Skip to main content
Access keys in Nebius AI Cloud are used to authenticate service accounts in AWS-compatible services, such as Object Storage. To work with such services using their CLIs (e.g., AWS CLI), create an access key and add it to the CLI configuration. The key ID is included in your requests and can be viewed. The secret key is used to sign the request parameters and is not included in the request. Unlike authorized keys, access keys can be issued without an expiration date. Do not confuse access tokens with access keys. Access tokens are used for authentication in Nebius AI Cloud interfaces.

Before you start

  1. Make sure that you, or the service account that you use on your behalf, is in a group that has the admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.
  2. Install and initialize the Nebius AI Cloud CLI.
  3. Check that your project ID is saved in the Nebius AI Cloud CLI profile configuration: 
    cat ~/.nebius/config.yaml
  4. Install the jq to extract IDs and tokens from JSON data returned by the Nebius AI Cloud CLI: 
    sudo apt-get install jq
  5. Create a service account, if you don’t have one already.
  6. Get the ID of the service account for which you want to issue the key and save it to an environment variable: 
    export SA_ID=$(nebius iam service-account get-by-name \
  --name <service_account_name> \
  --format json \
  | jq -r ".metadata.id")

Create a key pair

Create an access key pair and save its ID to an environment variable: 
export ACCESS_KEY_ID=$(nebius iam v2 access-key create \
  --account-service-account-id $SA_ID \
  --expires-at <optional_expiration_date> \
  --description 'AWS CLI key' \
  --format json | jq -r '.metadata.id')
Where --expires at allows you to create a temporary access key. To set the key’s expiration date, use the ISO 8601 format. Here’s how to store an environment variable with a one-year expiration date: 
EXPIRES_AT=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
Then pass the variable as --expires-at $EXPIRES_AT.

Configure your AWS CLI profile

In this example, you will configure the AWS CLI to work with Object Storage on behalf of the service account.
  1. Get the access key pair AWS ID and save it to an environment variable: 
    export ACCESS_KEY_AWS_ID=$(nebius iam v2 access-key get \
  --id $ACCESS_KEY_ID \
  --format json | jq -r '.status.aws_access_key_id')
  2. Get the secret key and save it to an environment variable: 
    export SECRET_ACCESS_KEY=$(nebius iam v2 access-key get \
  --id $ACCESS_KEY_ID \
  --format json | jq -r '.status.secret')
  3. Add the key to the AWS CLI configuration: 
    aws configure set aws_access_key_id $ACCESS_KEY_AWS_ID
aws configure set aws_secret_access_key $SECRET_ACCESS_KEY
  4. Depending on your project region, add the Nebius AI Cloud region ID and the Object Storage endpoint URL to the AWS CLI configuration: 
    aws configure set region <region_ID>
aws configure endpoint_url https://storage.<region_ID>.nebius.cloud
    For example, run the following commands for a project in eu-north1: 
    aws configure set region eu-north1
aws configure set endpoint_url https://storage.eu-north1.nebius.cloud