Service accounts

  • What are service accounts used for?
  • How service accounts differ from other accounts
  • Service account keys

A service account is an account that can be used by a program to manage resources in Yandex.Cloud.

What are service accounts used for?

With service accounts, you can flexibly configure the access rights that your programs have to resources.

For example, suppose you have an app for tracking VM statuses. The program only needs the right to view (the viewer role), but if it runs under your name, it also gets your rights, and you have the right to delete VMs.

To prevent your program from accidentally deleting a VM, create a service account and grant it view-only access.

How service accounts differ from other accounts

  • Currently, you can't use service accounts to log in to the management console. We assume that programs, rather than users, perform operations on behalf of service accounts.

  • A service account is a resource. You can assign other users roles for a service account and revoke those roles. For example, you can allow other people to use this service account to access Yandex.Cloud.

  • You can create keys for the service account to authenticate in Yandex.Cloud via the API, CLI, or other tools. Those keys are deleted when you delete the service account.

  • You can link your service account to virtual machines and functions that you run your program from.

    This makes it easier to scale applications running on Yandex.Cloud:

    • You don't need to edit the program code to make it run on a new VM or function. The IAM authentication token is already available from inside.
    • To enable or disable operations in Yandex.Cloud for all running program instances, you can assign or revoke roles for a single service account.
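
The token available from inside a VM can be read without storing any key in the program. The sketch below is an added example, not code from the original page: it assumes the VM exposes the GCE-compatible metadata endpoint and `Metadata-Flavor: Google` header (neither is stated on this page), and the names `MetadataTokenSource` and `parse_token_response` are hypothetical.

```python
import json
import time
import urllib.request

# Assumption: GCE-compatible metadata endpoint reachable only from inside the VM.
METADATA_URL = ("http://169.254.169.254/computeMetadata/v1/"
                "instance/service-accounts/default/token")
REFRESH_MARGIN = 60  # seconds before expiry at which a new token is fetched


def parse_token_response(body, now):
    """Validate the metadata JSON and return (token, absolute_expiry)."""
    data = json.loads(body)
    token = data.get("access_token")
    if not token or data.get("token_type") != "Bearer":
        raise ValueError("unexpected metadata token response")
    return token, now + int(data["expires_in"])


class MetadataTokenSource:
    """Caches the linked service account's IAM token and refreshes it early."""

    def __init__(self, opener=urllib.request.urlopen, clock=time.time):
        self._opener, self._clock = opener, clock
        self._token, self._expiry = None, 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expiry - REFRESH_MARGIN:
            req = urllib.request.Request(
                METADATA_URL, headers={"Metadata-Flavor": "Google"})
            with self._opener(req, timeout=3) as resp:
                self._token, self._expiry = parse_token_response(resp.read(), now)
        return self._token

    def auth_header(self):
        # Send only over TLS to Yandex.Cloud API endpoints; never log the value.
        return {"Authorization": "Bearer " + self.token()}
```

Because the token is scoped to the roles of the linked service account, revoking a role from that account takes effect for every instance that uses this token source.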

Service account keys

The following keys are used for service account authentication in Yandex.Cloud:

  • Authorized keys — keys used to get an IAM token.
  • API keys — keys used in some services for simplified authentication instead of IAM tokens.
  • Static access keys — keys used in services with AWS-compatible APIs.

Generated keys belong to the service account, and permissions to manage them are inherited from the service account. For example, if you have the viewer role for the service account, you can view the list of keys that belong to this account, but you cannot delete them or create new keys.

See also

  • Getting started with service accounts
  • Authorization on behalf of a service account
© 2021 Yandex.Cloud LLC