Getting an IAM token for a Yandex account

To perform operations in Yandex.Cloud via the API, you need an IAM token.

Note

The IAM token is valid for 12 hours. After that period expires, get a new IAM token.

If you don't have the Yandex.Cloud command line interface yet, install it.

Get an IAM token:

$ yc iam create-token

Warning

If you are the owner of the cloud and you use your own account to access the API, remember that the owner of the cloud can perform any operations with cloud resources.

We recommend using a service account to work with the API. This way, you can assign only the roles that are necessary.

  1. Log in to your Yandex or Yandex.Connect account.

  2. Get an OAuth token from Yandex.OAuth. To do this, follow the link, click Allow, and copy the OAuth token obtained.

  3. Exchange the OAuth token for an IAM token:

    • Using cURL in Bash or CMD:

      curl -d "{\"yandexPassportOauthToken\":\"<OAuth-token>\"}" "https://iam.api.cloud.yandex.net/iam/v1/tokens"
      
    • Using the built-in PowerShell function:

      $yandexPassportOauthToken = "<OAuth-Token>"
      $Body = @{ yandexPassportOauthToken = "$yandexPassportOauthToken" } | ConvertTo-Json -Compress
      Invoke-RestMethod -Method 'POST' -Uri 'https://iam.api.cloud.yandex.net/iam/v1/tokens' -Body $Body -ContentType 'Application/json' | Select-Object -ExpandProperty iamToken
      

Specify the received IAM token when accessing Yandex.Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

Authorization: Bearer <IAM-TOKEN>

Examples

Save the IAM token to a variable in the CLI and use it in other requests from the command line. Sample request to get cloud list:

$ export IAM_TOKEN=`yc iam create-token`
$ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
$IAM_TOKEN=yc iam create-token
curl.exe -H "Authorization: Bearer $IAM_TOKEN" https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds