[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for Kubernetes](../index.md) > [Application Load Balancer tools](index.md) > Working with service accounts

# Service account for Application Load Balancer tools in Yandex Managed Service for Kubernetes

{% note tip %}

We recommend using the new [Yandex Cloud Gwin](gwin-index.md) controller instead of an ALB Ingress controller and Gateway API.

{% endnote %}

Managed Service for Kubernetes Application Load Balancer tools, e.g., [ingress controller](ingress-controller/index.md) and [Gateway API](gateway-api/index.md), use a [service account](../../iam/concepts/users/service-accounts.md) to deploy infrastructure. This account requires the following permissions:

{% list tabs %}

- Ingress controller

  | Service | Type of permission required | Minimum required permissions |
  | ----- | ----- | ----- |
  | Application Load Balancer<br/>([roles](../../application-load-balancer/security/index.md)) | Service resource management | `alb.editor` |
  | Virtual Private Cloud<br/>([roles](../../vpc/security/index.md)) | Managing internal or external connectivity based on the load balancer type | `vpc.publicAdmin` (external)<br/>`vpc.privateAdmin` (internal) |
  | Certificate Manager<br/>([roles](../../certificate-manager/security/index.md)) | Obtaining HTTPS load balancer certificates | `certificate-manager.certificates.downloader` |
  | Compute Cloud<br/>([roles](../../compute/security/index.md)) | Getting information about Managed Service for Kubernetes cluster node VMs | `compute.viewer` |

- Gateway API

  | Service | Type of permission required | Minimum required permissions |
  | ----- | ----- | ----- |
  | Application Load Balancer<br/>([roles](../../application-load-balancer/security/index.md)) | Service resource management | `alb.editor` |
  | Virtual Private Cloud<br/>([roles](../../vpc/security/index.md)) | Managing internal or external connectivity based on the load balancer type | `vpc.publicAdmin` (external)<br/>`vpc.privateAdmin` (internal) |
  | Certificate Manager<br/>([roles](../../certificate-manager/security/index.md)) | Managing HTTPS load balancer certificates | `certificate-manager.certificates.admin` |
  | Compute Cloud<br/>([roles](../../compute/security/index.md)) | Getting information about Managed Service for Kubernetes cluster node VMs | `compute.viewer` |
  
{% endlist %}

The service account authenticates using an [authorized key](../../iam/concepts/authorization/key.md). You must specify this key in the `saKeySecretKey` field when deploying a Helm chart with an ingress controller or Gateway API. For example, if you created your authorized key using the [`yc iam key create`](../../iam/operations/iam-token/create-for-sa.md) CLI command and stored it to `sa-key.json`, the Helm chart installation command may look like this:

```bash
helm install \
  --namespace yc-alb \
  --set-file saKeySecretKey=sa-key.json \
  ...
```

The system will store the authorized key as either Secret `yc-alb-ingress-controller-sa-key` or Secret `yc-alb-gateway-api-controller-sa-key` in the namespace specified during Helm chart deployment, e.g., `yc-alb`.