
Working with Yandex.Cloud from inside a VM

  • Link your service account
    • Linking to an existing VM
    • Linking to a new VM
  • Authenticating from inside a VM

This section describes how to work with Yandex.Cloud from inside a VM via the API or CLI.

To automate operations with Yandex.Cloud from inside a VM, we recommend using service accounts. This is more secure since you don't need to save your OAuth token on a VM and can restrict access rights for service accounts.

Yandex.Cloud provides simplified authentication via the API and CLI from inside a VM for service accounts. To authenticate:

  1. If you don't have a service account, create one and set up its access rights.
  2. Link the service account to a VM.
  3. Authenticate from inside the VM.

Link your service account

Link your service account to an existing or new VM. Only one service account can be linked to a VM.

To link a service account to a VM, you must have permission to use this account. This permission is included in the roles iam.serviceAccounts.user, editor, and higher.

Linking to an existing VM

CLI

If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Update the VM parameters by specifying the service account via the --service-account-name or --service-account-id option:

yc compute instance update my-instance --service-account-name test

API

Use the update method for the Instance resource. In the serviceAccountId property, specify the ID of the service account.

Linking to a new VM

Management console

In the management console, you can link a service account that's in the same folder as the new VM. If the service account is in a different folder, use the CLI or API.

To link your service account to a VM, specify it during VM creation. You can select an existing service account or create a new one:

[Screenshot: service account selection in the VM creation form]

CLI

If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

Create a VM and specify the service account using the --service-account-name or --service-account-id option:

yc compute instance create \
  --name my-instance \
  --network-interface subnet-name=default,nat-ip-version=ipv4 \
  --ssh-key ~/.ssh/id_rsa.pub \
  --service-account-name my-robot

API

Use the create method for the Instance resource. In the serviceAccountId property, specify the ID of the service account.

Authenticating from inside a VM

To authenticate from inside a VM on behalf of the linked service account:

CLI

  1. Connect to the VM via SSH or RDP.

  2. If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

  3. Create a new profile:

    yc config profile create my-robot-profile

  4. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.

    1. Specify the cloud in your profile:

      yc config set cloud-id <cloud ID>

      Or run commands with the --cloud-id parameter.

    2. Specify a folder in the profile:

      yc config set folder-id <folder ID>

      Or use the --folder-id parameter in your commands.

    All operations in this profile will be performed on behalf of the linked service account. You can change the profile parameters or switch to another profile.

    You can also get an IAM token, for example, to authenticate with the API:

    yc iam create-token

    In this case, the IAM token lifetime is less than 12 hours. Request an IAM token more often, for example once per hour or with every operation. To find out the remaining lifetime of the token, use the API instructions.

API

  1. Connect to the VM via SSH or RDP.

  2. Get an IAM token from metadata in Google Compute Engine format:

    curl -H Metadata-Flavor:Google http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token

    {"access_token":"CggVAgAAA...","expires_in":39944,"token_type":"Bearer"}

    The IAM token will be returned in the access_token field of the response. The remaining lifetime of the IAM token is specified in the expires_in field.

  3. Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

    Authorization: Bearer <IAM-TOKEN>

Account for your IAM token lifetime or request the token more often, for example once per hour or with every operation.
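The API procedure above (metadata request, access_token and expires_in, Bearer header, re-requesting before the token expires) as an added example; this is not Yandex.Cloud code and not part of the original page. The metadata URL and Metadata-Flavor header are the ones shown on the page; the 5-minute refresh margin, the IamTokenProvider class and the constructed sample response are assumptions made for the example.

```python
import json
import time
import urllib.request

# Metadata endpoint and header as documented on the page.
METADATA_TOKEN_URL = ("http://169.254.169.254/computeMetadata/v1/"
                      "instance/service-accounts/default/token")
# Assumed policy: re-request the token 5 minutes before expires_in runs out.
REFRESH_MARGIN_SECONDS = 300


def fetch_token_from_metadata(url=METADATA_TOKEN_URL, timeout=2):
    """Ask the metadata service for the linked service account's IAM token."""
    req = urllib.request.Request(url, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


class IamTokenProvider:
    """Caches the IAM token and fetches a fresh one shortly before it expires.

    fetch and clock are injectable so the logic can be exercised off the VM.
    """

    def __init__(self, fetch=fetch_token_from_metadata, clock=time.time,
                 margin=REFRESH_MARGIN_SECONDS):
        self._fetch = fetch
        self._clock = clock
        self._margin = margin
        self._token = None
        self._expires_at = 0.0

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            data = self._fetch()
            if data.get("token_type") != "Bearer" or "access_token" not in data:
                raise ValueError("unexpected metadata token response")
            self._token = data["access_token"]
            # expires_in is the remaining lifetime in seconds (39944 on the page
            # is consistent with "less than 12 hours").
            self._expires_at = now + int(data["expires_in"])
        return self._token

    def auth_header(self):
        """Header to pass when calling the Yandex.Cloud API."""
        return {"Authorization": "Bearer " + self.token()}


# Constructed sample response, shaped like the one shown on the page.
SAMPLE_RESPONSE = {"access_token": "CggVAgAAA...", "expires_in": 39944,
                   "token_type": "Bearer"}
```

Any process on the VM can read the metadata service, so the token is only as safe as the VM and the service account's rights should be kept minimal, as the page recommends.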

© 2021 Yandex.Cloud LLC