[Yandex Cloud documentation](../../index.md) > [Yandex Lockbox](../index.md) > [Step-by-step guides](index.md) > Configuring access to a secret

# Configuring access to a secret

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder the secret belongs to.
  1. Navigate to **Lockbox**.
  1. Click the name of the secret you need.
  1. On the left-hand panel, select ![image](../../_assets/console-icons/persons.svg) **Access bindings** and click **Assign roles**.
  1. In the Who to grant access to field of the window that opens, select a group, user, or [service account](../../iam/concepts/users/service-accounts.md) to provide with access to the secret.
  1. Click ![image](../../_assets/console-icons/plus.svg) **Add role** and select the required [roles](../security/index.md#roles-list).
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. Get the secret ID (the `ID` column in the command output):
     
     ```bash
     yc lockbox secret list
     ```
     
     Result:
     
     ```bash
     +----------------------+-------------+------------+---------------------+----------------------+--------+
     |          ID          |    NAME     | KMS KEY ID |     CREATED AT      |  CURRENT VERSION ID  | STATUS |
     +----------------------+-------------+------------+---------------------+----------------------+--------+
     | e6qetpqfe8vvag9h7jkr | test-secret |            | 2023-12-06 15:12:13 | e6qdnt9t2qsdggusve4g | ACTIVE |
     +----------------------+-------------+------------+---------------------+----------------------+--------+
     ```

  1. To assign a role for a secret:

      * To a user:

        ```bash
        yc lockbox secret add-access-binding \
          --id <secret_ID> \
          --user-account-id <user_ID> \
          --role <role>
        ```

        Where:
        * `--id`: Secret ID.
        * `--user-account-id`: [User ID](../../organization/operations/users-get.md).
        * `--role`: [Role](../security/index.md#roles-list) to assign.

      * To a [service account](../../iam/concepts/users/service-accounts.md):

        ```bash
        yc lockbox secret add-access-binding \
          --id <secret_ID> \
          --service-account-id <service_account_ID> \
          --role <role>
        ```

        Where:
        * `--id`: Secret ID.
        * `--service-account-id`: [Service account ID](../../iam/operations/sa/get-id.md).
        * `--role`: [Role](../security/index.md#roles-list) to assign.

- Terraform {#tf}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

  1. Describe access permissions for the secret in the Terraform configuration file:

      ```hcl
      resource "yandex_lockbox_secret_iam_member" "secret-viewer" {
        secret_id = "<secret_ID>"
        role      = "<role>"
        member    = "<subject_type>:<subject_ID>"
      }
      ```

      Where:

      * `secret_id`: Secret ID.
      * `role`: [Role](../security/index.md#roles-list) to assign.
      * `member`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to. Specify it as `userAccount:<user_ID>` or `serviceAccount:<service_account_ID>`.

      For more information about the `yandex_lockbox_secret_iam_member` properties in Terraform, see [this provider guide](../../terraform/resources/lockbox_secret_iam_member.md).

  1. Create the resources

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```bash
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.
      
      Terraform will create all the required resources. You can check the new resources and their settings using the [management console](https://console.yandex.cloud) or this [CLI](../../cli/quickstart.md) command:

      ```bash
      yc lockbox secret list-access-binding <secret_ID>
      ```

- API {#api}

  To configure access to a secret, use the [setAccessBindings](../api-ref/Secret/setAccessBindings.md) REST API method for the [Secret](../api-ref/Secret/index.md) resource or the [SecretService/SetAccessBindings](../api-ref/grpc/Secret/setAccessBindings.md) gRPC API call.

{% endlist %}

{% note warning %}

If you [assign](../../iam/operations/roles/grant.md) a group, user, or service account a role for a [folder](../../resource-manager/concepts/resources-hierarchy.md#folder) or [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud) where the secret is stored, all permissions of this role will also apply to the secret.

For more information, see [How access management works](../../iam/concepts/access-control/index.md#inheritance).

{% endnote %}

## Useful links {#see-also}

* [Secrets in Yandex Lockbox](../concepts/secret.md)
* [How access management works in Yandex Cloud](../../iam/concepts/access-control/index.md)
* [Access management in Yandex Lockbox](../security/index.md)