Service accounts
A service account is an account that can be used by a program to manage resources in Yandex.Cloud.
What are service accounts used for?
By using service accounts you can flexibly configure access rights to resources for programs you wrote.
For example, you have an app for tracking VM statuses. This program only needs to have the right to view (the viewer role), but the program runs under your name and you have the right to delete VMs.
To prevent your program from accidentally deleting a VM, create a service account and grant it view-only access.
How service accounts differ from other accounts
-
Currently, you can't use service accounts to log in to the management console. We assume that programs, rather than users, perform operations on behalf of service accounts.
-
The service account is a resource. You can assign and revoke roles for a service account from other users. For example, you can allow other people to use this service account to access Yandex.Cloud.
-
You can create keys for the service account to authenticate in Yandex.Cloud via the API, CLI, or other tools. Those keys are deleted when you delete the service account.
-
You can link your service account to virtual machines and functions that you run your program from.
This makes it easier to scale applications running on Yandex.Cloud:
- You don't need to edit the program code to make it run on a new VM or function. The IAM authentication token is already available from inside.
- To enable or disable operations in Yandex.Cloud for all running program instances, you can assign or revoke roles for a single service account.
Service account keys
The following keys are used for service account authentication in Yandex.Cloud:
- Authorized keys — keys used to get an IAM token.
- API keys — keys used in some services for simplified authentication instead of IAM tokens.
- Static access keys — keys used in services with AWS-compatible APIs.
Generated keys belong to the service account and permissions to manage them are inherited from the service account. For example, if you have the viewer role in the service account, you can view the list of keys that belong to this account, but you cannot delete them or create new keys.