
# Providing Yandex Lockbox secrets to a container

{% note info %}

This feature is in the [Preview](../../overview/concepts/launch-stages.md) stage.

{% endnote %}

[Yandex Lockbox](../../lockbox/index.md) is designed to store secrets. You can provide a Yandex Lockbox secret to a container via an [environment variable](../concepts/runtime.md#environment-variables).

For a container to get access to a [secret](../../lockbox/concepts/secret.md), edit its settings to specify a [service account](../../iam/concepts/users/service-accounts.md) with the following roles assigned:
* `lockbox.payloadViewer` for the secret (learn how to assign access permissions for a secret [here](../../lockbox/operations/secret-access.md)).
* `kms.keys.encrypterDecrypter` for the encryption key if the secret was created using a Yandex Key Management Service key (learn how to assign access permissions for an encryption key [here](../../kms/operations/key-access.md)).

A Yandex Lockbox secret provided to a container is cached by Serverless Containers. After the service account loses access to the secret, the container may keep using the cached value for up to five minutes.

Providing Yandex Lockbox secrets creates a new container revision. You cannot provide secrets to an existing revision.

{% list tabs group=instructions %}

- Management console {#console}

    1. In the [management console](https://console.yandex.cloud), select the folder with your container.
    1. Navigate to **Serverless Containers**.
    1. Select a container you want to provide a secret to.
    1. Navigate to the **Editor** tab.
    1. In the window that opens, under **Image settings**, specify the following in the **Lockbox secrets** field:
        * Name of the environment variable to store the secret.
        * Secret ID.
        * Secret version ID.
        * Key of a key-value pair in the secret version.
    1. Click **Add**.

        You can provide multiple secrets to a container. To do this, click **Add** again for each additional secret.

    1. Click **Create revision**. This will create a new container revision with the specified secrets.
    
- CLI {#cli}

    If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

    The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

    To provide Yandex Lockbox secrets to a container, run this command:

    {% note warning %}

    If secrets were already provided to the previous revision, they will be overwritten.

    {% endnote %}

    ```bash
    yc serverless container revision deploy \
       --container-name test \
       --image cr.yandex/<registry_ID>/repository:tag \
       --cores 1 \
       --memory 1GB \
       --service-account-id <service_account_ID> \
       --secret environment-variable=<environment_variable_name>,id=<secret_ID>,version-id=<secret_version_ID>,key=<secret_key>
    ```

    Where:

    * `--container-name`: Container name.
    * `--image`: Docker image URL.
    * `--cores`: Number of cores available to the container.
    * `--memory`: Required memory. The default value is 128 MB.
    * `--service-account-id`: ID of the service account with the `lockbox.payloadViewer` role.
    * `--secret`:
        * `environment-variable`: Name of the environment variable that will store the secret.
        * `id`: Secret ID.
        * `version-id`: Secret version ID.
        * `key`: Key of a key-value pair in the secret version.
      
      You can provide multiple secrets to a container. To do this, specify `--secret` as many times as needed.
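    The `--secret` value above has a fixed `environment-variable=...,id=...,version-id=...,key=...` layout, and a malformed or duplicated spec only surfaces after a new revision has already been created. The following added helper script (not part of the `yc` CLI or this guide; the `secret_arg`, `build_secret_args` and `deploy_with_secrets` functions and the placeholder IDs are assumptions) validates each spec and assembles the argument list before deploying, printing the command by default instead of running it.

    ```bash
    #!/usr/bin/env bash
    # Assumed helper (not part of the yc CLI): builds and validates the --secret
    # arguments for `yc serverless container revision deploy` so that a bad spec
    # fails locally instead of producing a broken revision.
    set -euo pipefail

    # Prints one --secret value in the yc format, or fails on a malformed field.
    # Usage: secret_arg ENV_VAR SECRET_ID VERSION_ID KEY
    secret_arg() {
      local env_var="$1" id="$2" version="$3" key="$4" v
      # The variable name must be a valid environment identifier.
      [[ "$env_var" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] \
        || { echo "invalid environment variable name: $env_var" >&2; return 1; }
      # Every field is mandatory; ',' and '=' would be parsed as separators.
      for v in "$id" "$version" "$key"; do
        [[ -n "$v" && "$v" != *,* && "$v" != *=* ]] \
          || { echo "empty or unsafe field in spec for $env_var" >&2; return 1; }
      done
      printf 'environment-variable=%s,id=%s,version-id=%s,key=%s\n' \
        "$env_var" "$id" "$version" "$key"
    }

    # Reads "ENV_VAR SECRET_ID VERSION_ID KEY" lines on stdin and prints one
    # "--secret <value>" pair per line. Duplicate variable names are rejected:
    # the later spec would silently replace the earlier one in the revision.
    build_secret_args() {
      local env_var id version key spec seen=" "
      while read -r env_var id version key; do
        [[ -z "$env_var" ]] && continue
        if [[ "$seen" == *" $env_var "* ]]; then
          echo "duplicate environment variable: $env_var" >&2; return 1
        fi
        seen="$seen$env_var "
        spec=$(secret_arg "$env_var" "$id" "$version" "$key") || return 1
        printf '%s %s\n' --secret "$spec"
      done
    }

    # Constructed sample specs with placeholder IDs (not real Lockbox resources).
    SAMPLE_SPECS='DB_PASSWORD example-secret-id example-version-id password
    API_TOKEN   example-secret-id example-version-id api_token'

    # Reads specs on stdin; prints the deploy command (DRY_RUN=1, the default)
    # or runs it (DRY_RUN=0) with the generated --secret arguments appended.
    DRY_RUN="${DRY_RUN:-1}"
    deploy_with_secrets() {
      local args
      args=$(build_secret_args) || return 1
      # shellcheck disable=SC2206  # word splitting of the generated args is intended
      local cmd=(yc serverless container revision deploy --container-name test
        --image "cr.yandex/<registry_ID>/repository:tag"
        --service-account-id "<service_account_ID>" $args)
      if [[ "$DRY_RUN" == 1 ]]; then printf '%s ' "${cmd[@]}"; echo; else "${cmd[@]}"; fi
    }
    ```

    Pipe the spec list into it, for example `printf '%s\n' "$SAMPLE_SPECS" | deploy_with_secrets`, and set `DRY_RUN=0` once the printed command looks right.
    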

- Terraform {#tf}

    If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
    
    
    To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../terraform/authentication.md) using the appropriate method.

    1. Open the Terraform configuration file and add the `secrets` section to the container description:

        ```hcl
        resource "yandex_serverless_container" "test-container" {
          name               = "<container_name>"
          memory             = <memory_size>
          service_account_id = "<service_account_ID>"
          secrets {
            id                   = "<secret_ID>"
            version_id           = "<secret_version_ID>"
            key                  = "<secret_1_key>"
            environment_variable = "<environment_variable_1_name>"
          }
          secrets {
            id                   = "<secret_ID>"
            version_id           = "<secret_version_ID>"
            key                  = "<secret_2_key>"
            environment_variable = "<environment_variable_2_name>"
          }
          image {
            url = "<Docker_image_URL>"
          }
        }
        ```

        Where:
          * `secrets`: Section with secret configuration. It contains the following settings:
            * `id`: Secret ID. This is a required setting.
            * `version_id`: Secret version ID. This is a required setting.
            * `key`: Key of a secret version’s key-value pair that will be stored in the environment variable. This is a required setting.
            * `environment_variable`: Name of the environment variable that will store the secret. This is a required setting.
        
        For more information about `yandex_serverless_container` properties, see [this provider guide](../../terraform/resources/serverless_container.md).
 
    1. Apply the changes:

        1. In the terminal, navigate to the configuration file directory.
        1. Make sure the configuration is correct using this command:
        
           ```bash
           terraform validate
           ```
        
           If the configuration is valid, you will get this message:
        
           ```bash
           Success! The configuration is valid.
           ```
        
        1. Run this command:
        
           ```bash
           terraform plan
           ```
        
           You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
        1. Apply the configuration changes:
        
           ```bash
           terraform apply
           ```
        
        1. Type `yes` and press **Enter** to confirm the changes.

    You can check the container update and its settings in the [management console](https://console.yandex.cloud).

- API {#api}

  To provide a Yandex Lockbox secret to a container, use the [deployRevision](../containers/api-ref/Container/deployRevision.md) REST API method for the [Container](../containers/api-ref/Container/index.md) resource or the [ContainerService/DeployRevision](../containers/api-ref/grpc/Container/deployRevision.md) gRPC API call.

{% endlist %}