatible version.

  4. Place the configuration file in a separate working directory and specify the parameter values. If you did not add the authentication credentials to environment variables, specify them in the configuration file.

  5. Download the conn-man-secret-access.tf configuration file to the same working directory.

    This file describes:

    • Managed Service for PostgreSQL cluster.
    • Setting up service account permissions to access the Managed Service for PostgreSQL user's secret.
    • Getting connection ID and secret ID.

  6. Specify the following in the configuration file:

    • network_id: Network ID for the cluster.
    • subnet_id: Subnet ID in the ru-central1-a availability zone for the cluster.
    • pg_cluster_version: PostgreSQL version.
    • pg_cluster_name: Cluster name.
    • pg_cluster_db: Cluster database name.
    • pg_cluster_username: Cluster username.
    • pg_cluster_password: User password.
    • lockbox_sa_id: ID of the service account for which access to the secret will be configured.

  7. Validate your Terraform configuration files using this command:

    terraform validate

    Terraform will display any configuration errors detected in your files.

  8. Create the required infrastructure:

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    All the required resources will be created in the specified folder. You can check resource availability and their settings in the management console.

  9. After you apply the configuration, Terraform will output the connection and secret IDs.

    Here is an example of the command output:

    Outputs:

connection_id = "a59v09bb8907********"
connection_info = "e6q2rjghh9bc********"

    Save the connection_info secret ID for later to get the user password.

Get the user password from the Yandex Lockbox secret

  1. Authenticate to the Yandex Cloud CLI as a service account using an authorized key.

  2. Get the user password from the secret and save it to the PASSWORD variable:

    PASSWORD=$(yc lockbox payload get <secret_ID> \
  --format json \
  | jq -r '.entries[] | select(.key=="postgresql_password") | .text_value')

  3. To view the saved password, run this command:

    echo "$PASSWORD"

Delete the resources you created

Some resources are not free of charge. Delete the resources you no longer need to avoid paying for them:

  1. In the terminal window, go to the directory containing the infrastructure plan.

    Warning

    Make sure the directory has no Terraform manifests with the resources you want to keep. Terraform deletes all resources that were created using the manifests in the current directory.

  2. Delete resources:

    1. Run this command:

      terraform destroy

    2. Confirm deleting the resources and wait for the operation to complete.

    All the resources described in the Terraform manifests will be deleted.

Previous
Using a Yandex Lockbox secret in a PySpark job to connect to Yandex Managed Service for PostgreSQL
Next
Migrating a database from Greenplum® to ClickHouse®