Discuss with expertTry it for free
© 2026 Direct Cursus Technology L.L.C.

Secure password transmission to an initialization script using the management console, CLI, or API

Written by
Updated at May 28, 2026

To create a VM while protecting sensitive information in the initialization script using the management console, CLI, or API:

  1. Get your cloud ready.
  2. Create a service account.
  3. Create a KMS key.
  4. Create a secret.
  5. Create a VM.
  6. Log in to Windows.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or create a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can create or select a folder for your infrastructure on the cloud page.

Learn more about clouds and folders here.

The infrastructure support cost includes:

Create a service account

  1. In the management console, select the folder where you want to create your service account.
  2. Go to Identity and Access Management.
  3. Click Create service account.
  4. Enter the service account name, e.g., win-secret-sa.
  5. Click Create.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

To create a service account, run the command below, specifying win-secret-sa as the service account name:

yc iam service-account create --name win-secret-sa

Where name is the service account name.

Result:

id: ajehr0to1g8b********
folder_id: b1gv87ssvu49********
created_at: "2024-03-15T09:03:11.665153755Z"
name: win-secret-sa

To create a service account, use the ServiceAccountService/Create gRPC API call or the create REST API method for the ServiceAccount resource.

Create a KMS key

  1. Create an encryption key:

    1. In the management console, select the folder to create your key pair in.
    2. Go to Key Management Service.
    3. In the left-hand panel, select  Symmetric keys.
    4. Click Create key and specify its attributes:
      • Name: win-secret-key.
      • Encryption algorithm: AES-256.
      • Keep the default values for all other parameters.
    5. Click Create.

    This will create a key and its first version; click the key in the list to open its attribute page.

    Run this command:

    yc kms symmetric-key create \
  --name win-secret-key \
  --default-algorithm aes-256

    Where:

    • --name: Key name.
    • --default-algorithm: Encryption algorithm: aes-128, aes-192, or aes-256.

    Use the create REST API method for the SymmetricKey resource or the SymmetricKeyService/Create gRPC API call.

  2. Assign the kms.keys.encrypterDecrypter role to the win-secret-sa service account:

    1. Navigate to the Access permissions tab on the key page.
    2. On the Service account access permissions page, find the win-secret-sa account in the list and click .
    3. Click Edit roles.
    4. In the dialog that opens, click Add role and select kms.keys.encrypterDecrypter.

    Run this command:

    yc resource-manager folder add-access-binding <folder_ID> \
  --role kms.keys.encrypterDecrypter \
  --subject serviceAccount:<service_account_ID>

    To assign a role for a folder to a service account, use the setAccessBindings REST API method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

Create a secret

Create a Yandex Lockbox secret to save usernames and passwords of Windows user accounts.

Warning

When selecting passwords, make sure to comply with mandatory password requirements.
These password requirements are:

  • At least 8 characters long.
  • Does not incude the account name.
  • Must include three of the following:
    • Latin uppercase letters (A-Z)
    • Latin lowercase letters (a-z)
    • Numbers (0-9)
    • Non-alphanumeric characters (!, ?, %, $, #, etc.)
  1. Go to Lockbox.
  2. Click Create secret.
  3. In the Name field, specify the secret name: win-secret.
  4. In the KMS key field, specify the win-secret-key key.
  5. Under Version:
    • In the Key field, enter the admin login: Administrator.
    • In the Value, specify the administrator password.
  6. You can add more users if needed by clicking Add key/value and specifying their usernames and passwords.
  7. Click Create.

  1. Run this command:

    yc lockbox secret create \
  --name win-secret \
  --kms-key-id <key_ID> \
  --payload "[{'key': 'Administrator', 'text_value': '<administrator_password>'},{'key': 'user1', 'text_value': '<user_password>'}]" \
  --cloud-id <cloud_ID> \
  --folder-id <folder_ID>

    Where:

    • --name: Secret name (required).
    • --kms-key-id: KMS key ID.
    • --description: Secret description This is an optional setting.
    • --payload: Secret content in YAML or JSON format.
    • --cloud-id: ID of the cloud where you want to create your secret.
    • --folder-id: ID of the folder where you want to create your secret.

To create a secret, use the create REST API method for the Secret resource or the SecretService/Create gRPC API call.

  1. Assign the lockbox.payloadViewer role to the win-secret-sa service account:

    1. Navigate to the Access permissions tab on the secret page.
    2. Navigate to the Access bindings tab.
    3. Find the win-secret-sa account in the list and click .
    4. Click Edit roles.
    5. In the dialog that opens, click Add role and select lockbox.payloadViewer.

    Run this command:

    yc resource-manager folder add-access-binding <folder_ID> \
  --role lockbox.payloadViewer \
  --subject serviceAccount:<service_account_ID>

Create a VM

Create a Windows VM and add the administrator and user accounts to it.

