yc
32 commands
32 shown
Switch active folder
Set default folder-id for the active profile; verify with config list
yc config set folder-id <id> && yc config list
Create named profile
Isolate creds per env; use yc --profile prod or YC_PROFILE in CI
yc config profile create prod && yc config profile activate prod
Mint short-lived IAM token
OAuth->IAM token, ~12h TTL; feed to API/Terraform via YC_TOKEN env
export YC_TOKEN=$(yc iam create-token)
Service account for CI
Create SA for pipelines; bind least-privilege roles separately
yc iam service-account create --name sa-ci --description 'CI deployer'
Authorized key for SA
Authorized key JSON for non-interactive auth; note: rotate & vault it
yc iam key create --service-account-name sa-ci --output key.json
Grant role to SA
Scope-bind a role at folder level; prefer narrow roles over editor
yc resource-manager folder add-access-binding <id> --role editor --service-account-name sa-ci
Write kubeconfig for cluster
Merge external endpoint into kubeconfig; drop --external for internal VPC
yc managed-kubernetes cluster get-credentials <name> --external --force
List clusters as JSON
Tabulate cluster name/status/id for scripting and audits
yc managed-kubernetes cluster list --format json | jq -r '.[]|[.name,.status,.id]|@tsv'
Create autoscaling node group
Cluster autoscaler node group with min/max bounds in one zone
yc managed-kubernetes node-group create --cluster-name <name> --name ng-1 --platform standard-v3 --auto-scale min=1,max=5,initial=2 --location zone=ru-central1-a
Create VPC subnet
Zone-scoped subnet bound to a network; CIDR must not overlap peers
yc vpc subnet create --name sub-a --network-name net-1 --range 10.0.0.0/24 --zone ru-central1-a
Replace security group rules
Add stateful SG rule; note: rules are evaluated as allow-list
yc vpc security-group update-rules <name> --add-rule 'direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0]'
Inspect network load balancer
Dump NLB listeners and target groups to debug routing
yc load-balancer network-load-balancer get <name> --format json | jq '.listeners,.attached_target_groups'
List L7 load balancers
Enumerate ALB instances and health status across folder
yc application-load-balancer load-balancer list --format json | jq -r '.[]|[.name,.status]|@tsv'
Create public DNS zone
Public zone; FQDN trailing dot required, then delegate NS at registrar
yc dns zone create --name myzone --zone example.com. --public-visibility
Add DNS A record
Add apex A record with 600s TTL; @ means the zone root
yc dns zone add-records --name myzone --record '@ 600 A 1.2.3.4'
Create VM with cloud-init
Boot VM with public NAT IP and cloud-init user-data bootstrap
yc compute instance create --name web-1 --zone ru-central1-a --network-interface subnet-name=sub-a,nat-ip-version=ipv4 --create-boot-disk image-family=ubuntu-2204-lts,size=20 --metadata-from-file user-data=cloud-init.yaml
Create managed PostgreSQL 16 cluster
Provision HA PG16 cluster; note: pick s3 preset for prod, not burstable b-class
yc managed-postgresql cluster create --name <name> --environment production --postgresql-version 16 --network-name <name> --host zone-id=ru-central1-a,subnet-name=<name> --resource-preset s3-c2-m8 --disk-size 50 --disk-type network-ssd
List PostgreSQL cluster hosts
Show host FQDNs with MASTER/REPLICA role and health for connection routing
yc managed-postgresql cluster list-hosts --cluster-name <name> --format json | jq -r '.[] | "\(.name)\t\(.role)\t\(.health)"'
Create PostgreSQL database and user
Create user via stdin then DB with that owner; note: password-stdin avoids shell history leak
yc managed-postgresql user create <name> --cluster-name <name> --password-stdin && yc managed-postgresql database create <name> --cluster-name <name> --owner <name>
Connect to managed PG with verify-full TLS
Connect via 6432 PgBouncer with YC CA; note: verify-full needs root.crt to pin the host
curl -s https://storage.yandexcloud.net/cloud-certs/CA.pem -o ~/.postgresql/root.crt && psql "host=<host> port=6432 sslmode=verify-full dbname=<name> user=<name> target_session_attrs=read-write"
List managed Redis clusters
Filter Redis clusters to unhealthy ones only for a quick fleet triage
yc managed-redis cluster list --format json | jq -r '.[] | select(.health!="ALIVE") | "\(.name)\t\(.status)\t\(.health)"'
List managed ClickHouse clusters with versions
Audit ClickHouse cluster versions and presets to spot upgrade candidates
yc managed-clickhouse cluster list --format json | jq -r '.[] | "\(.name)\t\(.config.version)\t\(.resources.resourcePresetId)"'
Create static access key for Object Storage
Mint S3-compatible static key for a SA; note: secret shown once, capture it now
yc iam access-key create --service-account-name <name> --format json | jq -r '"AWS_ACCESS_KEY_ID=\(.access_key.key_id)\nAWS_SECRET_ACCESS_KEY=\(.secret)"'
Use aws s3 against Yandex Object Storage
Sync to YC bucket via S3 API; modern: use --delete to mirror and prune stale objects
aws --endpoint-url=https://storage.yandexcloud.net s3 sync ./dist s3://<name>/<id>/ --delete --exclude '*.map'
List Object Storage buckets
List buckets with size cap in GiB and storage class in one pass
yc storage bucket list --format json | jq -r '.[] | "\(.name)\t\(.max_size/1073741824)GiB\t\(.default_storage_class)"'
Apply S3 lifecycle to expire old objects
Auto-expire objects under prefix after 30d to cut storage cost
aws --endpoint-url=https://storage.yandexcloud.net s3api put-bucket-lifecycle-configuration --bucket <name> --lifecycle-configuration '{"Rules":[{"ID":"expire-logs","Status":"Enabled","Filter":{"Prefix":"logs/"},"Expiration":{"Days":30}}]}'
Create registry and configure Docker
Create CR and wire docker creds helper; modern: uses yc as a credential helper, no docker login
yc container registry create --name <name> && yc container registry configure-docker
Push image to Container Registry
Tag with resolved registry id then push; avoids hardcoding the cr.yandex/<reg-id>
docker tag <name>:<id> cr.yandex/$(yc container registry get --name <name> --format json | jq -r .id)/<name>:<id> && docker push cr.yandex/$(yc container registry get --name <name> --format json | jq -r .id)/<name>:<id>
List registry images by repository
Enumerate every tag across all repos; useful before a registry GC sweep
yc container repository list --format json | jq -r '.[].name' | while read r; do yc container image list --repository-name "$r" --format json | jq -r '.[] | "\(.name):\(.tags[]? // "<none>")"'; done
Deploy serverless container revision
Roll out a new revision from a CR image; note: concurrency caps in-flight requests per instance
yc serverless container create --name <name>; yc serverless container revision deploy --container-name <name> --image cr.yandex/<id>/<name>:<id> --cores 1 --memory 512M --service-account-id <id> --concurrency 4
Read logs from a logging group since 1h
Tail YC Cloud Logging filtered to ERROR/WARN; modern: --since accepts 1h/30m relative windows
yc logging read --group-name <name> --since 1h --levels ERROR,WARN --format json | jq -r '.[] | "\(.timestamp) \(.level) \(.message)"'
Issue Let's Encrypt cert via Certificate Manager
Request managed wildcard cert then check status; note: needs DNS/HTTP validation to issue
yc certificate-manager certificate request --name <name> --domains <host>,*.<host> && yc certificate-manager certificate list --format json | jq -r '.[] | "\(.name)\t\(.status)\t\(.not_after)"'
no commands match