yc

32 commands

32 shown

Switch active folder Set default folder-id for the active profile; verify with config list yc config set folder-id <id> && yc config list #yc#cloud#iam Create named profile Isolate creds per env; use yc --profile prod or YC_PROFILE in CI yc config profile create prod && yc config profile activate prod #yc#cloud#ci Mint short-lived IAM token OAuth->IAM token, ~12h TTL; feed to API/Terraform via YC_TOKEN env export YC_TOKEN=$(yc iam create-token) #yc#iam#security#secrets Service account for CI Create SA for pipelines; bind least-privilege roles separately yc iam service-account create --name sa-ci --description 'CI deployer' #yc#iam#ci#security Authorized key for SA Authorized key JSON for non-interactive auth; note: rotate & vault it yc iam key create --service-account-name sa-ci --output key.json #yc#iam#secrets#ci Grant role to SA Scope-bind a role at folder level; prefer narrow roles over editor yc resource-manager folder add-access-binding <id> --role editor --service-account-name sa-ci #yc#iam#security Write kubeconfig for cluster Merge external endpoint into kubeconfig; drop --external for internal VPC yc managed-kubernetes cluster get-credentials <name> --external --force #yc#k8s#network List clusters as JSON Tabulate cluster name/status/id for scripting and audits yc managed-kubernetes cluster list --format json | jq -r '.[]|[.name,.status,.id]|@tsv' #yc#k8s#monitoring Create autoscaling node group Cluster autoscaler node group with min/max bounds in one zone yc managed-kubernetes node-group create --cluster-name <name> --name ng-1 --platform standard-v3 --auto-scale min=1,max=5,initial=2 --location zone=ru-central1-a #yc#k8s#performance#cloud Create VPC subnet Zone-scoped subnet bound to a network; CIDR must not overlap peers yc vpc subnet create --name sub-a --network-name net-1 --range 10.0.0.0/24 --zone ru-central1-a #yc#network#vpc#cloud Replace security group rules Add stateful SG rule; note: rules are evaluated as allow-list yc vpc security-group update-rules <name> --add-rule 'direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0]' #yc#network#security#vpc Inspect network load balancer Dump NLB listeners and target groups to debug routing yc load-balancer network-load-balancer get <name> --format json | jq '.listeners,.attached_target_groups' #yc#network#troubleshooting#cloud List L7 load balancers Enumerate ALB instances and health status across folder yc application-load-balancer load-balancer list --format json | jq -r '.[]|[.name,.status]|@tsv' #yc#network#monitoring#cloud Create public DNS zone Public zone; FQDN trailing dot required, then delegate NS at registrar yc dns zone create --name myzone --zone example.com. --public-visibility #yc#dns#network Add DNS A record Add apex A record with 600s TTL; @ means the zone root yc dns zone add-records --name myzone --record '@ 600 A 1.2.3.4' #yc#dns#network Create VM with cloud-init Boot VM with public NAT IP and cloud-init user-data bootstrap yc compute instance create --name web-1 --zone ru-central1-a --network-interface subnet-name=sub-a,nat-ip-version=ipv4 --create-boot-disk image-family=ubuntu-2204-lts,size=20 --metadata-from-file user-data=cloud-init.yaml #yc#cloud#ci#network Create managed PostgreSQL 16 cluster Provision HA PG16 cluster; note: pick s3 preset for prod, not burstable b-class yc managed-postgresql cluster create --name <name> --environment production --postgresql-version 16 --network-name <name> --host zone-id=ru-central1-a,subnet-name=<name> --resource-preset s3-c2-m8 --disk-size 50 --disk-type network-ssd #yc#cloud#k8s List PostgreSQL cluster hosts Show host FQDNs with MASTER/REPLICA role and health for connection routing yc managed-postgresql cluster list-hosts --cluster-name <name> --format json | jq -r '.