# Authentication in the Nebius AI Cloud provider for Terraform

To manage your Nebius AI Cloud resources using the Terraform provider, you need to provide credentials for authentication. You can authenticate as either a service account (recommended) or your user account.

<Note>
  If both types of credentials are present in a Terraform configuration, you will be authenticated as your user account.
</Note>

## Authenticating with a service account

[Service accounts](/iam/overview#accounts-and-members) are intended for managing resources in Nebius AI Cloud through non-UI interfaces, such as the Terraform provider.

<Note>
  We recommend using a service account belonging to the project that contains the resources you want to manage.
</Note>

Before using a service account in the provider:

1. Make sure you are in a [group](/iam/authorization/groups/index) that has the `admin` role within your tenant or project; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.
2. [Create a service account](/iam/service-accounts/manage) if you haven't already.
3. [Add the service account to a group](/iam/authorization/groups/members) to grant it necessary permissions. In most cases, a group with the `editor` role should be enough for the service account; add the account to a group with the `admin` role only if you want to manage other accounts' group memberships through Terraform. Learn more about [groups](/iam/authorization/groups/index) and their [permissions](/iam/authorization/roles).
4. [Create an authorized key](/iam/service-accounts/authorized-keys).

To authenticate as a service account when using Terraform, add the `service_account` block to the provider configuration block (`provider "nebius"`). You can specify the required credentials (see below) directly in `service_account`, or indirectly by referring to environment variables that hold the values. Here are examples of both approaches:

<Tabs>
  <Tab title="Directly">
    ```hcl
    provider "nebius" {
      service_account = {
        account_id       = "serviceaccount-e00a0b1c**********"
        public_key_id    = "publickey-e00z9y8x**********"
        private_key_file = "~/.nebius/authkey/private.pem"
      }
    }
    ```
  </Tab>

  <Tab title="Indirectly (with environment variables)">
    ```hcl
    provider "nebius" {
      service_account = {
        account_id_env       = "SA_ID"
        public_key_id_env    = "AUTHKEY_ID"
        private_key_file_env = "AUTHKEY_PRIV_PATH"
      }
    }
    ```

    ```bash
    export SA_ID=serviceaccount-e00a0b1c**********
    export AUTHKEY_ID=publickey-e00z9y8x**********
    export AUTHKEY_PRIV_PATH=~/.nebius/authkey/private.pem
    ```
  </Tab>
</Tabs>

The following credentials are required in `service_account`:

* **Service account ID** (field in `service_account`: `account_id` or `account_id_env`). You can get the ID with this Nebius AI Cloud CLI command:

  ```bash
  nebius iam service-account get-by-name \
    --name <service_account_name> \
    --format json | jq -r '.metadata.id'
  ```

  Alternatively, use `nebius iam service-account list` and get the ID from `.items[*].metadata.id`.

* **Authorized key ID** (`public_key_id` or `public_key_id_env`). You can list the authorized keys created for the service account with this command:

  ```bash
  nebius iam auth-public-key list-by-account \
    --account-service-account-id <service_account_ID> \
    --format json
  ```

* **Path to the private key** that you used to [create the authorized key](/iam/service-accounts/authorized-keys#create-a-key-pair) (`private_key_file` or `private_key_file_env`).

You can combine the direct and indirect approaches. For example, provide the IDs through environment variables using `account_id_env` and `public_key_id_env` while specifying the private key path directly in `private_key_file`. If both fields in a pair are specified (for example, `account_id` and `account_id_env`), the "direct" field (the one without `_env`, such as `account_id`) is used.

## Authenticating with your user account

You can configure the Terraform provider to perform actions on behalf of your Nebius AI Cloud user account. However, this is less secure. It is recommended to use this authentication method only in local development environments.

User account authentication uses [access tokens](/iam/authorization/access-tokens). The lifetime of an access token is 12 hours.

To get an access token:

1. [Install](/cli/install) and [configure](/cli/configure) the Nebius AI Cloud CLI.
2. Run the access token command:

   ```bash
   nebius iam get-access-token
   ```

You can specify the token:

* In the `NEBIUS_IAM_TOKEN` environment variable (recommended). For example:

  ```bash
  NEBIUS_IAM_TOKEN=<access_token> terraform apply
  ```

* In the provider configuration:

  ```hcl
  provider "nebius" {
    token = "<access_token>"
  }
  ```
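
The following pre-flight check covers the environment-variable setup and the credential precedence described on this page. It is an added example, not part of the Nebius documentation or provider. The variable names `SA_ID`, `AUTHKEY_ID` and `AUTHKEY_PRIV_PATH` are the ones from the example above; the function name `nebius_tf_preflight`, the individual checks, and treating a set `NEBIUS_IAM_TOKEN` as "user credentials present" are assumptions.

```bash
#!/bin/sh
# Added example (not Nebius code): pre-flight check for the *_env setup above.
# SA_ID, AUTHKEY_ID, AUTHKEY_PRIV_PATH and NEBIUS_IAM_TOKEN come from this page;
# the function name and the individual checks are assumptions of this sketch.

# Usage: nebius_tf_preflight [terraform_dir]
# Prints one finding per line; returns 0 only when there are no findings.
nebius_tf_preflight() (
  tf_dir="${1:-.}"
  findings=0
  report() { echo "$1"; findings=$((findings + 1)); }

  # 1. Every variable named by an *_env field must be set and non-empty.
  for var in SA_ID AUTHKEY_ID AUTHKEY_PRIV_PATH; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || report "MISSING: $var is not set"
  done

  # 2. The private key must exist and carry no group/other permission bits.
  key="${AUTHKEY_PRIV_PATH:-}"
  case "$key" in
    "~/"*) key="$HOME/${key#??}" ;;   # a quoted "~/..." reaches us unexpanded
  esac
  if [ -n "$key" ] && [ ! -f "$key" ]; then
    report "KEYFILE: $key does not exist"
  elif [ -n "$key" ]; then
    perms=$(ls -ldL "$key" | cut -c5-10)   # group + other bits, e.g. r--r--
    [ "$perms" = "------" ] || report "KEYFILE: $key is open to group/other ($perms)"
  fi

  # 3. The page states that user credentials win over service_account, so a
  #    leftover token changes which identity Terraform runs as. Assumption:
  #    a token in the environment counts as "present" for that rule.
  [ -z "${NEBIUS_IAM_TOKEN:-}" ] || report "IDENTITY: NEBIUS_IAM_TOKEN is set"
  if grep -Eqs '^[[:space:]]*token[[:space:]]*=' "$tf_dir"/*.tf; then
    report "IDENTITY: token is set in $tf_dir/*.tf"
  fi

  [ "$findings" -eq 0 ]
)
```

Run it in the directory that holds your `.tf` files before `terraform plan` or `terraform apply`; a non-zero status means at least one finding was printed.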

## See also

* [Getting started with the Terraform provider by Nebius AI Cloud](/terraform-provider/quickstart)
