IAM token

An IAM token (or just token) is a unique sequence of characters issued to a user after authentication. The user needs this token for authorization in the Yandex.Cloud API and access to resources.

Using the token

Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

Authorization: Bearer <IAM-TOKEN>

In the management console and the command line interface (CLI), the token is obtained and used without the user needing to do anything.


The IAM token is usually valid for 12 hours, but we recommend requesting a new token more often, for example every hour. This way you avoid the situation where your only token expires at a moment when IAM cannot generate a new one for some reason.

If you get an IAM token via the metadata server inside the VM, its lifetime may be shorter, since the metadata server returns the last token generated instead of generating new tokens. New tokens are generated periodically.

The metadata server returns the remaining lifetime of the token along with the IAM token. Account for your IAM token lifetime or request the token more often, like once per hour or with every operation.
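The lifetime advice above, as an added example that is not part of the Yandex.Cloud documentation or SDK: a small cache that requests a new token hourly, honours the remaining lifetime reported with the token, and keeps serving the cached token if a refresh fails while it is still valid. The `fetch` callable, the class name and the thresholds are assumptions; `fetch` stands for whatever call returns the token together with its remaining lifetime in seconds.

```python
import time


class IamTokenCache:
    """Caches an IAM token and refreshes it well before it expires."""

    def __init__(self, fetch, max_age=3600, min_remaining=300, clock=time.monotonic):
        self._fetch = fetch                  # hypothetical: returns (token, seconds_left)
        self._max_age = max_age              # refresh at least hourly, as recommended
        self._min_remaining = min_remaining  # assumed safety margin before expiry
        self._clock = clock
        self._token = None
        self._fetched_at = 0.0
        self._expires_at = 0.0

    def _needs_refresh(self, now):
        if self._token is None:
            return True
        too_old = now - self._fetched_at >= self._max_age
        # The metadata server may return an already-aged token, so trust the
        # reported remaining lifetime rather than assuming a full 12 hours.
        expiring = self._expires_at - now <= self._min_remaining
        return too_old or expiring

    def token(self):
        now = self._clock()
        if self._needs_refresh(now):
            try:
                token, seconds_left = self._fetch()
            except Exception:
                # Refresh failed: fall back to the cached token only while it
                # is still valid; otherwise surface the error to the caller.
                if self._token is None or now >= self._expires_at:
                    raise
                return self._token
            self._token = token
            self._fetched_at = now
            self._expires_at = now + seconds_left
        return self._token

    def auth_header(self):
        # Header format from the "Using the token" section.
        return {"Authorization": "Bearer " + self.token()}
```

Refreshing hourly leaves roughly eleven hours of validity on a 12-hour token to ride out a failed refresh, which is the margin the recommendation is meant to provide.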

Services that support this authentication method

This authentication method is supported by all services, except for those with AWS-compatible APIs (they only need an IAM token for managing access keys and service accounts).