[] | "\(.name)\t\(.role)\t\(.health)"' #yc#cloud#troubleshooting Create PostgreSQL database and user Create user via stdin then DB with that owner; note: password-stdin avoids shell history leak yc managed-postgresql user create <name> --cluster-name <name> --password-stdin && yc managed-postgresql database create <name> --cluster-name <name> --owner <name> #yc#cloud#secrets Connect to managed PG with verify-full TLS Connect via 6432 PgBouncer with YC CA; note: verify-full needs root.crt to pin the host curl -s https://storage.yandexcloud.net/cloud-certs/CA.pem -o ~/.postgresql/root.crt && psql "host=<host> port=6432 sslmode=verify-full dbname=<name> user=<name> target_session_attrs=read-write" #yc#tls#security List managed Redis clusters Filter Redis clusters to unhealthy ones only for a quick fleet triage yc managed-redis cluster list --format json | jq -r '.[] | select(.health!="ALIVE") | "\(.name)\t\(.status)\t\(.health)"' #yc#cloud#monitoring List managed ClickHouse clusters with versions Audit ClickHouse cluster versions and presets to spot upgrade candidates yc managed-clickhouse cluster list --format json | jq -r '.[] | "\(.name)\t\(.config.version)\t\(.resources.resourcePresetId)"' #yc#cloud#observability Create static access key for Object Storage Mint S3-compatible static key for a SA; note: secret shown once, capture it now yc iam access-key create --service-account-name <name> --format json | jq -r '"AWS_ACCESS_KEY_ID=\(.access_key.key_id)\nAWS_SECRET_ACCESS_KEY=\(.secret)"' #yc#secrets#security Use aws s3 against Yandex Object Storage Sync to YC bucket via S3 API; modern: use --delete to mirror and prune stale objects aws --endpoint-url=https://storage.yandexcloud.net s3 sync ./dist s3://<name>/<id>/ --delete --exclude '*.map' #yc#cloud#disk List Object Storage buckets List buckets with size cap in GiB and storage class in one pass yc storage bucket list --format json | jq -r '.[] | "\(.name)\t\(.max_size/1073741824)GiB\t\(.default_storage_class)"' #yc#cloud#disk Apply S3 lifecycle to expire old objects Auto-expire objects under prefix after 30d to cut storage cost aws --endpoint-url=https://storage.yandexcloud.net s3api put-bucket-lifecycle-configuration --bucket <name> --lifecycle-configuration '{"Rules":[{"ID":"expire-logs","Status":"Enabled","Filter":{"Prefix":"logs/"},"Expiration":{"Days":30}}]}' #yc#cloud#disk Create registry and configure Docker Create CR and wire docker creds helper; modern: uses yc as a credential helper, no docker login yc container registry create --name <name> && yc container registry configure-docker #yc#ci#security Push image to Container Registry Tag with resolved registry id then push; avoids hardcoding the cr.yandex/<reg-id> docker tag <name>:<id> cr.yandex/$(yc container registry get --name <name> --format json | jq -r .id)/<name>:<id> && docker push cr.yandex/$(yc container registry get --name <name> --format json | jq -r .id)/<name>:<id> #yc#ci#cloud List registry images by repository Enumerate every tag across all repos; useful before a registry GC sweep yc container repository list --format json | jq -r '.[].name' | while read r; do yc container image list --repository-name "$r" --format json | jq -r '.[] | "\(.name):\(.tags[]? // "<none>")"'; done #yc#ci#troubleshooting Deploy serverless container revision Roll out a new revision from a CR image; note: concurrency caps in-flight requests per instance yc serverless container create --name <name>; yc serverless container revision deploy --container-name <name> --image cr.yandex/<id>/<name>:<id> --cores 1 --memory 512M --service-account-id <id> --concurrency 4 #yc#cloud#ci Read logs from a logging group since 1h Tail YC Cloud Logging filtered to ERROR/WARN; modern: --since accepts 1h/30m relative windows yc logging read --group-name <name> --since 1h --levels ERROR,WARN --format json | jq -r '.[] | "\(.timestamp) \(.level) \(.message)"' #yc#observability#troubleshooting Issue Let's Encrypt cert via Certificate Manager Request managed wildcard cert then check status; note: needs DNS/HTTP validation to issue yc certificate-manager certificate request --name <name> --domains <host>,*.<host> && yc certificate-manager certificate list --format json | jq -r '.[] | "\(.name)\t\(.status)\t\(.not_after)"' #yc#tls#security
no commands match