© 2023 Yandex.Cloud LLC

IAM token

Written by
Yandex Cloud

An IAM token is a unique sequence of characters issued to a user after authentication. The user needs this token for authorization in the Yandex Cloud API and access to resources.

Using the token

Specify the received IAM token when accessing Yandex Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

Authorization: Bearer <IAM token>

In the management console and the command line interface (CLI), the token is obtained and used automatically, with no action required from the user.

The lifetime

IAM tokens are valid for a maximum of 12 hours. A token's lifetime is specified in the response from the service that returns the token, for example, the VM metadata service.

Request a new token before the current one expires, so that you are never left with an expired token and no replacement.

If you generate a new IAM token, the previous one continues to be valid until its lifetime expires.

If a token is created using cookies (for example, under federated authentication), its lifetime is limited to that of the cookies. If the cookies are revoked (for example, when the user logs out), all the tokens generated for the cookies are canceled.

Recommendations for managing the lifetime of a token:

  • Don't use a token for more than 10% of its lifetime. For instance, if your token is valid for 12 hours, request a new one in about an hour.
  • It is not a good practice to request a new token too often. Don't request a new token for each operation.

The IAM API may return the same token in response to different requests if it's still a long time before it expires.
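The recommendations above can be implemented as a small token cache. This is an added example, not Yandex Cloud code: `IamTokenCache`, its `fetch` callable (assumed to return a token and its expiry time from whichever service issues it) and `simulate` are hypothetical names, and the issuer in `simulate` is fake.

```python
import threading
from datetime import datetime, timedelta, timezone


class IamTokenCache:
    """Cache one IAM token; renew it once 10% of its lifetime has passed."""

    def __init__(self, fetch, now=lambda: datetime.now(timezone.utc)):
        # fetch: caller-supplied (hypothetical) callable returning (token, expires_at)
        self._fetch, self._now = fetch, now
        self._lock = threading.Lock()
        self._token = self._refresh_at = self._expires_at = None

    def get(self):
        with self._lock:
            now = self._now()
            if self._token is None or now >= self._refresh_at:
                try:
                    token, expires_at = self._fetch()
                except Exception:
                    # Renewal failed: fall back to the old token only while it is valid.
                    if self._token is None or now >= self._expires_at:
                        raise
                    return self._token
                # The API may hand back the same token; the schedule still moves on.
                self._token, self._expires_at = token, expires_at
                self._refresh_at = now + (expires_at - now) * 0.10
            return self._token

    def invalidate(self):
        """Drop the token, e.g. when a cookie-backed token was cancelled early."""
        with self._lock:
            self._token = None


def simulate():
    """Constructed run: fake clock, fake issuer handing out 12-hour tokens."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)
    clock, issued = [t0], []
    def fake_fetch():
        issued.append(f"fake-token-{len(issued) + 1}")
        return issued[-1], clock[0] + timedelta(hours=12)

    cache = IamTokenCache(fake_fetch, now=lambda: clock[0])
    seen = []
    for minutes in (0, 30, 71, 73, 100):
        clock[0] = t0 + timedelta(minutes=minutes)
        seen.append(cache.get())
    return seen
```

With a 12-hour token the renewal point is 72 minutes after issue, so every call before that reuses the cached token instead of requesting a new one per operation.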

Services that support this authentication method

This authentication method is supported by all services, except for those with AWS-compatible APIs (they only need an IAM token for managing access keys and service accounts).

Token representation

The following regular expression describes a token:

t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}

Use regular expressions carefully because the service may update the token format in the future. The update might appear in the documentation with a delay.

Tip

Updating the token format involves changing its prefix from t1. to a different value.

Sample token:

t1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg
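The regular expression above is useful for keeping IAM tokens out of logs. The following added example (not part of the original documentation) redacts matches and replaces them with a short SHA-256 fingerprint. The fallback pattern for unrecognized bearer values, the function names and the log lines are assumptions made for illustration; the tokens are constructed fakes with the documented shape.

```python
import hashlib
import re

# Token pattern exactly as given on the page; it covers the current "t1." format only.
IAM_TOKEN_RE = re.compile(r"t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}")
# Assumption (not from the page): fallback for any long bearer value, so that a
# prefix change does not silently switch redaction off.
BEARER_RE = re.compile(r"(authorization:\s*bearer\s+)([A-Za-z0-9._=-]{20,})", re.IGNORECASE)


def fingerprint(secret):
    """Short SHA-256 prefix: lets responders correlate leaks without keeping the token."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact(line):
    """Return (redacted_line, findings); findings are (kind, fingerprint) tuples."""
    findings = []

    def strict(m):
        findings.append(("iam_token_t1", fingerprint(m.group(0))))
        return f"[REDACTED iam-token sha256:{findings[-1][1]}]"

    def fallback(m):
        findings.append(("bearer_unknown_format", fingerprint(m.group(2))))
        return f"{m.group(1)}[REDACTED bearer sha256:{findings[-1][1]}]"

    line = IAM_TOKEN_RE.sub(strict, line)
    line = BEARER_RE.sub(fallback, line)  # redacted values start with "[" and no longer match
    return line, findings


# Constructed sample data: fake tokens with the documented shape, not real credentials.
FAKE_T1 = "t1." + "A" * 40 + "." + "b" * 86
FAKE_NEXT = "t2." + "A" * 40 + "." + "b" * 86  # hypothetical future prefix
SAMPLE_LOG = [
    f"10:00:01 POST /v1/instances Authorization: Bearer {FAKE_T1}",
    f"10:00:02 debug: cached token={FAKE_T1} for sa",
    f"10:00:03 POST /v1/instances Authorization: Bearer {FAKE_NEXT}",
    "10:00:04 build tag t1.2.3 deployed",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(*redact(entry))
```

A rising count of `bearer_unknown_format` findings is a signal that the token format has changed and the strict pattern needs updating.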

See also

  • Getting an IAM token for a Yandex account
  • Getting an IAM token for a service account
  • Getting an IAM token for a federated account
  • Working with Yandex Cloud from inside a VM
  • Using functions to get an IAM token for a service account
  • Authorization in Yandex Cloud
