Yandex.Cloud
  • Services
  • Why Yandex.Cloud
  • Solutions
  • Pricing
  • Documentation
  • Contact us
Get started
Yandex Identity and Access Management
  • Getting started
    • How to manage access to resources
    • How to work with service accounts
  • Step-by-step instructions
    • All instructions
    • Users
      • Adding users
      • Getting user ID or email
      • Deleting a user
    • Service accounts
      • Creating a service account
      • Updating a service account
      • Assigning roles to a service account
      • Setting up access rights for a service account
      • Creating static access keys
      • Getting the service account ID
      • Deleting service accounts
    • Identity federations
      • Authentication using Active Directory
      • Authentication using G Suite
      • Authentication using an identity federation
      • Adding users
    • Roles
      • Assigning roles
      • Viewing assigned roles
      • Revoking roles
    • IAM tokens
      • Getting an IAM token for a Yandex account
      • Getting an IAM token for a service account
      • Getting an IAM token for a federated account
    • Keys
      • Creating API keys
      • Deleting API keys
      • Creating authorized keys
  • Concepts
    • Overview
    • How access management works
      • Overview
      • Roles
      • System groups
      • Resources that roles can be assigned for
    • Authorization
      • Overview
      • IAM token
      • OAuth token
      • API key
      • Authorized keys
      • AWS-compatible access keys
    • Service accounts
    • SAML-compatible identity federations
    • Quotas and limits
  • How to use Yandex.Cloud securely
  • Access management
  • Pricing policy
  • API reference
    • Authentication in the API
    • gRPC
      • Overview
      • ApiKeyService
      • IamTokenService
      • KeyService
      • RoleService
      • ServiceAccountService
      • UserAccountService
      • YandexPassportUserAccountService
      • AccessKeyService
      • CertificateService
      • FederationService
      • OperationService
    • REST
      • Overview
      • ApiKey
        • Overview
        • create
        • delete
        • get
        • list
        • listOperations
        • update
      • IamToken
        • Overview
        • create
      • Key
        • Overview
        • create
        • delete
        • get
        • list
        • listOperations
        • update
      • Role
        • Overview
        • get
        • list
      • ServiceAccount
        • Overview
        • create
        • delete
        • get
        • list
        • listAccessBindings
        • listOperations
        • setAccessBindings
        • update
        • updateAccessBindings
      • UserAccount
        • Overview
        • get
      • YandexPassportUserAccount
        • Overview
        • getByLogin
      • Operation
        • Overview
        • get
      • Federation
        • Overview
        • update
        • list
        • listUserAccounts
        • get
        • delete
        • addUserAccounts
        • create
        • listOperations
      • Certificate
        • Overview
        • update
        • list
        • get
        • delete
        • create
        • listOperations
      • AccessKey
        • Overview
        • update
        • list
        • get
        • delete
        • create
        • listOperations
  • Questions and answers
    • General questions
    • Logging in and accessing resources
    • All questions on the same page
  1. Step-by-step instructions
  2. Keys
  3. Creating API keys

Creating API keys

  • Examples
    • Add a description when creating

Instructions for how to create API keys for service accounts. The API key is a private key used for simplified authorization in the Yandex.Cloud API.

If you don't have a service account yet, create one and assign it roles.

To create an API key:

Management console
CLI
API
  1. Go to the folder that the service account belongs to.

  2. Go to the Service accounts tab.

  3. Choose a service account and click the line with its name.

  4. Click Create new key in the top panel.

  5. Click Create API key.

  6. Enter a description of the key so that you can easily find it in the management console.

  7. Save the ID and private key.

    After the dialog is closed, the private key value will be unavailable.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the create API key command:

    $ yc iam api-key create --help
    
  2. Select a service account (for example, my-robot):

    $ yc iam service-account list
    +----------------------+------------------+-------------------------------+
    |          ID          |       NAME       |          DESCRIPTION          |
    +----------------------+------------------+-------------------------------+
    | aje6o61dvog2h6g9a33s | my-robot         |                               |
    | aje9sda1ufvqcmfksd3f | blabla           | bla bla bla is my description |
    +----------------------+------------------+-------------------------------+
    
  3. Create an API key for the my-robot service account and write the response to a file:

    $ yc iam api-key create --service-account-name my-robot > api-key.yaml
    

    The response's secret property will contain the API key:

    api_key:
      id: ajeke74kbp5bfq7m6ka2
      service_account_id: ajepg0mjt06siuj65usm
      created_at: "2019-04-09T08:41:27Z"
    secret: AQVN1HHJReSrfo9jU3aopsXrJyfq_UHsssT5ICtm
    

    For information about how to pass the key in a request, read the documentation on the services that support this authorization method.

  1. Find out the service account ID.

  2. Create an API key using the create method for the ApiKey resource:

    $ export SERVICEACCOUNT_ID=aje6o61dvog2h6g9a33s
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer $IAM_TOKEN" \
        -d "{ \"serviceAccountId\": \"$SERVICEACCOUNT_ID\" }" \
        https://iam.api.cloud.yandex.net/iam/v1/apiKeys
    

Examples

Add a description when creating

To make it easier to find an API key without knowing its ID, add a description when creating it:

CLI
API
$ yc iam api-key create --service-account-name my-robot \
    --description "this API-key is for my-robot"
$ export SERVICEACCOUNT_ID=aje6o61dvog2h6g9a33s
$ export IAM_TOKEN=CggaATEVAgA...
$ curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $IAM_TOKEN" \
    -d "{
        \"serviceAccountId\": \"$SERVICEACCOUNT_ID\",
        \"description\": \"this API-key is for my-robot\"
    }" \
    https://iam.api.cloud.yandex.net/iam/v1/apiKeys

What's next

  • Find out what services support API keys
Language / Region
Careers
Privacy policy
Terms of use
Brandbook
© 2021 Yandex.Cloud LLC