Skip to main content
To authenticate as a service account and perform operations on its behalf, use an authorized key pair in the Nebius AI Cloud CLI.

Before you start

  1. Make sure that you (if you are not your tenant’s owner), or the service account that you use on your behalf to manage resources, are in a group that has the admin role within your tenant; for example, the default admins group. You can check this in the Administration → IAM section of the web console.
  2. Install and initialize the Nebius AI Cloud CLI.
  3. Check that your project ID is saved in the Nebius AI Cloud CLI profile configuration: 
    cat ~/.nebius/config.yaml
  4. Get the ID of the service account for which you want to issue the key and save it to an environment variable: 
    export SA_ID=$(nebius iam service-account get-by-name \
  --name <service_account_name> \
  --format json \
  | jq -r ".metadata.id")

Create a key pair

Run the following command: 
nebius iam auth-public-key generate \
  --service-account-id $SA_ID \
  --output ~/.nebius/$SA_ID-credentials.json
The command generates a key pair, uploads the public key to Nebius AI Cloud to create authorized keys for the service account and creates a configuration file for the CLI. See the full reference for the command.

Configure your profile

Create a new CLI profile:
  1. Initialize the Nebius AI Cloud CLI configuration: 
    nebius profile create \
  --endpoint api.nebius.cloud \
  --service-account-file ~/.nebius/$SA_ID-credentials.json \
  --profile <profile_name>
  2. Check that your new profile has been created and set as default: 
    nebius profile list
Now you can run Nebius AI Cloud CLI commands on behalf of the service account. To do this, add --profile <service_account_profile_name> to the commands.