Get started
Command line interface

Authenticating as a service account

Written by
,
improved by

Learn how to authenticate in the CLI:

Before you start

  1. Authenticate in the CLI as a user.
  2. If you don't have a service account, create one and set up its access rights.

Authenticate as a service account

To authenticate as a service account:

  1. Get a list of service accounts that exist in your cloud:

    $ yc iam service-account --folder-id <folder ID> list
+----------------------+------------+
|          ID          |    NAME    |
+----------------------+------------+
| aje3932acd0c5ur7dagp | default-sa |
+----------------------+------------+

  2. Create an authorized key for the service account and save it to the key.json file:

    $ yc iam key create --service-account-name default-sa --output key.json
id: aje83v701b1un777sh40
service_account_id: aje3932acd0c5ur7dagp
created_at: "2019-08-26T12:31:25Z"
key_algorithm: RSA_2048

  3. Add the service account authorized key to the CLI profile.

    1. Create a new CLI profile:

      $ yc config profile create sa-profile

    2. Add an authorized key:

      $ yc config set service-account-key key.json

  4. Make sure that the service account parameters are added correctly:

    $ yc config list
service-account-key:
  id: aje83v701b1un777sh40
  service_account_id: aje3932acd0c5ur7dagp
  created_at: "2019-08-26T12:31:25Z"
  key_algorithm: RSA_2048
  public_key: |
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBg...
    -----END PUBLIC KEY-----
  private_key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvwIBAD...
    -----END PRIVATE KEY-----

  5. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

    1. Specify the cloud in your profile:

      $ yc config set cloud-id <cloud ID>

      Or run commands with the --cloud-id parameter.

    2. Specify a folder in the profile:

      $ yc config set folder-id <folder ID>

      Or use the --folder-id parameter in your commands.

    All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.

Authenticate as a service account from inside a VM

The authentication process from inside a VM is simplified for a service account:

  1. Link your service account to a virtual machine.

  2. Authenticate from inside a VM:

    1. Connect to the virtual machine over SSH or via RDP.

    2. Create a new profile:

      yc config profile create my-robot-profile

  3. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

    1. Specify the cloud in your profile:

      $ yc config set cloud-id <cloud ID>

      Or run commands with the --cloud-id parameter.

    2. Specify a folder in the profile:

      $ yc config set folder-id <folder ID>

      Or use the --folder-id parameter in your commands.

    All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.

Read more about working with Yandex.Cloud from a VM in Working with Yandex.Cloud from inside a VM.

See also

In this article: