© 2025 Direct Cursus Technology L.L.C.
Managing Yandex Key Management Service keys with Hashicorp Terraform

Written by
Yandex Cloud
Improved by
Danila N.
Updated at April 22, 2025
  • Adding keys
  • Managing key access
  • See also

The Terraform provider for Yandex Cloud supports the use of Yandex Key Management Service keys.

Adding keys

To create a key:

  1. Describe the parameters of the yandex_kms_symmetric_key resource in the configuration file:

    resource "yandex_kms_symmetric_key" "key-a" {
      name                = "<key_name>"
      description         = "<key_description>"
      default_algorithm   = "AES_128"
      rotation_period     = "8760h"
      deletion_protection = true
      lifecycle {
        prevent_destroy = true
      }
    }
    

    Where:

    • name: Key name. The name must meet these requirements:

      • It must be from 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.
    • description: Key description.

    • default_algorithm: Encryption algorithm. The possible values are AES_128, AES_192, or AES_256.

    • rotation_period: Rotation period (how often to change key versions). To create a key without automatic rotation, do not specify the rotation_period parameter.

    • deletion_protection: Key deletion protection. To create a key without deletion protection, do not specify the deletion_protection parameter.

    • lifecycle.prevent_destroy: Key deletion protection when running Terraform commands. To create a key without such protection, do not specify the lifecycle section.

    Warning

    Deleting a KMS key destroys all data encrypted with that key: the data becomes unrecoverable after the key is deleted. Both the deletion_protection parameter (protection on the service side) and the lifecycle section (protection on the Terraform side) are required to prevent the deletion of the key, e.g., by the terraform destroy command.

    For more information about resource parameters in Terraform, see the provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    This will create all the resources you need in the specified folder. You can check the new resources and their configuration using the management console or these CLI commands:

    yc kms symmetric-key list
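
The steps above, assembled into one complete configuration as an added example (this is not the article's own code or a Yandex Cloud reference configuration). It assumes provider credentials come from the environment, that the folder ID is supplied as a variable, and that the key names and descriptions are constructed for the example. It goes slightly beyond the article by validating the algorithm value up front and placing a non-rotated, unprotected key next to the protected one so the two deletion behaviours can be compared in the same plan.

```hcl
terraform {
  required_providers {
    yandex = {
      source = "yandex-cloud/yandex"
    }
  }
}

# Assumption: YC_TOKEN or YC_SERVICE_ACCOUNT_KEY_FILE is set in the
# environment, so only the target folder is configured here.
variable "folder_id" {
  type        = string
  description = "ID of the folder that will own the keys (placeholder, set via terraform.tfvars)"
}

# Reject anything other than the three values the provider accepts
# at `terraform validate` time, before a plan is even produced.
variable "key_algorithm" {
  type        = string
  default     = "AES_256"
  description = "Symmetric algorithm for the data-at-rest key"

  validation {
    condition     = contains(["AES_128", "AES_192", "AES_256"], var.key_algorithm)
    error_message = "key_algorithm must be one of AES_128, AES_192 or AES_256."
  }
}

provider "yandex" {
  folder_id = var.folder_id
}

# Production key: yearly rotation, deletion protection on the service
# side (deletion_protection) and on the Terraform side (prevent_destroy).
# `terraform destroy` fails on this resource instead of removing the key.
resource "yandex_kms_symmetric_key" "data_at_rest" {
  name                = "data-at-rest"
  description         = "Envelope-encryption key for application data (constructed example)"
  default_algorithm   = var.key_algorithm
  rotation_period     = "8760h"
  deletion_protection = true

  lifecycle {
    prevent_destroy = true
  }
}

# Scratch key for a test environment: no rotation_period and no
# deletion protection, so `terraform destroy` removes it cleanly.
# Only use such a key where nothing durable is encrypted with it.
resource "yandex_kms_symmetric_key" "ci_scratch" {
  name              = "ci-scratch"
  description       = "Short-lived key for CI runs (constructed example)"
  default_algorithm = "AES_128"
}

# Exposed so other modules or scripts can reference the key ID.
output "data_at_rest_key_id" {
  value = yandex_kms_symmetric_key.data_at_rest.id
}
```

Running `terraform validate`, `terraform plan` and `terraform apply` against this file follows steps 2 to 5 exactly; `yc kms symmetric-key list` should then show both keys, with only data-at-rest reporting deletion protection and a rotation period.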
    

Managing key access

To manage access to keys in Terraform, assign the necessary roles for the folder that contains the key.

For example, assign the kms.keys.encrypterDecrypter role to a service account, permitting it to encrypt and decrypt data with any key in a specific folder:

resource "yandex_resourcemanager_folder_iam_member" "admin" {
  folder_id = "<folder_ID>"
  role      = "kms.keys.encrypterDecrypter"
  member    = "serviceAccount:<service_account_ID>"
}
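
As an added example that is not part of the article, the same folder-level binding split along least-privilege lines: one service account may only encrypt, another may only decrypt. The kms.keys.encrypter and kms.keys.decrypter roles are standard Key Management Service roles but are not mentioned in the article; the service account names and the assumption that the accounts are created in the same configuration are constructed for this example.

```hcl
variable "folder_id" {
  type        = string
  description = "ID of the folder that contains the keys (placeholder)"
}

# Writer side: produces ciphertext and never needs plaintext back.
resource "yandex_iam_service_account" "ingest" {
  name        = "ingest-writer"
  description = "Encrypts incoming records (constructed example)"
  folder_id   = var.folder_id
}

# Reader side: consumes stored records and never creates new ciphertext.
resource "yandex_iam_service_account" "reporting" {
  name        = "reporting-reader"
  description = "Decrypts stored records for reports (constructed example)"
  folder_id   = var.folder_id
}

# Encrypt-only on every key in the folder. A compromised writer cannot
# read back what it or anyone else has encrypted.
resource "yandex_resourcemanager_folder_iam_member" "ingest_encrypt" {
  folder_id = var.folder_id
  role      = "kms.keys.encrypter"
  member    = "serviceAccount:${yandex_iam_service_account.ingest.id}"
}

# Decrypt-only. A compromised reader cannot forge new ciphertext that
# the rest of the system would accept as legitimately produced.
resource "yandex_resourcemanager_folder_iam_member" "reporting_decrypt" {
  folder_id = var.folder_id
  role      = "kms.keys.decrypter"
  member    = "serviceAccount:${yandex_iam_service_account.reporting.id}"
}
```

Using `yandex_resourcemanager_folder_iam_member` rather than `yandex_resourcemanager_folder_iam_binding` adds the two grants without replacing any other members already holding those roles on the folder, which keeps the change reviewable in `terraform plan` as two additions rather than a rewrite of the folder's access list.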

See also

  • Getting started with Terraform.
  • Access management in Key Management Service.
  • Yandex Cloud provider documentation.
  • Encrypting data using the Yandex Cloud CLI and API.
