Service connections in SourceCraft
Service connections let you securely integrate your SourceCraft projects with Yandex Cloud resources.
With service connections, the CI/CD workflows in your SourceCraft repository can access the Yandex Cloud API. For example, a workflow can fetch a secret from Yandex Lockbox, upload files to a Yandex Object Storage bucket, or deploy a virtual machine in Yandex Compute Cloud.
You do not have to store long-lived tokens or access keys in repository secrets, let alone in your code. Authentication in Yandex Cloud uses a short-lived Yandex Identity and Access Management (IAM) token that is requested separately within each individual CI/CD task.
You can create two types of service connections:
- Organization-level: Available from all repositories of the organization unless the connection's scope is restricted. To create such a connection, you need the Organization admin role.
- Repository-level: Available only from a specific repository. To create such a connection, you need the Repository admin role. This role lets you create and modify connections for that repository and gives read-only access to the list of connections available to all the organization's repositories.
Service connections are built on the workload identity federation functionality of Identity and Access Management. Yandex Cloud resources are accessed on behalf of a service account, so a connection has exactly the permissions granted to that account.
A workload identity federation is created in Identity and Access Management automatically when you create a service connection.
Use multiple service connections for granular access to Yandex Cloud resources. For example, you can bind service accounts with different roles to different repositories or branches, giving each access only to its own clouds and folders, and thereby keep your test and production environments apart.
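The flow that a service connection automates, shown as an added example (this is not SourceCraft's or Yandex Cloud's code): a CI/CD task presents a short-lived identity token, the federation checks its issuer, audience and lifetime, picks the service account bound to that repository and branch, and exchanges the token for an IAM token that is then sent as a bearer credential to the Yandex Cloud API. The token endpoint and the RFC 8693 parameters are those Yandex Cloud documents for workload identity federation; the issuer, claim names, policy rules, service account IDs and the token endpoint response are constructed for this example. The sample token is unsigned because signature verification against the issuer's published keys is the federation's job and is omitted only to keep the example offline.

```python
import base64
import json
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlencode

# Yandex Cloud endpoint that workload identity federations use to exchange an
# external identity token for an IAM token (SourceCraft calls it for you).
TOKEN_ENDPOINT = "https://auth.yandex.cloud/oauth/token"
# Constructed values for this example; not SourceCraft's real issuer or claim schema.
EXPECTED_ISSUER = "https://idp.example.invalid"
FEDERATION_AUDIENCE = "federation-example"
MAX_SUBJECT_TOKEN_LIFETIME = 600  # seconds; a per-task identity token should be this short-lived
NOW = 1_700_000_000               # fixed "current time" so the example is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def sample_subject_token(claims: dict) -> str:
    """Constructed, UNSIGNED JWT (empty signature part) for offline use only.
    A real federation verifies the signature against the issuer's keys before trusting any claim."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def subject_claims(token: str) -> dict:
    """Decode the payload claims of a JWT (no signature check; see above)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_subject_token(claims: dict, now: int, issuer: str, audience: str,
                        max_lifetime: int = MAX_SUBJECT_TOKEN_LIFETIME) -> None:
    """Reject tokens from the wrong issuer, for another audience, expired, or too long-lived."""
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:
        raise ValueError("token was not issued for this federation")
    iat, exp = int(claims["iat"]), int(claims["exp"])
    if exp <= now:
        raise ValueError("subject token has expired")
    if exp - iat > max_lifetime:
        raise ValueError("subject token lifetime exceeds policy")


def is_acceptable(claims: dict, now: int, issuer: str, audience: str) -> bool:
    try:
        check_subject_token(claims, now, issuer, audience)
        return True
    except (ValueError, KeyError):
        return False


def select_service_account(claims: dict, policy: list) -> Optional[str]:
    """Return the service account bound to this repository and branch, or None (deny).
    Rules are (repository, ref pattern, service_account_id), tried in order, so a
    narrow production rule can precede a broad test rule."""
    for repository, ref_pattern, service_account_id in policy:
        if claims.get("repository") == repository and fnmatchcase(claims.get("ref", ""), ref_pattern):
            return service_account_id
    return None


def build_exchange_request(subject_token: str, service_account_id: str) -> dict:
    """RFC 8693 token exchange form fields: identity token in, IAM token for the service account out."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "audience": service_account_id,
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
    }


def parse_exchange_response(body: str, now: int) -> dict:
    """Extract the IAM token and compute its expiry; only Bearer tokens are accepted."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    return {"token": data["access_token"], "expires_at": now + int(data["expires_in"])}


# Constructed sample data: a token for the main branch of one repository, a policy that
# sends main to a production service account and any other branch to a test one, and a
# token endpoint response shaped like an exchange result.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": FEDERATION_AUDIENCE, "sub": "repo:acme/app:ref:refs/heads/main",
    "repository": "acme/app", "ref": "refs/heads/main", "iat": NOW, "exp": NOW + 300,
}
POLICY = [
    ("acme/app", "refs/heads/main", "sa-prod-example"),
    ("acme/app", "refs/heads/*", "sa-test-example"),
]
SAMPLE_RESPONSE = json.dumps({"access_token": "iam.example.token", "token_type": "Bearer", "expires_in": 43200})


def demo(claims: dict = SAMPLE_CLAIMS) -> dict:
    """One task's flow: verify the identity token, scope it, exchange it, build the API header."""
    token = sample_subject_token(claims)
    decoded = subject_claims(token)
    check_subject_token(decoded, NOW, EXPECTED_ISSUER, FEDERATION_AUDIENCE)
    service_account = select_service_account(decoded, POLICY)
    if service_account is None:
        raise PermissionError("no service connection covers this repository and branch")
    form = urlencode(build_exchange_request(token, service_account))  # POST body for TOKEN_ENDPOINT
    iam = parse_exchange_response(SAMPLE_RESPONSE, NOW)
    return {
        "service_account": service_account,
        "form": form,
        "authorization": f"Bearer {iam['token']}",  # header for the task's Yandex Cloud API calls
        "expires_at": iam["expires_at"],
    }
```

The ordering of the policy rules is the point of the example: the `main` rule binds production deployments to one service account while every other branch of the same repository falls through to a test account, and a repository with no rule gets no token at all. Nothing in the task ever sees a long-lived key; the only credential it holds is the IAM token, whose expiry the caller tracks from `expires_in`.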
For more information, see Configuring a service connection to Yandex Cloud in SourceCraft.