Setting up AWS tools
To access the database via the Document API in AWS DynamoDB-compatible mode, you can use AWS tools:
Warning
You can only access document tables using the Document API.
To use the AWS tools, follow these steps:
-
Create a service account on behalf of which you are going to access the database.
The service account must be created in the same folder with the database.
Management consoleCLIAPI-
Go to the management console
. -
On the left side of the screen, click the line with the name of the folder where you want to create a service account.
-
In the list of services, select Identity and Access Management.
-
Click Create service account.
-
Enter a name for the service account.
The name format requirements are as follows:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
Make sure the service account name is unique within your cloud.
-
Click Create.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter.-
Check the description of the command for creating a service account:
yc iam service-account create --help
-
Create a service account named
my-robot
:yc iam service-account create --name my-robot
Naming requirements for service accounts:
- The name must be from 3 to 63 characters long.
- It may contain lowercase Latin letters, numbers, and hyphens.
- The first character must be a letter and the last character cannot be a hyphen.
To create a service account, use the create method for the ServiceAccount resource.
-
-
Assign the
editor
role to the service account.You can assign roles to a service account for any resources in any cloud if these resources belong to the same organization as the service account. You can also assign roles to a service account for the organization.
Assigning a role for a resource
Child resources inherit access permissions from their parent resources. For example, if a service account gets a role for a cloud, it will also get the required permissions for all resources across the cloud's folders.
Learn which resources you can assign a role for.
To assign a role for a resource:
Management consoleCLITerraformAPIYou assign roles to a service account the same way as to a user account.
To assign a service account a role for a cloud or folder:
- In the management console
, select the cloud or folder. - Go to the Access bindings tab.
- Click Configure access.
- In the window that opens, select Service accounts.
- Select the service account from the list or use the search to locate it.
- Click
Add role and select the role from the list or use the search bar to locate it. - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter.To assign a service account a role for a cloud or folder, run this command:
yc resource-manager <resource_category> add-access-binding <resource_name_or_ID> \ --role <role_ID> \ --subject serviceAccount:<service_account_ID>
Where:
<resource_category>
:cloud
to assign a role for a cloud orfolder
to assign a role for a folder.<resource_name_or_ID>
: Name or ID of the resource to assign a role for.--role
: Role ID, e.g.,viewer
.--subject serviceAccount
: ID of the service account getting the role.
For example, to assign a service account the
viewer
role for the folder namedmy-folder
:-
Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
-
Find out the service account ID by its name:
yc iam service-account get my-robot
Result:
id: aje6o61dvog2******** folder_id: b1gvmob95yys******** created_at: "2018-10-15T18:01:25Z" name: my-robot
If you don't know the name of the service account, get a list of service accounts with their IDs:
yc iam service-account list
Result:
+----------------------+------------------+-----------------+ | ID | NAME | DESCRIPTION | +----------------------+------------------+-----------------+ | aje6o61dvog2******** | my-robot | my description | +----------------------+------------------+-----------------+
-
Assign the
viewer
role to themy-robot
service account using its ID:yc resource-manager folder add-access-binding my-folder \ --role viewer \ --subject serviceAccount:aje6o61dvog2********
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
Here is an example of the configuration file structure:
resource "yandex_resourcemanager_folder_iam_member" "admin-account-iam" { folder_id = "<folder_ID>" role = "<role>" member = "serviceAccount:<service_account_ID>" }
Where:
folder_id
: Folder ID. This is a required parameter.role
: Role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference. This is a required parameter.member
: ID of the service account getting the role. Use this format:serviceAccount:<service_account_ID>
. This is a required parameter.
For more information about the resources you can create with Terraform, see the provider documentation
. -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console
or this CLI command:yc resource-manager folder list-access-bindings <folder_name_or_ID>
-
To assign the service account a role for a cloud or folder, use the
updateAccessBindings
REST API method for the Cloud or Folder resource:-
Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
-
Get the ID of the service accounts folder.
-
Get an IAM token required for authorization in the Yandex Cloud API.
