© 2023 Yandex.Cloud LLC

Transmitting Yandex Lockbox secrets to a function

Written by
Yandex Cloud

    Note

    This feature is in the Preview stage.

    Yandex Lockbox is a service for storing secrets. You can transmit a Yandex Lockbox secret to a function in an environment variable.

    A function can access the secret when a service account with the lockbox.payloadViewer role is specified in the function's parameters. How to create a service account.

    A new version of a function is created when secrets are transmitted. You can't transmit secrets to an existing version.

    Management console

    1. In the management console, select the folder containing your function.
    2. Open Cloud Functions.
    3. Select the function you want to transmit a Yandex Lockbox secret to.
    4. Go to the Editor tab.
    5. Under Parameters, specify:
      • In the Service account field, the service account with the lockbox.payloadViewer role.
      • In the Yandex Lockbox secret field:
        • The name of the environment variable where the secret will be kept.
        • Secret ID.
        • Secret version ID.
        • Non-secret key ID.
    6. Click Add. You can transmit several secrets to a function.
    7. Click Create version. A new version of the function with the specified secrets is created.

    CLI

    If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    To transmit a Yandex Lockbox secret to a function, run the command:

    Warning

    If the secrets were already passed to the previous function version, they are overwritten.

    
    yc serverless function version create \
      --function-name=test \
      --runtime nodejs16 \
      --entrypoint index.main \
      --memory 128m \
      --execution-timeout 5s \
      --source-version-id vfdsde*************** \
      --service-account-id bfbtfc************** \
      --secret environment-variable=KEY,id=fc3q4a**************,version-id=fc3gvv**************,key=key-id
    

    Where:

    • --function-name: The function name.
    • --runtime: The runtime environment.
    • --entrypoint: The entry point specified in the <function file name>.<handler name> format.
    • --memory: The amount of RAM.
    • --execution-timeout: The maximum function execution time before the timeout is reached.
    • --source-version-id: ID of the function version to copy the code of.
    • --service-account-id: ID of a service account with the lockbox.payloadViewer role.
    • --secret:
      • environment-variable: Name of the environment variable where the secret will be kept.
      • id: Secret ID.
      • version-id: Secret version ID.
      • key: Non-secret key ID.

    API

    You can transmit a Yandex Lockbox secret to a function using the createVersion API method.
