# Using a Yandex Lockbox secret to store a static access key via the CLI

To [use a static access key](index.md) saved in a Yandex Lockbox secret via the CLI:

1. [Set up your environment](#prepare).
1. [Save the static access key to a Yandex Lockbox secret](#store-key-into-secret).
1. [Use the key from the Yandex Lockbox secret for your operations with the service](#use-key).

If you no longer need the resources you created, [delete them](#clear-out).


## Getting started {#before-you-begin}

Sign up for Yandex Cloud and create a [billing account](../../../billing/concepts/billing-account.md):
1. Navigate to the [management console](https://console.yandex.cloud) and log in to Yandex Cloud or create a new account.
1. On the **[Yandex Cloud Billing](https://center.yandex.cloud/billing/accounts)** page, make sure you have a billing account linked and it has the `ACTIVE` or `TRIAL_ACTIVE` [status](../../../billing/concepts/billing-account-statuses.md). If you do not have a billing account, [create one](../../../billing/quickstart/index.md) and [link](../../../billing/operations/pin-cloud.md) a cloud to it.

If you have an active billing account, you can create or select a [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) for your infrastructure on the [cloud page](https://console.yandex.cloud/cloud).

[Learn more about clouds and folders here](../../../resource-manager/concepts/resources-hierarchy.md).


### Required paid resources {#paid-resources}

The infrastructure support costs include:

* Fee for storing one version of the Yandex Lockbox secret (see [Yandex Lockbox pricing](../../../lockbox/pricing.md#secrets)).
* Fee for data storage in Object Storage, data operations, and outgoing traffic (you will not be charged unless there is data in the bucket). See [Object Storage pricing](../../../storage/pricing.md#rules).


## Set up your environment {#prepare}

1. If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

1. [Install](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) the AWS CLI.
   
   You do not need to configure the utility at this step. The required parameters, such as IDs and access keys, will be described and used in commands and environment variables further on in this guide.


## Save the static access key to the Yandex Lockbox secret {#store-key-into-secret}

{% list tabs group=instructions %}

- Yandex Cloud CLI {#cli}

  1. Create a service account, e.g., `storage-bucket-sa`, that you will use to perform operations in Object Storage:

      ```bash
      yc iam service-account create storage-bucket-sa
      ```

      Result:

      ```text
      done (1s)
      id: ajeplujf759j********
      folder_id: b1gt6g8ht345********
      created_at: "2024-05-07T19:18:37.244159066Z"
      name: storage-bucket-sa
      ```

      Save the service account `id`, as you will need it to assign roles to the service account.

      For more information about the `yc iam service-account create` command, see the [CLI reference](../../../cli/cli-ref/iam/cli-ref/service-account/create.md).

  1. Assign the `storage.editor` [role](../../../storage/security/index.md#storage-editor) for the folder to the service account you created.

      ```bash
      yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role storage.editor \
        --subject serviceAccount:<service_account_ID>
      ```

      Where:

      * `<folder_name_or_ID>`: Name or [ID](../../../resource-manager/operations/folder/get-id.md) of the folder where you created the service account.
      * `<service_account_ID>`: Service account ID you saved in the previous step.

      Result:

      ```yml
      done (2s)
      effective_deltas:
        - action: ADD
          access_binding:
            role_id: storage.editor
            subject:
              id: ajeplujf759j********
              type: serviceAccount
      ```

      For more information about the `yc resource-manager folder add-access-binding` command, see the [CLI reference](../../../cli/cli-ref/resource-manager/cli-ref/folder/add-access-binding.md).

  1. Similarly, assign the `lockbox.payloadViewer` [role](../../../lockbox/security/index.md#lockbox-payloadViewer) for the folder to the service account:

      ```bash
      yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role lockbox.payloadViewer \
        --subject serviceAccount:<service_account_ID>
      ```

  1. Create a static access key for the service account. To avoid displaying the key value on the screen, it will be saved to the `STATIC_KEY` variable:

      ```bash
      STATIC_KEY=$(yc iam access-key create --service-account-name storage-bucket-sa)
      ```

      For more information about the `yc iam access-key create` command, see the [CLI reference](../../../cli/cli-ref/iam/cli-ref/access-key/create.md).

  1. Save the [key ID](../../concepts/authorization/access-key.md#key-id) and [secret key](../../concepts/authorization/access-key.md#private-key) values to the separate `KEY_ID` and `KEY_VALUE` variables. The output of `yc iam access-key create` is text with one `<field>: <value>` pair per line, so the values are taken from the `key_id:` and `secret:` lines by field rather than by character offset:

      ```bash
      KEY_ID=$(awk '$1 == "key_id:" { print $2 }' <<< "$STATIC_KEY") \
        && KEY_VALUE=$(awk '$1 == "secret:" { print $2 }' <<< "$STATIC_KEY")
      ```

  1. Create a Yandex Lockbox secret named `static-key` containing the new static access key:

      ```bash
      yc lockbox secret create \
        --name static-key \
        --payload "[{'key': $KEY_ID, 'text_value': $KEY_VALUE}]" \
        --cloud-id <cloud_ID> \
        --folder-id <folder_ID> \
        --deletion-protection
      ```

      Where:

      * `--cloud-id`: [ID](../../../resource-manager/operations/cloud/get-id.md) of the cloud where you created the service account.
      * `--folder-id`: ID of the folder where you created the service account.
      * `--deletion-protection`: Secret deletion protection. You cannot delete a secret with this option enabled. This is an optional setting.

      Result:

      ```yml
      done (1s)
      id: e6qk0c62b4ep********
      folder_id: b1gt6g8ht345********
      created_at: "2024-05-07T20:05:51.569Z"
      name: static-key
      status: ACTIVE
      current_version:
        id: e6qrsj2hi8ug********
        secret_id: e6qk0c62b4ep********
        created_at: "2024-05-07T20:05:51.569Z"
        status: ACTIVE
        payload_entry_keys:
          - YCAJEO4w80Zf5DERM********
      deletion_protection: true
      ```

      For more information about the `yc lockbox secret create` command, see the [CLI reference](../../../cli/cli-ref/lockbox/cli-ref/secret/create.md).

{% endlist %}

The service account's static access key is now stored in the Yandex Lockbox secret. The key values are still present in the `STATIC_KEY`, `KEY_ID`, and `KEY_VALUE` variables of your shell session; clear them with `unset` once the secret has been created so the secret does not linger in the environment.


## Use the key from the Yandex Lockbox secret for your operations with the service {#use-key}

The example below is for macOS and Linux. To run it on Windows, [check the details on working with Bash in Microsoft Windows](../../../overview/concepts/console-syntax-guide.md).

1. Get the static access key saved in the `static-key` secret. To avoid displaying the key value on the screen, it will be saved to the `SECRET` variable:

    {% list tabs group=instructions %}

    - Yandex Cloud CLI {#cli}

      ```bash
      SECRET=$(yc lockbox payload get <secret_name_or_ID>)
      ```

      Instead of the positional argument, you can specify the secret using the `--id` or `--name` parameter.

      For more information about the `yc lockbox payload get` command, see the [CLI reference](../../../cli/cli-ref/lockbox/cli-ref/payload/get.md).

    {% endlist %}

1. Save the key ID, secret key, and placement region to the AWS CLI environment variables:

    ```bash
    export AWS_ACCESS_KEY_ID=$(awk 'NF > 1 && $(NF-1) == "key:" { print $NF }' <<< "$SECRET") \
      && export AWS_SECRET_ACCESS_KEY=$(awk 'NF > 1 && $(NF-1) == "text_value:" { print $NF }' <<< "$SECRET") \
      && export AWS_DEFAULT_REGION="ru-central1"
    ```

    The payload is printed as a list of entries (`- key: <key_ID>` followed by `text_value: <secret_key>`), so the values are taken from the `key:` and `text_value:` lines by field rather than by character offset.

    The AWS CLI will use the environment variables you created for authentication when performing operations with the service resources.

1. Create a bucket in Object Storage, specifying a unique [bucket name](../../../storage/concepts/bucket.md#naming) in the command:

    {% list tabs group=instructions %}
    
    - AWS CLI {#aws-cli}
    
      ```bash
      aws --endpoint-url=https://storage.yandexcloud.net \
        s3 mb s3://<bucket_name>
      ```
    
      Result:
    
      ```text
      make_bucket: my-first-bucket
      ```

    {% endlist %}

    This creates a new bucket in Object Storage. The bucket is created using the static access key obtained from the Yandex Lockbox secret and saved in the environment variables.
    
    You can also include the key ID, secret key, and placement region values directly in each AWS CLI command:

    {% list tabs group=instructions %}

    - AWS CLI {#aws-cli}

      ```bash
      AWS_ACCESS_KEY_ID=$(awk 'NF > 1 && $(NF-1) == "key:" { print $NF }' <<< "$SECRET") \
        AWS_SECRET_ACCESS_KEY=$(awk 'NF > 1 && $(NF-1) == "text_value:" { print $NF }' <<< "$SECRET") \
        AWS_DEFAULT_REGION="ru-central1" \
        aws --endpoint-url=https://storage.yandexcloud.net \
        s3 mb s3://<bucket_name>
      ```

      Result:

      ```text
      make_bucket: my-first-bucket
      ```

    {% endlist %}
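The `awk` one-liners in the store step and in this step pull the key ID and secret out of the yc CLI's text output and then hand them, unchecked, to Lockbox or the AWS CLI. The following added example is not part of the original tutorial: it parses the output of `yc iam access-key create` and `yc lockbox payload get` by field name, refuses to proceed if a value does not have the length of a Yandex Cloud static key, and builds the `--payload` argument with both values quoted. The sample outputs are constructed to mirror the yc CLI text format and contain placeholder values, not real credentials; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the tutorial): parse yc CLI text output into the
# key ID and secret without hard-coded character offsets, check the values,
# and build the Lockbox payload argument. Function names are this example's own.
set -eu

# Print the value that follows "<field>:" on a line such as
# "  key_id: YCAJ..." or "  - key: YCAJ...". Reads stdin; prints nothing if
# the field is absent. The NF > 1 guard skips blank and bare "section:" lines.
yaml_field() {
  awk -v f="$1:" 'NF > 1 && $(NF-1) == f { print $NF; exit }'
}

# Yandex Cloud static access keys have a 25-character key ID and a
# 40-character secret (the lengths the tutorial's awk commands rely on).
# Fail loudly if a parse produced something else, so a truncated or empty
# value never reaches Lockbox or the AWS CLI.
validate_static_key() {
  local key_id=$1 secret=$2
  if [ "${#key_id}" -ne 25 ]; then
    echo "key_id has length ${#key_id}, expected 25" >&2
    return 1
  fi
  if [ "${#secret}" -ne 40 ]; then
    echo "secret has length ${#secret}, expected 40" >&2
    return 1
  fi
}

# Parse `yc iam access-key create` text output into "<key_id> <secret>".
parse_access_key_output() {
  local key_id secret
  key_id=$(printf '%s\n' "$1" | yaml_field key_id)
  secret=$(printf '%s\n' "$1" | yaml_field secret)
  validate_static_key "$key_id" "$secret"
  printf '%s %s\n' "$key_id" "$secret"
}

# Parse `yc lockbox payload get` text output (entries list) into "<key_id> <secret>".
parse_payload_output() {
  local key_id secret
  key_id=$(printf '%s\n' "$1" | yaml_field key)
  secret=$(printf '%s\n' "$1" | yaml_field text_value)
  validate_static_key "$key_id" "$secret"
  printf '%s %s\n' "$key_id" "$secret"
}

# Build the JSON list accepted by `yc lockbox secret create --payload`,
# with both values quoted so the shell never interpolates them bare.
lockbox_payload() {
  printf '[{"key": "%s", "text_value": "%s"}]' "$1" "$2"
}

# Constructed samples that mirror the yc CLI text output; the IDs and key
# values are placeholders of the right length, not real credentials.
SAMPLE_CREATE_OUTPUT='access_key:
  id: ajeexampleaccesskeyid
  service_account_id: ajeexampleserviceacct
  created_at: "2024-05-07T19:19:51.000Z"
  key_id: YCAJE01234567890123456789
secret: YCN0123456789012345678901234567890123456'

SAMPLE_PAYLOAD_OUTPUT='entries:
  - key: YCAJE01234567890123456789
    text_value: YCN0123456789012345678901234567890123456
version_id: e6qexampleversionid'

# Run on the samples: split "<key_id> <secret>" and print the payload argument.
# With a real key, replace SAMPLE_CREATE_OUTPUT by "$STATIC_KEY" from the tutorial.
fields=$(parse_access_key_output "$SAMPLE_CREATE_OUTPUT")
KEY_ID=${fields% *}
KEY_VALUE=${fields#* }
lockbox_payload "$KEY_ID" "$KEY_VALUE"
echo
```

Because every function returns non-zero on a malformed value and the script runs under `set -e`, an empty or truncated parse stops the procedure before `yc lockbox secret create` or `aws` is ever invoked, instead of silently storing or exporting a broken key.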


## How to delete the resources you created {#clear-out}

To stop using the resources you created:
1. [Delete](../../../lockbox/operations/secret-delete.md) the secret.
1. [Delete](../../../storage/operations/buckets/delete.md) the bucket.

#### See also {#see-also}

* [Using a Yandex Lockbox secret to store a static access key using Terraform](terraform.md)