Getting started with service accounts
IAM lets you create service accounts. These are auxiliary accounts that your programs can use to perform operations in Yandex.Cloud. Service accounts are free of charge and let you flexibly manage access for your programs. Learn more in Service accounts.
These instructions are intended for cloud owners and users with the administrator role for a cloud or folder. Users with the editor role can also create service accounts, but they can't assign roles, so they can't allow a service account to perform operations in Yandex.Cloud.
You will learn how to:
- Create service accounts and assign roles to them.
- Run operations in the CLI.
- Delete service accounts.
Before you start
- If you aren't registered at Yandex.Cloud, go to the management console.
- On the billing page, make sure you linked a billing account and it has the `ACTIVE` or `TRIAL_ACTIVE` status. If you don't have a billing account, create one.
Create a service account
To create a service account and assign roles to it:
1. Log in to the management console.
2. Click the line with the name of the folder where you want to create a service account.
3. Go to the Service accounts tab.
4. Click Create service account.
5. Enter the name of the service account.
6. To assign the service account a role for the current folder, click Add role and select a role, for example, `editor`. To assign a role for another resource, use the CLI or API following the instructions in Assigning roles to a service account.
7. Click Create.
Configure the CLI to work on behalf of a service account
You can perform operations on behalf of a service account via the API, CLI, and other tools that support service account based authentication. You can't log in to the management console using a service account.
Configure the CLI to work on behalf of a service account:
1. If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
2. Create an authorized key for your service account and save the file:

   ```bash
   yc iam key create --service-account-name my-robot --output key.json
   ```

   If you see `ERROR: service account with name "my-robot" not found`, it means there is no service account with this name in the default folder. If the name is correct, run one of the following commands:

   - Specify the folder with the service account using the `--folder-name` or `--folder-id` parameter:

     ```bash
     yc iam key create --folder-name my-folder --service-account-name my-robot --output key.json
     ```

   - Specify the service account ID using the `--service-account-id` parameter:

     ```bash
     yc iam key create --service-account-id b1gnbfd11bq5g5vnjgr4 --output key.json
     ```

3. Create a profile to execute operations on behalf of the service account:

   ```bash
   yc config profile create my-robot-profile
   ```

4. Specify the authorized key of the service account in the profile configuration:

   ```bash
   yc config set service-account-key key.json
   ```

Now you can perform operations on behalf of a service account, such as viewing the list of folders available to this account:

```bash
yc resource-manager folder list
```
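The authorized key file is a long-lived credential for the service account, so it is worth locking down and sanity-checking before it is registered in a profile. The script below is an added example, not part of the Yandex.Cloud documentation: the field names it expects in the key file (`id`, `service_account_id`, `private_key`) are assumed from the format written by `yc iam key create`, and the profile name and key path are placeholders.

```shell
#!/bin/sh
# Added example (not from the Yandex.Cloud docs): protect and validate an
# authorized key file, then register it in a dedicated yc profile.

# Assumed field names of the JSON file written by `yc iam key create`.
REQUIRED_FIELDS="id service_account_id private_key"

# Restrict the key file to its owner and verify that it looks like a
# complete authorized key. Returns 0 when usable, 1 otherwise.
check_key_file() {
    key="$1"
    [ -f "$key" ] || { echo "missing key file: $key" >&2; return 1; }
    # An authorized key grants the service account's rights to anyone
    # who can read it, so never leave it group- or world-readable.
    chmod 600 "$key" || return 1
    for field in $REQUIRED_FIELDS; do
        grep -q "\"$field\"" "$key" || {
            echo "key file lacks field: $field" >&2
            return 1
        }
    done
    # The private_key value must carry an actual PEM block, not a placeholder.
    grep -q "BEGIN PRIVATE KEY" "$key" || {
        echo "no PEM private key in $key" >&2
        return 1
    }
    return 0
}

# Register the key in its own profile so service-account operations never
# mix with a user's personal credentials in the default profile.
# Usage: setup_profile my-robot-profile key.json
setup_profile() {
    profile="$1"
    key="$2"
    check_key_file "$key" || return 1
    yc config profile create "$profile" || return 1
    yc config set service-account-key "$key"
}
```

`check_key_file` runs offline; `setup_profile` needs the `yc` CLI installed and initialized as described in the steps above.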
Delete the service account
If you no longer need the service account, delete it:
- Go to the folder that the service account belongs to.
- Go to the Service accounts tab.
- Click next to the service account and select Delete service account.
- Confirm the deletion.
What's next
- The step-by-step instructions will help you with your tasks in Identity and Access Management.
- Read more about service accounts in the concepts section.
- See the best practices for using service accounts securely.