Get started
Yandex Lockbox

Getting started

Written by

Create your first secret and get its content.

Create a secret

A secret is a set of versions that store your data. A version contains sets of keys and values:

  • A key is a non-secret name that identifies a value.
  • The value is your secret data.

Versions can't be changed. Whenever you need to change the number of key-value pairs or their content, you must create a new version.

To create a secret:

  1. In management console, select the folder to create a secret in.

  2. In the list of services, select Lockbox.

  3. Click Create secret.

  4. In the Name field, enter a name for the secret.

  5. (optional) In the KMS key field, specify an existing key or create a new key.

    The specified KMS key is used to encrypt your secret. If you omit the key, the secret is encrypted with a special system key.

    Tip

    By using your own KMS key you can take full advantage of Yandex Key Management Service.

  6. Under Version:

    • In the Key field, enter a non-secret ID.
    • In the Value field, enter the confidential data you want to store.
    • Click Add value.
    • (optional) Repeat the steps to add more data.

  7. Click Save.

Get the content of the secret

Roles required to get a secret

If you specified your KMS key when creating a secret, assign for it the role kms.keys.encrypterDecrypter: it's needed to encrypt and decrypt the secret.

Get the content of the secret

To get the content of the secret, access it using the API. If you make a request without specifying a version, the content of the current (latest) version is returned.

You can use this logic in scripts, services, and applications where you need to use the content of your secret.

To get the content of the secret:

  1. Get an IAM token required for authentication and save it to the variable:

    export IAM_TOKEN=`yc iam create-token`

    You can also get an IAM token for your service account from inside the VM that the token is linked to. To do this, send a request to the metadata service. An example with the jq utility:

    export IAM_TOKEN=`curl -H Metadata-Flavor:Google http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | jq -r .access_token`

  2. Run the request:

    curl -X GET -H "Authorization: Bearer ${IAM_TOKEN}" \
https://payload.lockbox.api.cloud.yandex.net/lockbox/v1/secrets/<ID of the secret>/payload
In this article: