© 2023 Yandex.Cloud LLC

Using functions to get an IAM token for a service account

Written by
Yandex Cloud

    If the function version was created with a service account, you can get an IAM token for it from:

    • The handler context. The IAM token is in the access_token field of the context parameter.
    • The metadata service, using the API in Google Compute Engine format.

    To get an IAM token:

    1. Create a function.

    2. Select the programming language and create a version of the function:

      Node.js
      1. Prepare a ZIP archive with the function code:
        1. Save the following code to a file named index.js to get the IAM token:
          • From the handler context.
            exports.main = async function (event, context) {
                return {
                    'statusCode': 200,
                    'headers': {
                        'Content-Type': 'text/plain'
                    },
                    'isBase64Encoded': false,
                    'body': context.token
                }
            };
            
          • Using the API.
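            const fetch = require("node-fetch");
            // Metadata service endpoint and the header it requires.
            const url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token';
            const headers = {'Metadata-Flavor': 'Google'};
            
            exports.main = async function (event) {
                const resp = await fetch(url, {
                    headers: headers,
                });
                // Pass the metadata service status through, using the same
                // statusCode field as the handler-context example.
                return {
                    statusCode: resp.status,
                    body: await resp.text()
                };
            };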
            
        2. If you get your IAM token using the API, save the following code to a file named package.json:
          {
              "name": "my-app",
              "dependencies": {
                  "node-fetch": "2.x"
              }
          }
          
        3. Add index.js and package.json (if you get your IAM token using the API) to a ZIP file called index-js.zip.
      2. Create a function version. Indicate the following:
        • Runtime environment: nodejs16.
        • Code upload method: ZIP archive.
        • File: index-js.zip.
        • Entry point: index.main.
        • The service account to get the IAM token for.
      Python
      1. Prepare a ZIP archive with the function code:
        1. Save the following code to a file named index.py to get the IAM token:
          • From the handler context.
            def main(event, context):
            
                return {
                    'statusCode': 200,
                    'headers': {
                        'Content-Type': 'text/plain'
                    },
                    'isBase64Encoded': False,
                    'body': context.token
                }
            
          • Using the API.
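            import requests
            
            # Metadata service endpoint and the header it requires.
            url = 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token'
            headers = {'Metadata-Flavor': 'Google'}
            
            
            def main(event, context):
            
                # Bound the request so a stalled metadata call cannot hang the function.
                resp = requests.get(url, headers=headers, timeout=5)
            
                return {
                    # Pass the metadata service status through instead of always reporting 200.
                    'statusCode': resp.status_code,
                    'headers': {
                        'Content-Type': 'text/plain'
                    },
                    'isBase64Encoded': False,
                    'body': resp.content.decode('UTF-8')
                }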
            
        2. Add index.py to the index-py.zip archive.
      2. Create a function version. Indicate the following:
        • Runtime environment: python37.
        • Code upload method: ZIP archive.
        • File: index-py.zip.
        • Entry point: index.main.
        • The service account to get the IAM token for.
    3. Run the function.

      The function response looks like this:

      {
          "access_token": "CggVAgAAABoBMRKABHGgpZ......",
          "expires_in": 42299,
          "token_type": "Bearer"
      }
      
