Authenticating as a service account

Learn how to authenticate in the CLI:

• As a service account.
• As a service account from inside a VM.

Before you start

1. Authenticate in the CLI as a user.
2. If you don't have a service account, create one and set up its access rights.

Authenticate as a service account

To authenticate as a service account:

1. Get a list of service accounts that exist in your cloud:

   yc iam service-account --folder-id <folder ID> list
   +----------------------+------------+
   |          ID          |    NAME    |
   +----------------------+------------+
   | aje3932acd0c5ur7dagp | default-sa |
   +----------------------+------------+
   

2. Create an authorized key for the service account and save it to the key.json file:

   yc iam key create --service-account-name default-sa --output key.json
   id: aje83v701b1un777sh40
   service_account_id: aje3932acd0c5ur7dagp
   created_at: "2019-08-26T12:31:25Z"
   key_algorithm: RSA_2048
   

3. Add the service account authorized key to the CLI profile.

   1. Create a new CLI profile:

      yc config profile create sa-profile
      

   2. Add an authorized key:

      yc config set service-account-key key.json
      

4. Make sure that the service account parameters are added correctly:

   yc config list
   service-account-key:
     id: aje83v701b1un777sh40
     service_account_id: aje3932acd0c5ur7dagp
     created_at: "2019-08-26T12:31:25Z"
     key_algorithm: RSA_2048
     public_key: |
       -----BEGIN PUBLIC KEY-----
       MIIBIjANBg...
       -----END PUBLIC KEY-----
     private_key: |
       -----BEGIN PRIVATE KEY-----
       MIIEvwIBAD...
       -----END PRIVATE KEY-----
   

5. Configure your profile to run commands.

   Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

   1. Specify the cloud in your profile:

      yc config set cloud-id <cloud ID>
      

      Or run commands with the --cloud-id parameter.

   2. Specify a folder in the profile:

      yc config set folder-id <folder ID>
      

      Or use the --folder-id parameter in your commands.

   All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.

Authenticate as a service account from inside a VM

The authentication process from inside a VM is simplified for a service account:

1. Link your service account to a virtual machine.

2. Authenticate from inside a VM:

   1. Connect to the virtual machine over SSH or via RDP.

   2. Create a new profile:

      yc config profile create my-robot-profile
      

3. Configure your profile to run commands.

   Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

   1. Specify the cloud in your profile:

      yc config set cloud-id <cloud ID>
      

      Or run commands with the --cloud-id parameter.

   2. Specify a folder in the profile:

      yc config set folder-id <folder ID>
      

      Or use the --folder-id parameter in your commands.

   All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.

Read more about working with Yandex.Cloud from a VM in Working with Yandex.Cloud from inside a VM.

See also

• Managing the CLI configuration.
• Creating a profile.
• Activating a profile.
• Managing profile parameters.
• Working with Yandex.Cloud from inside a VM.