Get started
Yandex Identity and Access Management

IAM token

Written by

An IAM token is a unique sequence of characters issued to a user after authentication. The user needs this token for authorization in the Yandex Cloud API and access to resources.

Using the token

Specify the received IAM token when accessing Yandex Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

Authorization: Bearer <IAM token>

In the management console and the command line interface (CLI), the token is obtained and used without the user needing to do anything.

The lifetime

IAM tokens are valid for a maximum of 12 hours. A token's lifetime is specified in a response from the service that returns the token. For example, the VM metadata service.

To avoid a situation when your token has expired and you don't have a new token yet, request it beforehand.

If you generate a new IAM token, the previous one continues to be valid until its lifetime expires.

If a token is created using cookies (for example, under federated authentication), its lifetime is limited to that of the cookies. If the cookies are revoked (for example, when the user logs out), all the tokens generated for the cookies are canceled.

Recommendations for managing the lifetime of a token:

  • Don't use a token for more than 10% of its lifetime. For instance, if your token is valid for 12 hours, request a new one in about an hour.
  • It is not a good practice to request a new token too often. Don't request a new token for each operation.

The IAM API may return the same token in response to different requests if it's still a long time before it expires.

Services that support this authentication method

This authentication method is supported by all services, except for those with AWS-compatible APIs (they only need an IAM token for managing access keys and service accounts).

Token representation

The following regular expression describes a token:

t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}

Use regular expressions carefully because the service may update the token format in the future. The update might appear in the documentation with a delay.

Tip

Updating the token format involves changing its prefix to a value different from t1..

Sample token:

t1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg

See also

In this article: