Documentation Index
Fetch the complete documentation index at: https://docs.nebius.com/llms.txt
Use this file to discover all available pages before exploring further.
To authenticate as a service account and perform operations on its behalf, use an authorized key pair.
Prerequisites
Web console
CLI
Terraform
-
Make sure that you, or the service account that you use on your behalf, is in a group that has the
admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.
-
Create a new service account if needed.
-
Make sure that you, or the service account that you use on your behalf, is in a group that has the
admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.
-
Install and initialize the Nebius AI Cloud CLI.
-
Check that your project ID is saved in the Nebius AI Cloud CLI profile configuration:
cat ~/.nebius/config.yaml
-
Create a new service account if needed.
-
Get the ID of the service account for which you want to issue the key and save it to an environment variable:
export SA_ID=$(nebius iam service-account get-by-name \
--name <service_account_name> \
--format json \
| jq -r ".metadata.id")
Create a key pair
If you are using the CLI, this step is optional. If you use the nebius iam auth-public-key generate command in the next step, the CLI creates the key pair for you. openssl genrsa -out private.pem 4096 && \
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
public.pem and private.pem key files in your local directory where you run the command.
Upload the public key
Web console
CLI
Terraform
- In the web console, go to
Administration → IAM.
- Open the Service accounts tab.
- Open the page of the required service account.
- Click
Upload authorized key.
- Click
Attach file and then select public.pem.
- (Optional) Set an expiration date.
- Click Upload key.
The key is displayed on the Authorized keys tab.Depending on whether you already created a key pair, run one of the following commands:
-
To upload the public key if you already created a key pair:
nebius iam auth-public-key create \
--account-service-account-id $SA_ID \
--data "$(cat public.pem)"
-
To create a new key pair, upload the public key and create a local CLI configuration file in one step:
nebius iam auth-public-key generate \
--service-account-id $SA_ID \
--output ~/.nebius/$SA_ID-credentials.json
After you complete either option, you can find the authorized key in the web console. In the sidebar, go to Administration → IAM → Service accounts, and select the service account for which you created the authorized key. To upload an authorized key with Terraform, the provider must already be authenticated. You cannot upload the first authorized key for a service account using Terraform. If you already have an authorized key, for example, one created with the CLI, proceed to update the configuration to use your existing authorized key with Terraform.
-
Inside the working directory, create a configuration file, for example
main.tf:
resource "nebius_iam_v1_auth_public_key" "sa_authorized_key" {
name = "sa_authorized_key"
parent_id = "<project_ID>"
account = {
service_account = {
id = "<service_account_ID>"
}
}
data = file("${path.module}/public.pem")
}
parent_id: Project ID.account.service_account.id: ID of the service account. To copy the service account from the web console, go to Administration → IAM → Service accounts, next to the ID, click 
.data: Contents of the public.pem file that you created in the previous step. In the example above, Terraform reads the contents of public.pem with the file() function. You can also use trimspace(file(...)) to remove trailing whitespace.
-
Check that the configuration is correct:
-
Apply the changes:
For all available arguments and attributes, see the full reference.Update the configuration
Update your configuration to use the authorized key you created:
If you used the web console to upload the public key, you do not need to update any additional configuration.
Create a new CLI profile:
-
Initialize the Nebius AI Cloud CLI configuration:
nebius profile create \
--endpoint api.nebius.cloud \
--service-account-file ~/.nebius/$SA_ID-credentials.json \
--profile <profile_name>
-
Check that your new profile has been created and set as default:
Now you can run Nebius AI Cloud CLI commands on behalf of the service account. To do this, add --profile <service_account_profile_name> to the commands. Configure the Nebius AI Cloud provider for Terraform to use an authorized key. Inside your Terraform working directory, add the service_account block to the provider configuration, for example in providers.tf:provider "nebius" {
service_account = {
account_id = "<service_account_ID>"
public_key_id = "<authorized_key_ID>"
private_key_file = "<path_to_private_key>"
}
}
public_key_id: The ID of the authorized key that you uploaded. To copy the public key ID:
- In the web console, go to Administration → IAM → Service accounts, and select the service account.
- Click Authorized keys, and then click next to the ID of the public key you uploaded.
private_key_file: The path to the private.pem file you created in the previous step.
You can also pass these values through environment variables:provider "nebius" {
service_account = {
account_id_env = "NB_SA_ID"
public_key_id_env = "NB_AUTHKEY_ID"
private_key_file_env = "NB_AUTHKEY_PRIV_PATH"
}
}
export NB_SA_ID=<service_account_ID>
export NB_AUTHKEY_ID=<authorized_key_ID>
export NB_AUTHKEY_PRIV_PATH=<path_to_private_key>
