Creating static access keys
These are instructions for how to create static access keys for a service account.
If you don't have a service account yet, create one and assign it roles.
To create a static access key:
- In the management console, select the folder the service account belongs to.
- Go to the Service accounts tab.
- Choose a service account and click the line with its name.
- Click Create new key in the top panel.
- Select Create static access key.
- Specify the key description and click Create.
- Save the ID and private key.
Alert: After the dialog is closed, the private key value will be unavailable.
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- See the description of the create static access key command:
    yc iam access-key create --help
- Select a service account (for example, my-robot):
    yc iam service-account list
  Result:
    +----------------------+------------------+-------------------------------+
    |          ID          |       NAME       |          DESCRIPTION          |
    +----------------------+------------------+-------------------------------+
    | aje6o61dvog2h6g9a33s | my-robot         |                               |
    | aje9sda1ufvqcmfksd3f | blabla           | bla bla bla is my description |
    +----------------------+------------------+-------------------------------+
- Create an access key for the my-robot service account:
    yc iam access-key create --service-account-name my-robot
  Result:
    access_key:
      id: aje6t3vsbj8lp9r4vk2u
      service_account_id: ajepg0mjt06siuj65usm
      created_at: "2018-11-22T14:37:51Z"
      key_id: 0n8X6WY6S24N7OjXQ0YQ
    secret: JyTRFdqw8t1kh2-OJNz4JX5ZTz9Dj1rI9hxtzMP1
- Save the ID key_id and secret key. You will not be able to get the key value again.
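Because the secret is printed only once, one way to capture it straight into an owner-only file instead of the terminal scrollback is sketched below. This is an added example, not part of the original instructions: the save_access_key helper and the output file name are hypothetical, and the sample output is constructed with fake values.

```shell
#!/bin/sh
# Added example, not part of the original instructions.
# Constructed sample in the layout `yc iam access-key create` prints (fake values).
SAMPLE_OUTPUT='access_key:
  id: ajeexampleexample000
  service_account_id: ajeexampleexample111
  created_at: "2018-11-22T14:37:51Z"
  key_id: EXAMPLEKEYID00000000
secret: EXAMPLE-SECRET-not-a-real-value-00000000'

# save_access_key FILE  (hypothetical helper)
# Reads the create command's output on stdin and stores key_id and secret
# in FILE, readable by the owner only. Prints only the non-secret key_id.
save_access_key() {
    out_file=$1
    raw=$(cat)    # consume stdin once; the secret is never echoed
    key_id=$(printf '%s\n' "$raw" | sed -n 's/^[[:space:]]*key_id:[[:space:]]*//p' | head -n 1)
    secret=$(printf '%s\n' "$raw" | sed -n 's/^[[:space:]]*secret:[[:space:]]*//p' | head -n 1)
    if [ -z "$key_id" ] || [ -z "$secret" ]; then
        echo "save_access_key: key_id or secret not found in input" >&2
        return 1
    fi
    # umask 077 creates the file as 0600; noclobber (set -C) refuses to
    # overwrite an existing file, so an earlier saved key is never lost.
    if ! ( umask 077; set -C
           printf 'key_id=%s\nsecret=%s\n' "$key_id" "$secret" > "$out_file" ) 2>/dev/null
    then
        echo "save_access_key: cannot create $out_file (already exists?)" >&2
        return 2
    fi
    printf '%s\n' "$key_id"
}

# Usage against the real CLI (command from this page):
#   yc iam access-key create --service-account-name my-robot | save_access_key ./my-robot.key
```

The function returns 1 when the input has no key_id or secret, so a failed create command does not leave behind an empty credentials file.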
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- In the configuration file, describe the parameters of resources that you want to create:
    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = "<service_account_ID>"
      description        = "<key_description>"
      pgp_key            = "keybase:keybaseusername"
    }
  Where:
  - service_account_id: Service account ID. Required parameter.
  - description: Key description. Optional.
  - pgp_key: An additional PGP key for encrypting a private key. Optional. Specify the public part of the key in base64 encoding or in the keybase:keybaseusername form.
  For more information about the yandex_iam_service_account_static_access_key resource parameters in Terraform, see the provider documentation.
- Make sure that the configuration files are valid.
  - In the command line, go to the directory where you created the configuration file.
  - Run the check using the command:
      terraform plan
  If the configuration is described correctly, the terminal displays a list of created resources and their parameters. If the configuration contains errors, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration doesn't contain any errors, run the command:
      terraform apply
  - Confirm the static access key creation by typing yes in the terminal and pressing Enter.
  If any errors occur when creating the key, Terraform will indicate them. If the key is successfully created, Terraform will write it into its configuration, but will not show it to the user. The terminal will display only the ID of the created key.
  You can verify that the key of the service account is there in the management console or using the CLI command:
    yc iam access-key list --service-account-name=<service_account_name>
Examples
Add a description when creating
Add a description when creating an access key.
CLI:
    yc iam access-key create --service-account-name my-robot \
      --description "this key is for my bucket"

API:
    curl -X POST \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer <IAM-TOKEN>" \
      -d '{
        "serviceAccountId": "aje6o61dvog2h6g9a33s",
        "description": "this key is for my bucket"
      }' \
      https://iam.api.cloud.yandex.net/iam/aws-compatibility/v1/accessKeys

Terraform:
    resource "yandex_iam_service_account_static_access_key" "sa-static-key" {
      service_account_id = "aje6o61dvog2h6g9a33s"
      description        = "this key is for my bucket"
      pgp_key            = "BIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+x....."
    }