Working with Yandex.Cloud from inside a VM
This section describes how to work with Yandex.Cloud from inside a VM via the API or CLI.
To automate operations with Yandex.Cloud from inside a VM, we recommend using service accounts. This is more secure since you don't need to save your OAuth token on a VM and can restrict access rights for service accounts.
Yandex.Cloud provides simplified authentication via the API and CLI from inside a VM for service accounts. To authenticate:
- If you don't have a service account, create one and set up its access rights.
- Link the service account to a VM.
- Authenticate from inside the VM.
Link your service account
Link your service account to an existing or new VM. You can only link one service account.
To link a service account to a VM, you must have permission to use this account. This permission is included in the roles iam.serviceAccounts.user, editor, and higher.
Linking to an existing VM
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
Update the VM parameters by specifying the service account via the --service-account-name or --service-account-id option:
yc compute instance update my-instance --service-account-name test
Linking to a new VM
In the management console, you can link a service account that's in the same folder as the new VM. If the service account is in a different folder, use the CLI or API.
To link your service account to a VM, specify it during VM creation. You can select an existing service account or create a new one:
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
Create a VM and specify the service account using the --service-account-name or --service-account-id option:
yc compute instance create \
--name my-instance \
--network-interface subnet-name=default,nat-ip-version=ipv4 \
--ssh-key ~/.ssh/id_rsa.pub \
--service-account-name my-robot
Authenticating from inside a VM
To authenticate from inside a VM on behalf of the linked service account:
-
If you don't have the Yandex.Cloud command line interface yet, install and initialize it.
-
Create a new profile:
yc config profile create my-robot-profile -
Configure your profile to run commands.
Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.
-
Specify the cloud in your profile:
yc config set cloud-id <cloud ID>Or run commands with the
--cloud-idparameter. -
Specify a folder in the profile:
yc config set folder-id <folder ID>Or use the
--folder-idparameter in your commands.
All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.
You can also get an IAM token, for example, to authenticate with the API:
yc iam create-tokenIAM token lifetime in this case will be less than 12 hours. Request an IAM token more often, like once per hour or with every operation. To find out the remaining lifetime of the token, use the API instructions.
-
-
Get an IAM token from metadata in Google Compute Engine format:
$ curl -H Metadata-Flavor:Google http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token {"access_token":"CggVAgAAA...","expires_in":39944,"token_type":"Bearer"}The IAM token will be returned in the
access_tokenfield of the response. The remaining lifetime of the IAM token is specified in theexpires_infield. -
Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the
Authorizationheader in the following format:Authorization: Bearer <IAM-TOKEN>
Account for your IAM token lifetime or request the token more often, like once per hour or with every operation.