Creating API keys
This guide will tell you how to create an API key for a service account. The API key is a secret key used for simplified authorization in the Yandex Cloud API.
If you do not have a service account yet, create one and assign roles to it.
To create an API key:
- In the management console, select the folder the service account belongs to.
- At the top of the screen, go to the Service accounts tab.
- Choose a service account and click the row with its name. Create a new service account if needed.
- In the top panel, click
- Enter a description of the key so that you can easily find it in the management console.
- Click Create.
- Save the ID and private key.
Alert
Once you close the dialog, the private key value will be unavailable.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- See the description of the create API key command:
    yc iam api-key create --help
- Select a service account (for example, my-robot):
    yc iam service-account list
  Result:
    +----------------------+------------------+-------------------------------+
    |          ID          |       NAME       |          DESCRIPTION          |
    +----------------------+------------------+-------------------------------+
    | aje6o61dvog2******** | my-robot         |                               |
    | aje9sda1ufvq******** | account_name     | account_description           |
    +----------------------+------------------+-------------------------------+
- Create an API key for the my-robot service account and write the response to a file:
    yc iam api-key create --service-account-name my-robot > api-key.yaml
  The response's secret property will contain the API key:
    api_key:
      id: ajeke74kbp5b********
      service_account_id: ajepg0mjt06s********
      created_at: "2019-04-09T08:41:27Z"
    secret: AQVN1HHJReSrfo9jU3aopsXrJyfq_UHs********
To learn how to provide the key to a request, read the guides for the services that support this authorization method.
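The following is an added example, not part of the original guide or the yc CLI: one way to keep the api-key.yaml response file from being readable by other local users and to load the secret without printing it. The helper names save_private and read_api_key_secret are hypothetical, and fake_yc_create is a constructed stand-in for the real yc command so that the script runs offline.

```shell
#!/bin/sh
# Added example: treat the `yc iam api-key create` response file as a secret.

# Run a command and store its output in a file only the owner can access.
# The file is created (or tightened) before any secret is written to it.
save_private() {
    out=$1; shift
    ( umask 077 && : > "$out" && chmod 600 "$out" && "$@" >> "$out" )
}

# Print the `secret` property of a response file, refusing files that
# group or other users can access.
read_api_key_secret() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Characters 5-10 of `ls -ld` output are the group/other permission bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $file: accessible beyond owner ($perms)" >&2
        return 1
    fi
    secret=$(sed -n 's/^[[:space:]]*secret:[[:space:]]*//p' "$file" | tr -d "\"'" | head -n 1)
    [ -n "$secret" ] || { echo "no secret property in $file" >&2; return 3; }
    printf '%s\n' "$secret"
}

# Constructed stand-in for `yc iam api-key create --service-account-name my-robot`
# so the example runs offline; the secret value is a placeholder.
fake_yc_create() {
    cat <<'EOF'
api_key:
  id: ajeke74kbp5b********
  service_account_id: ajepg0mjt06s********
  created_at: "2019-04-09T08:41:27Z"
secret: EXAMPLE-SECRET-NOT-A-REAL-KEY
EOF
}

demo_dir=$(mktemp -d)
save_private "$demo_dir/api-key.yaml" fake_yc_create
API_KEY=$(read_api_key_secret "$demo_dir/api-key.yaml")   # held in a variable, never echoed
echo "key loaded, length ${#API_KEY}"
```

In real use, replace fake_yc_create in the save_private call with yc iam api-key create --service-account-name my-robot.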
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Add resource parameters to the configuration file:
  - service_account_id: Service account ID. This is a required parameter.
  - description: Key description. This is an optional parameter.
  - pgp_key: Additional PGP key for encrypting a private key. This is an optional parameter. Specify the public part of the key in Base64 encoding or in the keybase:keybaseusername format.
  Here is an example of the configuration file structure:
      resource "yandex_iam_service_account_api_key" "sa-api-key" {
        service_account_id = "<service_account_ID>"
        description        = "<key_description>"
        pgp_key            = "<pgp_key>"
      }
  For more information about the resources you can create using Terraform, see the provider documentation.
- Make sure the configuration files are valid.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
      terraform plan
  If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
  All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console and this CLI command:
      yc iam api-key list --service-account-id <service_account_ID>
Create an API key using the create REST API method for the ApiKey resource:
export SERVICEACCOUNT_ID=<service_account_ID>
export IAM_TOKEN=CggaATEVAgA...
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $IAM_TOKEN" \
-d "{ \"serviceAccountId\": \"$SERVICEACCOUNT_ID\" }" \
https://iam.api.cloud.yandex.net/iam/v1/apiKeys
You can also create an API key using the ApiKeyService/Create gRPC API call.
Examples
Add a description when creating
To make it easier to find an API key without knowing its ID, add a description when creating it:
yc iam api-key create --service-account-name my-robot \
--description "this API-key is for my-robot"
- Add resource parameters to the configuration file:
  - service_account_id: Service account ID. This is a required parameter.
  - description: Key description. This is an optional parameter.
  Example of adding a description when creating a service account API key using Terraform:
      resource "yandex_iam_service_account_api_key" "sa-api-key" {
        service_account_id = "<service_account_ID>"
        description        = "this API-key is for my-robot"
      }
  For more information about the resources you can create using Terraform, see the provider documentation.
- Make sure the configuration files are valid.
  - In the command line, go to the directory where you created the configuration file.
  - Run a check using this command:
      terraform plan
  If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
      terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
  All the resources you need will then be created in the specified folder. You can check the new resources and their configuration using the management console.
export SERVICEACCOUNT_ID=<service_account_ID>
export IAM_TOKEN=CggaATEVAgA...
curl -X POST \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $IAM_TOKEN" \
-d "{
\"serviceAccountId\": \"$SERVICEACCOUNT_ID\",
\"description\": \"this API-key is for my-robot\"
}" \
https://iam.api.cloud.yandex.net/iam/v1/apiKeys