yandex-cloud-cli

📁 elsvv/yandex-cloud-cli-skill 📅 6 days ago
Total installs: 4
Weekly installs: 4
Site rank: #52834
Install command
npx skills add https://github.com/elsvv/yandex-cloud-cli-skill --skill yandex-cloud-cli

Agent install distribution

antigravity 4
mcpjam 3
command-code 3
junie 3
windsurf 3
zencoder 3

Skill documentation

Yandex Cloud CLI (yc)

Essentials

Command Structure

yc <service-group> <resource> <command> [<NAME|ID>] [flags] [global-flags]

Global Flags

Flag                                 Purpose
--profile NAME                       Use named profile
--cloud-id ID                        Override cloud
--folder-id ID                       Override folder
--folder-name NAME                   Override folder by name
--token TOKEN                        Override OAuth token
--impersonate-service-account-id ID  Act as service account
--format text|yaml|json|json-rest    Output format
--jq EXPR                            Filter JSON output (jq syntax)
--async                              Non-blocking (returns operation ID)
--retry N                            gRPC retries (0=disable, default 5)
--debug                              Debug logging
--no-user-output                     Suppress user-facing output
-h, --help                           Help for any command

Output & Scripting

Always use --format json combined with jq for scripting:

# Get resource ID by name
yc compute instance get my-vm --format json | jq -r .id

# List all instance external IPs
yc compute instance list --format json | jq -r '.[].network_interfaces[0].primary_v4_address.one_to_one_nat.address'

# Use --jq shortcut (no piping needed)
yc compute instance get my-vm --format json --jq .id

# Get multiple fields
yc compute instance list --format json | jq -r '.[] | [.name, .status] | @tsv'

Configuration & Profiles

yc init                              # Interactive setup (OAuth, cloud, folder)
yc config list                       # Current config
yc config set folder-id <ID>         # Set default folder
yc config set compute-default-zone ru-central1-d
yc config set format json            # Default output format

# Profile management
yc config profile create <NAME>
yc config profile activate <NAME>
yc config profile list
yc config profile get <NAME>
yc config profile delete <NAME>

# S3 storage config
yc config set storage-endpoint storage.yandexcloud.net

Authentication Methods

  1. OAuth token (personal use): yc config set token <OAUTH-TOKEN>
  2. Service account key (automation): yc config set service-account-key key.json
  3. Instance metadata (on YC VMs): yc config set instance-service-account true
  4. Federation (SSO): yc init --federation-id <ID>

yc config list           # Show current profile, cloud, folder, token
yc iam create-token      # Get IAM token for API calls

Operations

Long-running operations (create cluster, etc.) can be tracked:

yc <service> <resource> create ... --async   # Returns operation ID
yc operation get <OPERATION-ID>              # Check status (poll until done=true)

Without --async, commands block until the operation completes.
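
A polling wrapper for the --async pattern above, as an added example that is not part of the skill's own documentation. The function name wait_for_operation, its default timeout and interval, and the reliance on an "error" field in the operation JSON are assumptions.

```shell
# Added example. wait_for_operation is a hypothetical helper name.
# Exit codes: 0 finished OK, 1 operation failed, 2 timed out, 3 yc call failed.
wait_for_operation() {
    op_id=$1
    op_timeout=${2:-600}    # seconds before giving up
    op_interval=${3:-5}     # seconds between polls
    op_waited=0

    while :; do
        # --jq is yc's built-in filter (see Global Flags); no external jq needed.
        op_done=$(yc operation get "$op_id" --format json --jq .done) || return 3

        # Only a literal "true" counts as finished: an unfinished operation may
        # report false, null, or no value at all for this field.
        if [ "$op_done" = "true" ]; then
            # Assumption: a failed operation carries an "error" object.
            op_err=$(yc operation get "$op_id" --format json --jq .error) || return 3
            case $op_err in
                ''|null) return 0 ;;
                *) printf 'operation %s failed: %s\n' "$op_id" "$op_err" >&2
                   return 1 ;;
            esac
        fi

        if [ "$op_waited" -ge "$op_timeout" ]; then
            printf 'operation %s still running after %ss\n' "$op_id" "$op_waited" >&2
            return 2
        fi
        sleep "$op_interval"
        op_waited=$((op_waited + op_interval))
    done
}
```

Checking the error field after done=true matters because a finished operation is not necessarily a successful one; a script that only waits for completion will continue past a failed create.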

Availability Zones

  • ru-central1-a — Moscow, zone A
  • ru-central1-b — Moscow, zone B
  • ru-central1-d — Moscow, zone D

Note: ru-central1-c is deprecated. Use ru-central1-d for new resources.

Service Quick Reference

All Service Groups

Group                      Alias       Purpose

Compute & Infrastructure
compute                    —           VMs, disks, images, snapshots, instance groups, filesystems, GPU clusters
vpc                        —           Networks, subnets, security groups, addresses, gateways, route tables
dns                        —           DNS zones and records
cdn                        —           CDN resources, origin groups, cache management
load-balancer              lb          Network Load Balancer (L4)
application-load-balancer  alb         Application Load Balancer (L7)

Identity & Security
iam                        —           Service accounts, roles, keys, tokens
resource-manager           resource    Clouds, folders
organization-manager       —           Organizations, federations, groups, OS Login
kms                        —           Symmetric encryption keys
lockbox                    —           Secrets management
certificate-manager        cm          TLS certificates (Let’s Encrypt, imported)
smartwebsecurity           sws         WAF security profiles (rules, smart protection, geo/IP filtering)
smartcaptcha               sc          Captcha management (checkbox, slider, challenges)
quota-manager              —           View quotas and request limit increases

Containers & Serverless
managed-kubernetes         k8s         Kubernetes clusters, node groups
container                  —           Container registry, repositories, images
serverless                 sls         Functions, triggers, containers, API gateways

Databases
managed-postgresql         postgres    PostgreSQL clusters
managed-mysql              —           MySQL clusters
managed-clickhouse         —           ClickHouse clusters
managed-mongodb            —           MongoDB clusters
managed-redis              —           Redis clusters
managed-kafka              —           Kafka clusters
managed-opensearch         opensearch  OpenSearch clusters
managed-greenplum          —           Greenplum clusters
ydb                        —           YDB databases (serverless or dedicated)

Data & Analytics
dataproc                   —           DataProc (Hadoop/Spark) clusters and jobs
datatransfer               dt          Data Transfer endpoints and transfers

Storage
storage                    —           Object storage (S3-compatible), buckets

Observability
logging                    log         Cloud Logging (groups, read, write)
audit-trails               —           Audit trail management

Other
backup                     —           Cloud Backup (VMs, policies)
iot                        —           IoT Core (registries, devices, MQTT)
marketplace                —           Marketplace products
loadtesting                —           Load testing

Standard CRUD Pattern

Most resources follow:

yc <service> <resource> list [--folder-id ID]
yc <service> <resource> get <NAME|ID>
yc <service> <resource> create [<NAME>] [flags]
yc <service> <resource> update <NAME|ID> [flags]
yc <service> <resource> delete <NAME|ID>

Many also support: add-labels, remove-labels, list-operations, list-access-bindings, add-access-binding, remove-access-binding, move (between folders).

Detailed References

Read the reference file matching the service you need:

  • Compute (VMs, disks, images, snapshots, snapshot schedules, instance groups, filesystems, placement groups, GPU clusters) → references/compute.md
  • Networking (VPC networks, subnets, security groups, addresses, gateways, route tables, DNS zones/records) → references/networking.md
  • IAM & Resource Manager (service accounts, roles, all key types, access bindings, clouds, folders) → references/iam.md
  • Serverless (functions, versions, triggers, containers, API gateways, runtimes, scaling) → references/serverless.md
  • Kubernetes (clusters, node groups, kubeconfig, autoscaling, full setup example) → references/kubernetes.md
  • Databases (PostgreSQL, MySQL, ClickHouse, Redis, MongoDB, OpenSearch, Greenplum, YDB, Kafka — clusters, users, databases, backups, resource presets) → references/databases.md
  • Storage, Secrets, Certificates (S3 buckets, s3/s3api commands, Lockbox secrets, KMS encryption, Certificate Manager — Let’s Encrypt & imported) → references/storage-secrets-certs.md
  • Container Registry (registries, repositories, images, Docker auth, lifecycle policies) → references/container-registry.md
  • Load Balancers (ALB — target groups, backend groups, HTTP routers, virtual hosts, routes, listeners; NLB — network load balancers, target groups, health checks) → references/load-balancers.md
  • CDN (origin groups, CDN resources, caching, SSL, compression, headers, security, cache purge/prefetch) → references/cdn.md
  • Logging & Audit (Cloud Logging groups/read/write, Audit Trails, Cloud Backup) → references/logging-audit.md
  • Data Platform (DataProc clusters/subclusters/jobs, Data Transfer endpoints/transfers) → references/data-platform.md
  • Organization, Security & Quotas (Organization Manager, federations, groups, OS Login, Smart Web Security WAF with rules/conditions, SmartCaptcha, Quota Manager, IoT Core) → references/organization.md

Guidelines

  • Always verify the active profile and folder before mutating commands: yc config list
  • Use --format json | jq for extracting IDs and values in scripts
  • Use --async for long operations, then check: yc operation get <OP-ID>
  • Prefer --name over --id in interactive use; prefer --id in scripts for reliability
  • For any unfamiliar command, run yc <service> <resource> <command> --help — the built-in help is authoritative and always up-to-date
  • When creating resources that depend on others (VM needs subnet, subnet needs network), create dependencies first
  • Use --deletion-protection on production databases, clusters, and secrets
  • For S3 operations, create a static access key via yc iam access-key create
  • Custom security groups with no rules deny all traffic; the auto-created default SG allows all — always create explicit SGs for production
  • Use labels consistently (--labels env=prod,team=backend) for cost tracking and filtering
  • For managed databases, always specify --security-group-ids to restrict access
  • When creating K8s clusters, specify two service accounts (can be the same): --service-account-name for cluster resources and --node-service-account-name for node operations (registry, logs)
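
One way to enforce the first guideline (verify the active profile and folder before mutating commands) in scripts, as an added example that is not part of the skill's own documentation. The names active_profile, yc_guarded, EXPECT_PROFILE and EXPECT_FOLDER_ID are hypothetical, and the parsing assumes `yc config profile list` marks the current profile with ACTIVE.

```shell
# Added example. Hypothetical names: active_profile, yc_guarded,
# EXPECT_PROFILE, EXPECT_FOLDER_ID.

# Print the name of the active profile. Assumes one profile per line with
# the current one marked ACTIVE in the second column.
active_profile() {
    yc config profile list | awk '$2 == "ACTIVE" { print $1 }'
}

# Run a mutating yc command only when the active profile and default folder
# are the ones the caller expects. Returns 1 on mismatch, 2 on setup errors.
yc_guarded() {
    if [ -z "${EXPECT_PROFILE:-}" ] || [ -z "${EXPECT_FOLDER_ID:-}" ]; then
        echo 'yc_guarded: set EXPECT_PROFILE and EXPECT_FOLDER_ID' >&2
        return 2
    fi
    guard_profile=$(active_profile) || return 2
    guard_folder=$(yc config get folder-id) || return 2

    if [ "$guard_profile" != "$EXPECT_PROFILE" ]; then
        echo "refusing: active profile is '$guard_profile', expected '$EXPECT_PROFILE'" >&2
        return 1
    fi
    if [ "$guard_folder" != "$EXPECT_FOLDER_ID" ]; then
        echo "refusing: default folder is '$guard_folder', expected '$EXPECT_FOLDER_ID'" >&2
        return 1
    fi

    # Pin the verified values on the command itself (global flags --profile
    # and --folder-id) so a config change between check and use cannot
    # redirect the command to another folder.
    yc "$@" --profile "$guard_profile" --folder-id "$guard_folder"
}

# Usage (placeholder folder ID):
#   EXPECT_PROFILE=prod EXPECT_FOLDER_ID=<FOLDER-ID> \
#       yc_guarded compute instance delete my-vm
```

An empty result from active_profile (no profile marked ACTIVE) fails the comparison, so the guard refuses rather than running against whatever the CLI would default to.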