-
Get a list of folder service accounts to find out their IDs:
export FOLDER_ID=b1gvmob95yys******** export IAM_TOKEN=CggaATEVAgA... curl \ --header "Authorization: Bearer ${IAM_TOKEN}" \ "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
Result:
{ "serviceAccounts": [ { "id": "ajebqtreob2d********", "folderId": "b1gvmob95yys********", "createdAt": "2018-10-18T13:42:40Z", "name": "my-robot", "description": "my description" } ] }
-
Create the request body, e.g., in the
body.json
file. Set theaction
property toADD
androleId
to the appropriate role, such aseditor
, and specify theserviceAccount
type and service account ID in thesubject
property:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "ajebqtreob2d********", "type": "serviceAccount" } } }] }
-
Assign a role to a service account. For example, for a folder with the
b1gvmob95yys********
ID:export FOLDER_ID=b1gvmob95yys******** export IAM_TOKEN=CggaAT******** curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer ${IAM_TOKEN}" \ --data '@body.json' \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
Assigning a role for an organization
Access permissions are inherited from an organization by all resources created in the organization. For example, if a service account gets a role for an organization, it will also get the required permissions for all resources across the organization's clouds.
To grant a service account permissions to access an organization, you need the
organization-manager.admin
role or higher.Cloud Center interfaceCLITerraformAPI-
Log in to Yandex Cloud Organization
using an administrator or organization owner account. -
In the left-hand panel, select
Access bindings. -
In the Account type filter, select
Service accounts
. -
If the service account you need already has at least one role assigned, click
in the row with that service account and select Assign bindings.If the service account is not on the list, click Assign bindings in the top-right corner. In the window that opens, go to Service accounts and select the account from the list or use the search bar to locate it.
-
Click
Add role and select the role to assign to the service account. You can assign multiple roles.You can find the description of the available roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
-
Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter.To assign a service account a role for an organization, run this command:
yc organization-manager organization add-access-binding <organization_name_or_ID> \ --role <role_ID> \ --subject serviceAccount:<service_account_ID>
Where:
<organization_name_or_ID>
: Technical name or ID of the organization.--role
: Role ID, e.g.,viewer
.--subject serviceAccount
: ID of the service account getting the role.
For example, to assign a service account the
viewer
role for theMyOrg
organization:-
Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
-
Get a list of available organizations to find out their IDs and technical names:
yc organization-manager organization list
Result:
+---------------------------------+---------------------------------+----------------------+ | ID | NAME | TITLE | +---------------------------------+---------------------------------+----------------------+ | bpf1smsil5q0******** | hdt5j5uw******** | MyOrg | +---------------------------------+---------------------------------+----------------------+
The organization's technical name is in the
NAME
column and its ID, in theID
column. -
Find out the service account ID by its name:
yc iam service-account get my-robot
Result:
id: aje6o61dvog2******** folder_id: b1gvmob95yys******** created_at: "2018-10-15T18:01:25Z" name: my-robot
If you do not know the name of the service account, get a complete list of service accounts with their IDs:
yc iam service-account list
Result:
+----------------------+------------------+-----------------+ | ID | NAME | DESCRIPTION | +----------------------+------------------+-----------------+ | aje6o61dvog2******** | my-robot | my description | +----------------------+------------------+-----------------+
-
Assign the
my-robot
service account theviewer
role for the organization with thebpf1smsil5q0********
ID:yc organization-manager organization add-access-binding bpf1smsil5q0******** \ --role viewer \ --subject serviceAccount:aje6o61dvog2********
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
In the configuration file, describe the parameters of the resources you want to create:
Here is an example of the configuration file structure:
resource "yandex_organizationmanager_organization_iam_binding" "editor" { organization_id = "<organization_ID>" role = "<role>" members = [ "serviceAccount:<service_account_ID>", ] }
Where:
organization_id
: Organization ID. This is a required parameter.role
: Role you want to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference. For each role, you can only use oneyandex_organization manager_organization_iam_binding
resource. This is a required parameter.members
: ID of the service account getting the role. Use this format:serviceAccount:<service_account_ID>
. This is a required parameter.
For more information about the resources you can create with Terraform, see the provider documentation
. -
Make sure the configuration files are correct.
-
In the command line, go to the folder where you created the configuration file.