  1. Create the init.ps1 file with the following code:

    #ps1

# logging
Start-Transcript -Path "$ENV:SystemDrive\provision2.txt" -IncludeInvocationHeader -Force
"Bootstrap script started" | Write-Host

# SECRET'S ID:
$SecretID = "<secret_id>"

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$SecretURL = "https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/$SecretID/payload"

"Secret ID is $SecretID"
"Payload URL is $SecretURL"

$YCToken = (Invoke-RestMethod -Headers @{'Metadata-Flavor'='Google'} -Uri "http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token").access_token
if (!$YCToken) {
    throw "Service Account doesn't connected to VM. Please, add Service account with roles lockbox.payloadViewer and kms.keys.encrypterDecrypter to VM and try again."
}

# Creating parameters for REST-invokations
$Headers = @{
    Authorization="Bearer $YCToken"
}

$Params = @{
    Uri = $SecretURL
    Method = "GET"
    Headers = $Headers
}

# Getting secret via REST invoke
$Secret = Invoke-RestMethod @Params
$SecretAdministratorPlainTextPassword = $Secret.entries[0].textValue

# inserting value's from terraform
if (-not [string]::IsNullOrEmpty($SecretAdministratorPlainTextPassword)) {
    "Set local administrator password" | Write-Host
    $SecretAdministratorPassword = $SecretAdministratorPlainTextPassword | ConvertTo-SecureString -AsPlainText -Force
    # S-1-5-21domain-500 is a well-known SID for Administrator
    # https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows
    $Administrator = Get-LocalUser | Where-Object -Property "SID" -like "S-1-5-21-*-500"
    $Administrator | Set-LocalUser -Password $SecretAdministratorPassword
}

# Creating new users if any
if($Secret.entries.count -gt 1) {
    foreach($User in $Secret.entries[1..($Secret.entries.count-1)]){
        $SecretUserPassword = $User.textValue | ConvertTo-SecureString -AsPlainText -Force
        New-LocalUser -Name $User.key -Password $SecretUserPassword -FullName $User.key
        Add-LocalGroupMember -Group Users -Member $User.key
        Add-LocalGroupMember -Group "Remote Desktop Users" -Member $User.key
    }
}

"Bootstrap script ended" | Write-Host

  2. Replace <secret_id> with the ID of the secret with user account data you created in the previous step.

  3. Create a VM:

    1. In the management console, select the folder where you want to create your VM.
    2. At the top right, click Create resource and select Virtual machine instance.
    3. Under Boot disk image, select the Windows image.
    4. Under Location, select the availability zone where your VM will reside.
    5. Under General information, specify the VM name, e.g., win-test.
    6. Under Advanced, specify the VM access credentials:
    7. Under Metadata:
      • In the Key field, specify user-data.
      • In the Value field, paste the contents of the init.ps1 file.
    8. Click Create VM.

    Run this command:

    yc compute instance create \
  --name win-test \
  --hostname windows10 \
  --zone ru-central1-a \
  --create-boot-disk image-id=<image_ID> \
  --cores 2 \
  --core-fraction 100 \
  --memory 4 \
  --metadata-from-file user-data=init.ps1  \
  --network-interface subnet-name=<subnet_name>,nat-ip-version=ipv4 \
  --service-account-name win-secret-sa \
  --platform standard-v3

    Where:

    • image_id: Windows image ID.
    • subnet_name: Name of the subnet where your VM will get connected.

    Note

    The commands yc compute instance create | create-with-container | update | add-metadata support substitution of environment variable values into VM metadata. When you execute a Yandex Cloud CLI command, these values, specified in the user-data key in $<variable_name> format, will be substituted into the VM metadata from the environment variables of the environment the command is executed in.

    To change such behavior, i.e. to provide a variable name to the VM metadata in $<variable_name> format rather than take the variable value from the CLI command runtime environment, use the two-dollar syntax, e.g., $$<variable_name>.

    For more information, see Specifics of providing environment variables in metadata via the CLI.

Log in to Windows

To make sure the setup created user accounts from your secret, log in to Windows on your VM:

  1. In the management console, select your VM folder.

  2. Go to Compute Cloud.

  3. Select the win-test VM.

  4. Navigate to the Serial console tab.

  5. Under Serial console, select COM2 and click Connect. You will see the command line prompt:

    Computer is booting, SAC started and initialized.                               
                                                                                
Use the "ch -?" command for information about using channels.                   
Use the "?" command for general help.                                           
                                                                                
                                                                                
SAC>                                                                            
EVENT: The CMD command is now available.

  6. Show the list of open channels:

    SAC>ch
Channel List

(Use "ch -?" for information on using channels)

# Status  Channel Name
0 (AV)    SAC

  7. Create a new channel with a shell instance, if required.

    SAC>cmd
The Command Prompt session was successfully launched.
SAC>
EVENT:   A new channel has been created.  Use "ch -?" for channel help.
Channel: Cmd0001

  8. To switch to a channel, press ESC + TAB or run the following command:

    SAC>ch -sn Cmd0001
Name:                  Cmd0001
Description:           Command
Type:                  VT-UTF8
Channel GUID:          e203fb79-d80d-11ea-87e3-c2679e14957d
Application Type GUID: 63d02271-8aa4-11d5-bccf-00b0d014a2d0

Press <esc><tab> for next channel.
Press <esc><tab>0 to return to the SAC channel.
Use any other key to view this channel.

  9. Press Enter and specify the following:

    • Username.
    • Domain, if you logged in under a domain account; otherwise, enter your host name or nothing.
    • Password.
    Please enter login credentials.
Username: Administrator
Domain  :
Password: ***************

  10. If you logged in successfully, you will see the Windows command prompt:

    C:\Windows\system32>

    A successful login means that the setup created user accounts from your secret.

How to delete the resources you created

To stop paying for the resources you created:

See also

Previous
Overview
Next
Terraform