A service account is an account that can be used by a program to manage resources in Yandex.Cloud.
What are service accounts used for?
By using service accounts you can flexibly configure access rights to resources for programs you wrote.
For example, you have an app for tracking VM statuses. This program only needs to have the right to view (the viewer role), but the program runs under your name and you have the right to delete VMs.
To prevent your program from accidentally deleting a VM, create a service account and grant it view-only access.
How service accounts differ from other accounts
Currently, you can't use service accounts to log in to the management console. We assume that programs, rather than users, perform operations on behalf of service accounts.
This makes it easier to scale applications running on Yandex.Cloud:
- You don't need to edit the program code to make it run on a new VM or function. The IAM authentication token is already available from inside.
- To enable or disable operations in Yandex.Cloud for all running program instances, you can assign or revoke roles for a single service account.
Service account keys
The following keys are used for service account authentication in Yandex.Cloud:
- Authorized keys — keys used to get an IAM token.
- API keys — keys used in some services for simplified authentication instead of IAM tokens.
- Static access keys — keys used in services with AWS-compatible APIs.
Generated keys belong to the service account and permissions to manage them are inherited from the service account. For example, if you have the
viewer role in the service account, you can view the list of keys that belong to this account, but you cannot delete them or create new keys.