IAM token

  • Using the token
  • Lifetime
  • Services that support this authentication method

An IAM token is a unique sequence of characters issued to a user after authentication. The user needs this token for authorization in the Yandex.Cloud API and access to resources.

Using the token

Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

Authorization: Bearer <IAM-TOKEN>

In the management console and the command line interface (CLI), the token is obtained and used without the user needing to do anything.

Lifetime

The IAM token is valid for no more than 12 hours, but we recommend requesting a new token more often, like every hour. This helps you avoid a situation where your only token expires at a moment when IAM, for some reason, can't generate a new one.

The IAM token lifetime can be less than 12 hours if:

  • You get an IAM token using the metadata service inside the VM or from the function call context.

    The metadata service returns the remaining token lifetime along with the IAM token. Account for your token lifetime or request the token more often, like once per hour or with every operation.

  • You authenticated in the CLI through an identity federation. In this case, the IAM token lifetime is also limited by the cookie lifetime in the federation.
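
The refresh policy described above, as an added example (not Yandex.Cloud code): a token cache that refreshes about hourly, honours a shorter lifetime reported by the issuer, and keeps the still-valid token when a refresh fails. The `fetch` callable, the class name and the 60-second safety margin are assumptions made for illustration.

```python
import time

MAX_LIFETIME = 12 * 3600  # page: a token is valid for no more than 12 hours
REFRESH_EVERY = 3600      # page: recommended refresh interval (about hourly)
SAFETY_MARGIN = 60        # assumption: stop trusting a token 60 s before expiry


class IamTokenCache:
    """Holds one IAM token, refreshes it early, tolerates a failed refresh."""

    def __init__(self, fetch, clock=time.monotonic):
        # fetch is a hypothetical callable returning (token, expires_in_seconds),
        # e.g. a wrapper around the metadata service or the IAM API.
        self._fetch = fetch
        self._clock = clock
        self._token = None
        self._issued = 0.0
        self._expires = 0.0

    def token(self):
        now = self._clock()
        usable = self._token is not None and now < self._expires - SAFETY_MARGIN
        if usable and now - self._issued < REFRESH_EVERY:
            return self._token
        try:
            token, expires_in = self._fetch()
        except Exception:
            if usable:
                # Refresh failed but the old token is still valid: keep using
                # it and retry on the next call.
                return self._token
            raise
        self._token = token
        self._issued = now
        # Honour a shorter lifetime reported by the issuer (metadata service).
        self._expires = now + min(expires_in, MAX_LIFETIME)
        return self._token

    def auth_header(self):
        # Header format from the page: Authorization: Bearer <IAM-TOKEN>
        return {"Authorization": "Bearer " + self.token()}
```

Keep the token out of logs and error messages; pass only the header returned by `auth_header()` to the HTTP client.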

Services that support this authentication method

This authentication method is supported by all services, except for those with AWS-compatible APIs (they only need an IAM token for managing access keys and service accounts).

See also

  • Getting an IAM token for a Yandex account
  • Getting an IAM token for a service account
  • Working with Yandex.Cloud from inside a VM
  • Using functions to get an IAM token for a service account
  • Authorization in Yandex.Cloud
© 2021 Yandex.Cloud LLC