Working with Yandex.Cloud from inside a VM

This section describes how to work with Yandex.Cloud from inside a VM via the API or CLI.

To automate operations with Yandex.Cloud from inside a VM, we recommend using service accounts. This is more secure since you don't need to save your OAuth token on a VM and can restrict access rights for service accounts.

Yandex.Cloud provides simplified authentication via the API and CLI from inside a VM for service accounts. To authenticate:

  1. If you don't have a service account, create one and set up its access rights.
  2. Link the service account to a VM.
  3. Authenticate from inside the VM.

Link your service account to an existing or new VM. You can only link one service account.

To link a service account to a VM, you must have permission to use this account. This permission is included in the iam.serviceAccounts.user role, editor role, and higher.

If you don't have the Yandex.Cloud command line interface yet, install it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Update the VM parameters by specifying the service account via the --service-account-name or --service-account-id option:

yc compute instance update my-instance --service-account-name test

Use the update method for the Instance resource. In the serviceAccountId property, specify the ID of the service account.

In the management console, you can link a service account that's in the same folder as the new VM. If the service account is in a different folder, use the CLI or API.

To link your service account to a VM, specify it during VM creation. You can select an existing service account or create a new one:

image

If you don't have the Yandex.Cloud command line interface yet, install it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Create a VM and specify the service account using the --service-account-name or --service-account-id option:

yc compute instance create \
  --name my-instance \
  --network-interface subnet-name=default,nat-ip-version=ipv4 \
  --ssh-key ~/.ssh/id_rsa.pub \
  --service-account-name my-robot

Use the Create method for the Instance resource. In the serviceAccountId property, specify the ID of the service account.

Authenticating from inside a VM

To authenticate from inside a VM on behalf of the linked service account:

  1. Connect to the VM via SSH or RDP.

  2. If you don't have the Yandex.Cloud command line interface yet, install it.

  3. Create a new profile:

    yc config profile create my-robot-profile
    
  4. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

    1. Specify the cloud in your profile:

      $ yc config set cloud-id <cloud ID>
      

      Or run commands with the --cloud-id parameter.

    2. Specify a folder in the profile:

      $ yc config set folder-id <folder ID>
      

      Or use the --folder-id parameter in your commands.

    All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.

    You can also get an IAM token, for example, to authenticate with the API:

    yc iam create-token
    

    IAM token lifetime in this case will be less than 12 hours. Request an IAM token more often, like once per hour or with every operation. To find out the remaining lifetime of the token, use the API instructions.

  1. Connect to the VM via SSH or RDP.

  2. Get an IAM token from metadata in one of the following formats:

    • Google Compute Engine:

      $ curl -H Metadata-Flavor:Google http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token
      
      {"access_token":"CggVAgAAA...","expires_in":39944,"token_type":"Bearer"}
      

      The IAM token will be returned in the access_token field of the response. The remaining lifetime of the IAM token is specified in the expires_in field.

    • Amazon EC2:

      $ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/default/
      
      {
        "Code" : "Success",
        "Expiration" : "2019-06-28T04:43:32+00:00",
        "Token" : "CggVAgAAA..."
      }
      

      The IAM token will be returned in the Token field of the response. The IAM token lifetime is specified in the Expiration field.

  3. Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

    Authorization: Bearer <IAM-TOKEN>
    

Account for your IAM token lifetime or request the token more often, like once per hour or with every operation.