To manage your Nebius AI Cloud resources using the Terraform provider, you need to provide credentials for authentication. You can authenticate as either a service account (recommended) or your user account.
If both types of credentials are present in a Terraform configuration, you will be authenticated as your user account.

Authenticating with a service account

Service accounts are intended for managing resources in Nebius AI Cloud through non-UI interfaces, such as the Terraform provider.
We recommend using a service account belonging to the project that contains the resources you want to manage.
Before using a service account in the provider:
  1. Create a service account if you haven’t already.
  2. Add the service account to a group to grant it necessary permissions. In most cases, a group with the editor role should be enough; add the account to a group with the admin role only if you want to manage other accounts’ group memberships through Terraform. Learn more about groups and their permissions.
  3. Create an authorized key.
To authenticate as a service account when using Terraform, add the service_account block to the provider configuration block (provider "nebius"). You can specify the required credentials (see below) directly in service_account, or indirectly by referring to environment variables that hold the values. The following example specifies them directly:
    provider "nebius" {
      service_account = {
        account_id       = "serviceaccount-e00a0b1c**********"
        public_key_id    = "publickey-e00z9y8x**********"
        private_key_file = "~/.nebius/authkey/private.pem"
      }
    }
The following credentials are required in service_account:
  • Service account ID (field in service_account: account_id or account_id_env). You can get the ID with this Nebius AI Cloud CLI command:
    nebius iam service-account get-by-name \
      --name <service_account_name> \
      --format json | jq -r '.metadata.id'
    
    Alternatively, use nebius iam service-account list and get the ID from .items[*].metadata.id.
  • Authorized key ID (public_key_id or public_key_id_env). You can list the authorized keys created for the service account with this command:
    nebius iam auth-public-key list-by-account \
      --account-service-account-id <service_account_ID> \
      --format json
    
  • Path to the private key that you used to create the authorized key (private_key_file or private_key_file_env).
You can combine the direct and indirect approaches, for example, provide the IDs through environment variables using account_id_env and public_key_id_env while specifying the private key path directly in private_key_file. If both fields in a pair are specified (e.g. account_id and account_id_env), the “direct” field (without _env, e.g. account_id) is used.
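The combined approach described above, as an added example that is not taken from the Nebius documentation: the IDs come from environment variables and the private key path is given directly. The variable names NB_SA_ID and NB_AUTHKEY_PUBLIC_ID are assumptions chosen for illustration; each _env field is given the name of the variable that holds the value.

```hcl
# Set in the shell before running terraform. The variable names are
# hypothetical and the values are placeholders:
#   export NB_SA_ID="<service_account_ID>"
#   export NB_AUTHKEY_PUBLIC_ID="<authorized_key_ID>"

provider "nebius" {
  service_account = {
    # Indirect: each *_env field names the environment variable to read.
    account_id_env    = "NB_SA_ID"
    public_key_id_env = "NB_AUTHKEY_PUBLIC_ID"

    # Direct: path to the private key used to create the authorized key.
    private_key_file = "~/.nebius/authkey/private.pem"

    # Do not also set account_id or public_key_id here: when both fields
    # of a pair are present, the direct field is the one that is used.
  }
}
```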

Authenticating with your user account

You can configure the Terraform provider to perform actions on behalf of your Nebius AI Cloud user account. However, this is less secure than using a service account, so we recommend this authentication method only in local development environments.
User account authentication uses access tokens. The lifetime of an access token is 12 hours. To get an access token:
  1. Install and configure the Nebius AI Cloud CLI.
  2. Run the access token command:
    nebius iam get-access-token
    
You can specify the token:
  • In the NEBIUS_IAM_TOKEN environment variable (recommended). For example:
    NEBIUS_IAM_TOKEN=<access_token> terraform apply
    
  • In the provider configuration:
    provider "nebius" {
      token = "<access_token>"
    }
    
