> ## Documentation Index > Fetch the complete documentation index at: https://docs.nebius.com/llms.txt > Use this file to discover all available pages before exploring further. # How to use authorized keys To authenticate as a service account and perform operations on its behalf, use an *authorized key pair*. ## Prerequisites 1. Make sure that you, or the service account that you use on your behalf, is in a [group](/iam/authorization/groups) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console. 2. [Create a new service account](/iam/service-accounts/manage#create-a-service-account) if needed. 1. Make sure that you, or the service account that you use on your behalf, is in a [group](/iam/authorization/groups) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console. 2. Install and initialize the [Nebius AI Cloud CLI](../../cli/quickstart). 3. Check that your project ID is saved in the Nebius AI Cloud CLI profile configuration: ```bash theme={null} cat ~/.nebius/config.yaml ``` 4. [Create a new service account](/iam/service-accounts/manage#cli-2) if needed. 5. Get the ID of the service account for which you want to issue the key and save it to an environment variable: ```bash theme={null} export SA_ID=$(nebius iam service-account get-by-name \ --name \ --format json \ | jq -r ".metadata.id") ``` 1. Make sure that you, or the service account that you use on your behalf, is in a [group](/iam/authorization/groups) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console. 2. [Install and configure](/terraform-provider/quickstart) the Nebius AI Cloud provider for Terraform. 3. [Create a new service account](/iam/service-accounts/manage#terraform-2) if needed. ## Create a key pair If you are using the CLI, this step is optional. If you use the `nebius iam auth-public-key generate` command in the [next step](#upload-the-public-key), the CLI creates the key pair for you. Create a key pair on your local machine: ```bash theme={null} openssl genrsa -out private.pem 4096 && \ openssl rsa -in private.pem -outform PEM -pubout -out public.pem ``` This command creates the `public.pem` and `private.pem` key files in your local directory where you run the command. ## Upload the public key 1. In the [web console](https://console.nebius.com), go to **Administration** → **IAM**. 2. Open the **Service accounts** tab. 3. Open the page of the required service account. 4. Click **Upload authorized key**. 5. Click **Attach file** and then select `public.pem`. 6. (Optional) Set an expiration date. 7. Click **Upload key**. The key is displayed on the **Authorized keys** tab. Depending on whether you already [created a key pair](#create-a-key-pair), run one of the following commands: * To upload the public key if you already created a key pair: ```bash theme={null} nebius iam auth-public-key create \ --account-service-account-id $SA_ID \ --data "$(cat public.pem)" ``` * To create a new key pair, upload the public key and create a local CLI configuration file in one step: ```bash theme={null} nebius iam auth-public-key generate \ --service-account-id $SA_ID \ --output ~/.nebius/$SA_ID-credentials.json ``` After you complete either option, you can find the authorized key in the [web console](https://console.nebius.com). In the sidebar, go to **Administration** → **IAM** → **Service accounts**, and select the service account for which you created the authorized key. To upload an authorized key with Terraform, the [provider must already be authenticated](/terraform-provider/authentication). You cannot upload the first authorized key for a service account using Terraform. If you already have an authorized key, for example, one created with the CLI, proceed to [update the configuration](#update-the-configuration) to use your existing authorized key with Terraform. To upload a new authorized key with Terraform: 1. Inside the working directory, create a configuration file, for example `main.tf`: ```hcl theme={null} resource "nebius_iam_v1_auth_public_key" "sa_authorized_key" { name = "sa_authorized_key" parent_id = "" account = { service_account = { id = "" } } data = file("${path.module}/public.pem") } ``` The resource contains the following parameters: * `parent_id`: [Project ID](/iam/manage-projects#terraform-3). * `account.service_account.id`: ID of the service account. To copy the service account from the [web console](https://console.nebius.com), go to **Administration** → **IAM** → **Service accounts**, next to the ID, click . * `data`: Contents of the `public.pem` file that you [created in the previous step](#create-a-key-pair). In the example above, Terraform reads the contents of `public.pem` with the `file()` function. You can also use `trimspace(file(...))` to remove trailing whitespace. 2. Check that the configuration is correct: ```bash theme={null} terraform validate ``` 3. Apply the changes: ```bash theme={null} terraform apply ``` For all available arguments and attributes, see the [full reference](/terraform-provider/reference/resources/iam_v1_auth_public_key). ## Update the configuration Update your configuration to use the authorized key you created: If you used the web console to upload the public key, you do not need to update any additional configuration. Create a new CLI profile: 1. Initialize the Nebius AI Cloud CLI configuration: ```bash theme={null} nebius profile create \ --endpoint api.nebius.cloud \ --service-account-file ~/.nebius/$SA_ID-credentials.json \ --profile ``` 2. Check that your new profile has been created and set as default: ```sh theme={null} nebius profile list ``` Now you can run Nebius AI Cloud CLI commands on behalf of the service account. To do this, add `--profile ` to the commands. Configure the Nebius AI Cloud provider for Terraform to use an authorized key. Inside your Terraform working directory, add the `service_account` block to the provider configuration, for example in `providers.tf`: ```hcl theme={null} provider "nebius" { service_account = { account_id = "" public_key_id = "" private_key_file = "" } } ``` In this configuration: * `public_key_id`: The ID of the authorized key that you uploaded. To copy the public key ID: 1. In the [web console](https://console.nebius.com), go to **Administration** → **IAM** → **Service accounts**, and select the service account. 2. Click **Authorized keys**, and then click next to the ID of the public key you uploaded. * `private_key_file`: The path to the `private.pem` file you [created in the previous step](#create-a-key-pair). You can also pass these values through environment variables: ```hcl theme={null} provider "nebius" { service_account = { account_id_env = "NB_SA_ID" public_key_id_env = "NB_AUTHKEY_ID" private_key_file_env = "NB_AUTHKEY_PRIV_PATH" } } ``` ```bash theme={null} export NB_SA_ID= export NB_AUTHKEY_ID= export NB_AUTHKEY_PRIV_PATH= ```