Creating API keys

This page explains how to create API keys for service accounts. An API key is a private key used for simplified authorization in the Yandex.Cloud API.

If you don't have a service account yet, create one and assign it roles.

To create an API key:

  1. Go to the folder that the service account belongs to.

  2. Go to the Service accounts tab.

  3. Choose a service account and click the line with its name.

  4. Click Create new key in the top panel.

  5. Click Create API key.

  6. Enter a description of the key so that you can easily find it in the management console.

  7. Save the ID and private key.

    After the dialog is closed, the private key value will be unavailable.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id flag.

  1. See the description of the create API key command:

    $ yc iam api-key create --help
    
  2. Select a service account (for example, my-robot):

    $ yc iam service-account list
    +----------------------+------------------+-------------------------------+
    |          ID          |       NAME       |          DESCRIPTION          |
    +----------------------+------------------+-------------------------------+
    | aje6o61dvog2h6g9a33s | my-robot         |                               |
    | aje9sda1ufvqcmfksd3f | blabla           | bla bla bla is my description |
    +----------------------+------------------+-------------------------------+
    
  3. Create an API key for the my-robot service account and write the response to a file:

    $ yc iam api-key create --service-account-name my-robot > api-key.yaml
    

    The response's secret property will contain the API key:

    api_key:
      id: ajeke74kbp5bfq7m6ka2
      service_account_id: ajepg0mjt06siuj65usm
      created_at: "2019-04-09T08:41:27Z"
    secret: AQVN1HHJReSrfo9jU3aopsXrJyfq_UHsssT5ICtm
    

    For information about how to pass the key in a request, see the documentation for the services that support this authorization method.
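An added example (not part of the original documentation): one way to store the `yc iam api-key create` response so that only the owner can read it, and to read the `secret` property back out of it. The function names and the sample response are constructed for illustration.

```shell
# Added example; function names and the sample response are constructed.

# save_api_key_response FILE
# Store the `yc iam api-key create` response read from stdin in FILE, readable
# by the owner only. An existing FILE is never overwritten.
save_api_key_response() {
    (
        umask 077   # a newly created file gets mode 0600
        set -C      # noclobber: the redirection fails if FILE exists
        cat > "$1"
    )
}

# api_key_field FILE NAME
# Print a top-level scalar property of the response (for example, secret).
# Indented properties such as api_key.id are deliberately not matched.
api_key_field() {
    awk -v key="$2" '
        index($0, key ":") == 1 {
            val = substr($0, length(key) + 2)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)   # trim whitespace
            gsub(/^"|"$/, "", val)               # drop surrounding quotes
            print val
            found = 1
            exit
        }
        END { if (!found) exit 1 }
    ' "$1"
}

# file_mode_string FILE: permission string such as -rw------- (no stat needed)
file_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Constructed response in the format shown above; the values are placeholders.
sample_response() {
    cat <<'EOF'
api_key:
  id: EXAMPLE-KEY-ID
  service_account_id: EXAMPLE-SERVICE-ACCOUNT-ID
  created_at: "2019-04-09T08:41:27Z"
secret: EXAMPLE-SECRET-NOT-A-REAL-KEY
EOF
}
# Typical use:
#   yc iam api-key create --service-account-name my-robot | save_api_key_response api-key.yaml
#   secret=$(api_key_field api-key.yaml secret)
```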

  1. Find out the service account ID.

  2. Create an API key using the create method for the ApiKey resource:

    $ export SERVICEACCOUNT_ID=aje6o61dvog2h6g9a33s
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $IAM_TOKEN" \
        -d "{ \"serviceAccountId\": \"$SERVICEACCOUNT_ID\" }" \
        https://iam.api.cloud.yandex.net/iam/v1/apiKeys
    

Examples

Add a description when creating

To make it easier to find an API key without knowing its ID, add a description when creating it:

    $ yc iam api-key create --service-account-name my-robot \
        --description "this API-key is for my-robot"

    $ export SERVICEACCOUNT_ID=aje6o61dvog2h6g9a33s
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $IAM_TOKEN" \
        -d "{
            \"serviceAccountId\": \"$SERVICEACCOUNT_ID\",
            \"description\": \"this API-key is for my-robot\"
        }" \
        https://iam.api.cloud.yandex.net/iam/v1/apiKeys
