> ## Documentation Index
> Fetch the complete documentation index at: https://docs.nebius.com/llms.txt
> Use this file to discover all available pages before exploring further.
# How to use access keys to authenticate in Nebius AI Cloud as a service account
*Access keys* in Nebius AI Cloud are used to authenticate [service accounts](../overview#accounts-and-members) in AWS-compatible services, such as Object Storage. To work with such services using their CLIs (e.g., AWS CLI), create an access key and add it to the CLI configuration. The key ID is included in your requests and can be viewed. The secret key is used to sign the request parameters and is not included in the request.
Access keys can be issued without an expiration date.
Do not confuse [access tokens](../authorization/access-tokens) with access keys. Access tokens are used for authentication in Nebius AI Cloud interfaces.
## Before you start
1. Make sure that you, or the service account that you use on your behalf, is in a [group](/iam/authorization/groups) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.
2. Install and initialize the [Nebius AI Cloud CLI](../../cli/quickstart).
3. Check that your project ID is saved in the Nebius AI Cloud CLI profile configuration:
```bash theme={null}
cat ~/.nebius/config.yaml
```
4. Install the jq to extract IDs and tokens from JSON data returned by the Nebius AI Cloud CLI:
```bash Ubuntu theme={null}
sudo apt-get install jq
```
```bash macOS theme={null}
brew install jq
```
5. [Create a service account](/iam/service-accounts/manage#create-a-service-account), if you don't have one already.
6. Get the ID of the service account for which you want to issue the key and save it to an environment variable:
```bash theme={null}
export SA_ID=$(nebius iam service-account get-by-name \
--name \
--format json \
| jq -r ".metadata.id")
```
## Create a key pair
Create an access key pair and save its ID to an environment variable:
```bash theme={null}
export ACCESS_KEY_ID=$(nebius iam v2 access-key create \
--account-service-account-id $SA_ID \
--expires-at \
--description 'AWS CLI key' \
--format json | jq -r '.metadata.id')
```
Where `--expires at` allows you to create a temporary access key. To set the key's expiration date, use the [ISO 8601](https://www.iso.org/iso-8601-date-and-time-format.html) format. Here's how to store an environment variable with a one-year expiration date:
```bash Ubuntu theme={null}
EXPIRES_AT=$(date -d "+1 year" "+%Y-%m-%dT%H:%M:%SZ")
```
```bash macOS theme={null}
EXPIRES_AT=$(date -j -v+1y "+%Y-%m-%dT%H:%M:%SZ")
```
Then pass the variable as `--expires-at $EXPIRES_AT`.
## Configure your AWS CLI profile
In this example, you will configure the AWS CLI to work with Object Storage on behalf of the service account.
1. Get the access key pair AWS ID and save it to an environment variable:
```bash theme={null}
export ACCESS_KEY_AWS_ID=$(nebius iam v2 access-key get \
--id $ACCESS_KEY_ID \
--format json | jq -r '.status.aws_access_key_id')
```
2. Get the secret key and save it to an environment variable:
```bash theme={null}
export SECRET_ACCESS_KEY=$(nebius iam v2 access-key get \
--id $ACCESS_KEY_ID \
--format json | jq -r '.status.secret')
```
3. Add the key to the AWS CLI configuration:
```bash theme={null}
aws configure set aws_access_key_id $ACCESS_KEY_AWS_ID
aws configure set aws_secret_access_key $SECRET_ACCESS_KEY
```
4. Depending on your project [region](../../overview/regions), add the Nebius AI Cloud region ID and the Object Storage endpoint URL to the AWS CLI configuration:
```bash theme={null}
aws configure set region
aws configure endpoint_url https://storage..nebius.cloud
```
For example, run the following commands for a project in eu-north1:
```bash theme={null}
aws configure set region eu-north1
aws configure set endpoint_url https://storage.eu-north1.nebius.cloud
```