© 2022 Yandex.Cloud LLC

Authorization in Yandex Cloud

Written by Yandex Cloud

When a user does something with a resource in Yandex Cloud, IAM checks whether the user has the necessary access rights to perform this operation.

Users get permissions along with resource roles. For more information about how roles are assigned and how the list of permissions is checked, see How access management works in Yandex Cloud.

Authentication in Yandex Cloud

Before authorization, a user must get authenticated, meaning they must log in under their account. Authentication is performed in different ways, depending on the type of account and the interface used:

  • Authentication using a Yandex account
  • Service account authentication
  • Federated user authentication

Authentication using a Yandex account

Management console

Authentication is carried out automatically when you log in to your Yandex or Yandex 360 account.

CLI

To perform operations in the CLI, authenticate following the instructions. After this, authentication will work automatically.

API

Alert

If you are the owner of the cloud and you use your own account to access the API, remember that the owner of the cloud can perform any operations with cloud resources.

We recommend using a service account to work with the API. This way, you can assign only the roles that are necessary.

To perform operations in the API:

  1. Get an IAM token in exchange for your OAuth token.

  2. Specify the received IAM token when accessing Yandex Cloud resources via the API. Pass the IAM token in the Authorization header in the following format:

    Authorization: Bearer <IAM token>
    

    The IAM token lifetime doesn't exceed 12 hours, but we recommend requesting the token more often, like once per hour.
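The two API steps above, as an added example that is not part of the Yandex Cloud documentation: a small provider that exchanges an OAuth token for an IAM token, builds the `Authorization: Bearer` header, and re-requests the token hourly rather than relying on the full 12-hour lifetime. The `IAM_TOKEN_URL` endpoint and the `yandexPassportOauthToken` request field are assumptions about the IamToken `create` call; the `exchange` and `clock` parameters are hypothetical hooks that let the refresh logic run offline against a constructed fake.

```python
import json
import time
import urllib.request
from typing import Callable, Dict

# Assumed endpoint of the IamToken create method (not taken from this page).
IAM_TOKEN_URL = "https://iam.api.cloud.yandex.net/iam/v1/tokens"
REFRESH_INTERVAL = 3600  # re-request hourly, as the page recommends
MAX_LIFETIME = 12 * 3600  # hard upper bound on an IAM token's lifetime


def exchange_oauth_for_iam(oauth_token: str) -> Dict[str, str]:
    """Exchange an OAuth token for an IAM token (network call, real endpoint).
    Field name 'yandexPassportOauthToken' is an assumption about the API."""
    body = json.dumps({"yandexPassportOauthToken": oauth_token}).encode()
    req = urllib.request.Request(IAM_TOKEN_URL, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)  # expected keys: iamToken, expiresAt


class IamTokenProvider:
    """Caches one IAM token and refreshes it every REFRESH_INTERVAL seconds."""

    def __init__(self, oauth_token: str,
                 exchange: Callable[[str], Dict[str, str]] = exchange_oauth_for_iam,
                 clock: Callable[[], float] = time.time):
        self._oauth = oauth_token  # long-lived secret: never log or print it
        self._exchange, self._clock = exchange, clock
        self._token = None
        self._obtained_at = 0.0

    def token(self) -> str:
        now = self._clock()
        age = now - self._obtained_at
        if self._token is None or age >= min(REFRESH_INTERVAL, MAX_LIFETIME):
            self._token = self._exchange(self._oauth)["iamToken"]
            self._obtained_at = now
        return self._token

    def auth_header(self) -> Dict[str, str]:
        """Header in the format the page specifies: Authorization: Bearer <IAM token>."""
        return {"Authorization": f"Bearer {self.token()}"}


def demo_refresh_count(hours: int) -> int:
    """Offline demo with a constructed fake exchange: count token requests over N hours."""
    calls = []
    fake = lambda tok: (calls.append(tok), {"iamToken": f"iam-{len(calls)}"})[1]
    now = [0.0]
    provider = IamTokenProvider("constructed-oauth-token", exchange=fake, clock=lambda: now[0])
    for _ in range(hours * 4):          # call the API every 15 minutes
        provider.auth_header()
        now[0] += 900
    return len(calls)                   # one exchange per hour
```

Replace the fake `exchange` with the default to talk to the real endpoint; the header returned by `auth_header()` is what you attach to every API request.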

Service account authentication

CLI

To perform operations in the CLI, authenticate following the instructions. After this, authentication will work automatically.

API

There are three ways to perform operations on behalf of a service account:

  • Using an IAM token.

    This is the recommended authentication method, but IAM tokens have a short lifetime. Therefore, such a method is good for applications that will request the IAM token automatically.

    Instructions for how to get an IAM token.

  • Using API keys.

    API keys do not expire. This means that this authentication method is simpler, but less secure. Use it if you can't automatically request an IAM token.

    Instructions for how to get an API key.

  • Using static access keys. This method should be used in services with an AWS-compatible API, such as Object Storage and Message Queue.

    Instructions for how to get a static access key.

Federated user authentication

Management console

To log in to the management console, federated users must follow the link with the federation ID:

https://console.cloud.yandex.com/federations/<federation ID>

The authentication process for a federated user depends on the IdP server settings. For more information, see SAML-compatible identity federations.

CLI

To perform operations in the CLI, authenticate following the instructions.

On successful authentication on the federation server, the IAM token is saved in the profile. This token is used to authenticate each operation until the token expires. After that, the CLI again displays a prompt to authenticate in the browser.

See also

Accounts in Yandex Cloud
