Authorization in Yandex.Cloud

When a user does something with a resource in Yandex.Cloud, IAM checks whether the user has the necessary access rights to perform this operation.

Users get permissions along with resource roles. For more information about how roles are assigned and how the list of permissions is checked, see How access management in Yandex.Cloud works.

Authentication in Yandex.Cloud

Before authorization, a user must get authenticated, meaning they must log in under their account. Authentication is performed in different ways, depending on the type of account and the interface used:

Authentication with a Yandex.Passport account

Authentication is carried out automatically when you log in to your Yandex or Yandex.Connect account.

To configure authentication in the CLI, enter your OAuth token during profile creation. The token will be saved in the profile configuration and authentication will work automatically.


If you are the owner of the cloud and you use your own account to access the API, remember that the owner of the cloud can perform any operations with cloud resources.

We recommend using a service account to work with the API. This way, you can assign only the roles that are necessary.

To perform operations in the API:

  1. Get an IAM token in exchange for your OAuth token.

  2. Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

    Authorization: Bearer <IAM-TOKEN>

    IAM tokens are valid for 12 hours. To keep your token valid, request it more often (for example, once per hour).

Service account authentication

To perform operations on behalf of a service account, authenticate in the CLI following the instructions.

There are three ways to perform operations on behalf of a service account:

Federated user authentication

To log in to the management console, federated users must follow the link with the federation ID:<federation ID>

The authentication process for a federated user depends on the IdP server settings. For more information, see SAML-compatible identity federations.

To perform operations on behalf of a federated user, authenticate in the CLI following the instructions.

On successful authentication on the federation server, the IAM token is saved in the profile. This token is used to authenticate each operation until the token expires. After that, the CLI again displays a prompt to authenticate in the browser.