Getting started with service accounts

IAM lets you create service accounts. These are auxiliary accounts that your programs can use to perform operations in Yandex.Cloud. Service accounts are free-of-charge and let you flexibly manage access for your programs. Learn more in Service accounts.

These instructions are intended for cloud owners and users with the administrator role for a cloud or folder. Users with the editor role can also create service accounts, but they can't assign roles, so they can't allow a service account to perform operations in Yandex.Cloud.

You will learn how to:

• Create service accounts and assign roles to them.
• Run operations in the CLI.
• Delete service accounts.

Before you start

1. If you aren't registered at Yandex.Cloud, go to the management console.
2. On the billing page, make sure you linked a billing account and it has the ACTIVE or TRIAL_ACTIVE status. If you don't have a billing account, create one.

Create a service account

To create a service account and assign roles to it:

1. Log in to the management console.

2. Click the line with the name of the folder where you want to create a service account.

3. Go to the Service accounts tab.

4. Click Create service account.

5. Enter the name of the service account.

6. To assign the service account a role for the current folder, click Add role and select a role, for example, editor.

   To assign a role for another resource, use the CLI or API following the instructions Assigning roles to a service account.

7. Click Create.

Configure the CLI to work on behalf of a service account

You can perform operations on behalf of a service account via the API, CLI, and other tools that support service account based authentication. You can't log in to the management console using a service account.

Configure the CLI to work on behalf of a service account:

1. If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

2. Create an authorized key for your service account and save the file:

   yc iam key create --service-account-name my-robot --output key.json
   

   If you see ERROR: service account with name "my-robot" not found, it means there is no service account with this name in the default folder. If the name is correct, run one of the following commands:

   • Specify the folder with the service account using the --folder-name or --folder-id parameter:

     yc iam key create --folder-name my-folder --service-account-name my-robot --output key.json
     

   • Specify the service account ID using the --service-account-id parameter:

     yc iam key create --service-account-id b1gnbfd11bq5g5vnjgr4 --output key.json
     

3. Create a profile to execute operations on behalf of the service account:

   yc config profile create my-robot-profile
   

4. Specify the authorized key of the service account in the profile configuration:

   yc config set service-account-key key.json
   

Now you can perform operations on behalf of a service account, such as viewing the list of folders available to this account:

yc resource-manager folder list

Delete the service account

If you no longer need the service account, delete it:

1. Go to the folder that the service account belongs to.
2. Go to the Service accounts tab.
3. Click next to the service account and select Delete service account.
4. Confirm the deletion.

What's next

• The step-by-step instructions will help you with your tasks in Identity and Access Management.
• Read more about service accounts in the concepts section.
• See the best practices for using service accounts securely.