In this guide, you will learn how to create a service account, grant it access rights and delete it.
Before you start
You do not need to complete any prerequisites if you create a service account in the web console.
- Install and initialize the Nebius AI Cloud CLI.
- Check that your project ID is saved in the Nebius AI Cloud CLI profile configuration:
  cat ~/.nebius/config.yaml
- Install jq to extract IDs and tokens from JSON data returned by the Nebius AI Cloud CLI:
- In the web console, go to Administration → IAM and expand the top-left list of tenants.
- Next to the tenant’s name, click → Copy tenant ID and save it to an environment variable:
  export TENANT_ID=<tenant_id>
Create a service account
Web console
- In the sidebar, go to Administration → IAM.
- Go to the Service accounts tab.
- Click Create entity and select Service account.
- In the window that opens, check the service account name and select the project where you will create a bucket.
- Click Create and continue.
CLI
Create a service account and save its ID to an environment variable:
export SA_ID=$(nebius iam service-account create \
  --name <service_account_name> \
  --format json | jq -r '.metadata.id')
Terraform
- Create the following configuration file:
  resource "nebius_iam_v1_service_account" "<service_account_name>" {
    name        = "<service_account_name>"
    parent_id   = "<project_ID>"
    description = "My service account"
  }
  To get the project ID, go to the web console and expand the top list of projects. Next to the project’s name, click → Copy project ID.
- Validate the configuration:
  Check that the configuration is correct:
- If the configuration is valid, apply it:
  Apply the changes:
Grant editor access to the service account
Web console
- In the Service accounts tab, locate the required service account and click → Add to group.
CLI
- Get the ID of the default editors group:
  nebius iam group get-by-name \
    --name editors --parent-id <tenant_id> \
    --format json | jq -r '.metadata.id'
- Add the service account to the editors group:
  nebius iam group-membership create \
    --parent-id <editors_group_ID> \
    --member-id <service_account_ID>
Terraform
- Get and copy the ID of the default editors group:
  nebius iam group get-by-name \
    --name editors --parent-id <tenant_id> \
    --format json | jq -r '.metadata.id'
  To get the tenant ID, go to the web console and expand the top-left list of tenants. Next to the tenant’s name, click → Copy tenant ID.
- Add the nebius_iam_v1_group_membership resource to the configuration file. By using this resource, you add the service account to the editors group:
  resource "nebius_iam_v1_group_membership" "<name>" {
    parent_id = "<editors_group_ID>"
    member_id = nebius_iam_v1_service_account.<service_account_name>.id
  }
- Check that the configuration is correct:
- Apply the changes:
Delete a service account
Deleting a service account cannot be reversed.
If you no longer need a service account:
Web console
- Delete all resources associated with the account.
- In the Service accounts tab, find the required service account and click → Delete service account.
- In the window that opens, confirm the deletion.
CLI
- Delete all resources associated with the account.
- Get the service account ID and save it to an environment variable:
  export SA_ID=$(nebius iam service-account get-by-name \
    --name <service_account_name> \
    --format json | jq -r '.metadata.id')
- Delete the service account:
  nebius iam service-account delete --id "$SA_ID"
Terraform
- Delete all resources associated with the account.
- Remove the corresponding nebius_iam_v1_service_account resource from the configuration file.
- Check that the configuration is correct:
- Apply the changes:
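The CLI steps for deletion resolve an ID with `export SA_ID=$(... | jq -r '.metadata.id')` and then pass it to a delete that cannot be reversed; `export` hides the exit status of a failed lookup, and `jq -r` prints the literal text `null` when the field is missing. The following added example (not part of the Nebius documentation; the function names `valid_id`, `extract_id` and `delete_service_account` are assumptions) checks the ID before deleting, using only the `nebius` commands shown in this guide:

```bash
#!/usr/bin/env bash
# Added example, not Nebius code. Function names are hypothetical;
# the nebius subcommands and flags are the ones used in this guide.

# valid_id VALUE: succeed only for a resolved ID, i.e. non-empty,
# not jq's literal "null", and a single token without whitespace.
valid_id() {
  case "$1" in
    '' | null) return 1 ;;
    *[[:space:]]*) return 1 ;;
  esac
  return 0
}

# extract_id: read CLI JSON on stdin and print .metadata.id.
# "jq -e" plus "strings" makes a missing or non-string id a failure
# instead of the text "null". Runs in a subshell, so $id stays local.
extract_id() (
  id=$(jq -er '.metadata.id | strings') || exit 1
  valid_id "$id" || exit 1
  printf '%s\n' "$id"
)

# delete_service_account NAME: look the account up by name and delete it
# only if the lookup succeeded and returned a usable ID.
delete_service_account() {
  sa_json=$(nebius iam service-account get-by-name \
    --name "$1" --format json) || {
    echo "lookup failed for service account '$1'" >&2
    return 1
  }
  sa_id=$(printf '%s' "$sa_json" | extract_id) || {
    echo "no usable .metadata.id returned for '$1'" >&2
    return 1
  }
  nebius iam service-account delete --id "$sa_id"
}
```

Source the file and call `delete_service_account <service_account_name>`; a non-zero return means the delete command was never run.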