-
Run a check using this command:
terraform plan
If the configuration is described correctly, the terminal will display a list of the assigned roles. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
This will create the required resources in the specified organization. You can check the new resource using the management console
or this CLI command:yc organization-manager organization list-access-bindings <organization_name_or_ID>
-
To assign the service account a role for the organization, use the updateAccessBindings REST API method for the Organization resource:
-
Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
-
Get the ID of the service accounts folder.
-
Get an IAM token required for authorization in the Yandex Cloud API.
-
Get a list of folder service accounts to find out their IDs:
export FOLDER_ID=b1gvmob95yys******** export IAM_TOKEN=CggaATEVAgA... curl \ --header "Authorization: Bearer ${IAM_TOKEN}" \ "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
Result:
{ "serviceAccounts": [ { "id": "ajebqtreob2d********", "folderId": "b1gvmob95yys********", "createdAt": "2018-10-18T13:42:40Z", "name": "my-robot", "description": "my description" } ] }
-
Get a list of organizations to find out their IDs:
export IAM_TOKEN=CggaATEVAgA... curl \ --header "Authorization: Bearer ${IAM_TOKEN}" \ --request GET \ "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations"
Result:
{ "organizations": [ { "id": "bpfaidqca8vd********", "createdAt": "2023-04-07T08:11:54.313033Z", "name": "xvdq9q22********", "title": "MyOrg" } ] }
-
Create the request body, e.g., in the
body.json
file. Set theaction
property toADD
androleId
to the appropriate role, such asviewer
, and specify theserviceAccount
type and service account ID in thesubject
property:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "viewer", "subject": { "id": "ajebqtreob2d********", "type": "serviceAccount" } } }] }
-
Assign a role to a service account. For example, assign it for the organization with the
bpfaidqca8vd********
ID:export ORGANIZATION_ID=bpfaidqca8vd******** export IAM_TOKEN=CggaATEVAgA... curl \ --header "Content-Type: application/json" \ --header "Authorization: Bearer ${IAM_TOKEN}" \ --data '@body.json' \ --request POST \ "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
- In the management console
-
Get the key ID and access key of the created service account:
Management consoleCLIAPI-
Go to the folder that the service account belongs to.
-
In the list of services, select Identity and Access Management.
-
In the left-hand panel, select
Service accounts and select the required service account. -
Click Create new key in the top panel.
-
Select Create static access key.
-
Enter a description of the key so that you can easily find it in the management console.
-
Save the ID and secret key.
Alert
After you close the dialog, the private key value will become unavailable.
The folder specified in the CLI profile is used by default. You can specify a different folder using the
--folder-name
or--folder-id
parameter.-
See the description of the create static access key command:
yc iam access-key create --help
-
Select a service account, e.g.,
my-robot
:yc iam service-account list +----------------------+------------------+-------------------------------+ | ID | NAME | DESCRIPTION | +----------------------+------------------+-------------------------------+ | aje6o61dvog2******** | my-robot | | ...
-
Create an access key for the
my-robot
service account:yc iam access-key create --service-account-name my-robot access_key: id: aje6t3vsbj8l******** service_account_id: ajepg0mjt06s******** created_at: "2018-11-22T14:37:51Z" key_id: 0n8X6WY6S24N******** secret: JyTRFdqw8t1kh2-OJNz4JX5ZTz9Dj1rI********
-
Save the ID (
key_id
) and secret key (secret
). You will not be able to get the key value again.
-
-
Install the AWS CLI
. -
Configure the AWS CLI environment: Run the
aws configure
command and enter the previously saved key ID and secret access key one by one. Useru-central1
as the region:aws configure AWS Access Key ID [None]: AKIAIOSFODNN******** AWS Secret Access Key [None]: wJalr********/*******/bPxRfiCYEX******** Default region name [None]: ru-central1 Default output format [None]:
This will create the
~/.aws/credentials
and~/.aws/config
files (C:\Users\USERNAME\.aws\credentials
andC:\Users\USERNAME\.aws\config
on Windows). -
Check that the settings are correct by running the table listing command against the created DB. For
--endpoint
, specify the Document API endpoint available in the Overview tab of your database in the management console .aws dynamodb list-tables \ --endpoint https://docapi.serverless.yandexcloud.net/ru-central1/b1gia87mbaomkfvs6rgl/etnudu2n9ri35luqe4h1
Result:
{ "TableNames": [ ] }