Service connections in SourceCraft

Service connections allow you to securely integrate your SourceCraft projects with Yandex Cloud resources.

With service connections, you can access the Yandex Cloud API from within your SourceCraft repository's CI/CD workflows. For example, you can request a secret from Yandex Lockbox, upload files to a Yandex Object Storage bucket, deploy a virtual machine in Yandex Compute Cloud, etc.

You do not have to keep any long-lived tokens or access keys in repository secrets, let alone in your code. You are authenticated in Yandex Cloud with a short-lived Yandex Identity and Access Management (IAM) token, which is requested within each individual CI/CD task.

Service connections are based on the workload identity federation functionality of Identity and Access Management. Yandex Cloud resources are accessed under service accounts.

A workload identity federation is created in Identity and Access Management automatically as soon as you create a service connection.

Use multiple service connections for granular access to Yandex Cloud resources. For example, you can use service accounts with different roles to set up access to different clouds and folders for different repositories or branches. This way you can, for instance, separate your test and production environments.

For more information, see Configuring a service connection to Yandex Cloud in SourceCraft.
