IAM token

An IAM token is a unique sequence of characters issued to a user after authentication. The user needs this token for authorization in the Yandex.Cloud API and access to resources.

Using the token

Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

Authorization: Bearer <IAM-TOKEN>

In the management console and the command line interface (CLI), the token is obtained and used without the user needing to do anything.


The IAM token is valid for no more than 12 hours, but we recommend requesting a new token more often, like every hour. This helps you avoid a situation where your only token expires just when IAM is unable to generate a new one for some reason.

The IAM token lifetime can be less than 12 hours if:

  • You get an IAM token using the metadata service inside the VM or from the function call context.

    The metadata service returns the remaining token lifetime along with the IAM token. Account for your token lifetime or request the token more often, like once per hour or with every operation.

  • You passed federated authentication in the CLI. Then the IAM token lifetime is also limited by the cookie lifetime in the federation.
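
The renewal policy described above, as an added example that is not part of the original documentation: a token cache that renews hourly, honors a shorter remaining lifetime, and keeps serving the still-valid token when a renewal fails. The fetch callable, the 60-second safety margin and the half-lifetime rule are assumptions made for this sketch.

```python
import time

REFRESH_INTERVAL = 3600    # page: request a new token about every hour
MAX_LIFETIME = 12 * 3600   # page: a token is valid for no more than 12 hours
SAFETY_MARGIN = 60         # assumption: stop using a token 60 s before expiry


class IamTokenCache:
    """Caches one IAM token, renews it early, and tolerates failed renewals."""

    def __init__(self, fetch, clock=time.monotonic):
        # fetch is a hypothetical callable returning (token, remaining_seconds),
        # for example a wrapper around the metadata service response.
        self._fetch = fetch
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self._refresh_at = 0.0

    def _store(self, token, remaining):
        now = self._clock()
        remaining = min(remaining, MAX_LIFETIME)
        self._token = token
        self._expires_at = now + remaining - SAFETY_MARGIN
        # Renew after an hour, or at half the lifetime if that comes sooner
        # (metadata-service and federated tokens may live less than 12 hours).
        self._refresh_at = now + min(REFRESH_INTERVAL, remaining / 2)

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._refresh_at:
            try:
                self._store(*self._fetch())
            except Exception:
                # IAM could not issue a token: fall back to the cached one
                # while it is still valid; the next call retries the renewal.
                if self._token is None or now >= self._expires_at:
                    raise
        return self._token

    def auth_header(self):
        # Header format from the page: Authorization: Bearer <IAM-TOKEN>
        return {"Authorization": f"Bearer {self.get()}"}
```

Keep the token out of logs and error messages; the cache only ever hands it back through get() and auth_header().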

Services that support this authentication method

This authentication method is supported by all services, except for those with AWS-compatible APIs (they only need an IAM token for managing access keys and service accounts).
