Authenticating as a federated user
You can use a federated account to work with Yandex Cloud if your company has an identity federation set up. In this case, no personal Yandex account is required.
Note
To authenticate on a server with no GUI, you need to install a browser with X11 forwarding set up.
See also Example of authenticating to a Linux VM without GUI.
If you cannot install a browser, use a service account instead of a federated account.
If you do not have the Yandex Cloud CLI yet, install it.
To authenticate using a SAML-compatible identity federation:
-
Get your federation ID from your administrator.
-
Launch the profile creation wizard:
yc init \
  --federation-endpoint auth.cloud.yandex.com \
  --federation-id <federation_ID>
-
Select the profile you want to set up authentication for or create a new one.
Welcome! This command will take you through the configuration process.
Pick desired action:
 [1] Re-initialize this profile 'default' with new settings
 [2] Create a new profile
-
The CLI prompts you to continue authentication in the browser. Press Enter to continue.
You are going to be authenticated via federation-id 'aje1f0hsgds3a********'.
Your federation authentication web site will be opened.
After your successful authentication, you will be redirected to 'https://console.yandex.cloud'.
Press 'enter' to continue...
On successful authentication, the IAM token is saved in the profile. This token is used to authenticate each operation until the token expires. After that, the CLI again displays a prompt to authenticate in the browser.
-
Go back to the command line interface to finish creating the profile.
-
Select one of the clouds from the list of those you have access to:
Please select cloud to use:
 [1] cloud1 (id = aoe2bmdcvata********)
 [2] cloud2 (id = dcvatao4faoe********)
Please enter your numeric choice: 2
If there is only one cloud available, it will be selected automatically.
-
Select the default folder:
Please choose a folder to use:
 [1] folder1 (id = cvatao4faoe2********)
 [2] folder2 (id = tao4faoe2cva********)
 [3] Create a new folder
Please enter your numeric choice: 1
-
To select the default availability zone for Compute Cloud, type Y. To skip the setup, type n.
Do you want to configure a default Yandex Compute Cloud availability zone? [Y/n] Y
If you typed Y, select the availability zone:
Which zone do you want to use as a profile default?
 [1] ru-central1-a
 [2] ru-central1-b
 [3] ru-central1-d
 [4] Do not set default zone
Please enter your numeric choice: 2
-
View your CLI profile settings:
yc config list
Result:
federation-id: aje1f0hs6oja********
cloud-id: b1g159pa15cd********
folder-id: b1g8o9jbt58********
compute-default-zone: ru-central1-b
Example of authenticating to a Linux VM without GUI
To authenticate to a Linux VM, follow these steps:
-
Connect to the VM over SSH.
-
On your VM, create a file named /usr/local/bin/xdg-open with the following contents:
#!/bin/sh
# Print the URL the CLI asks to open on the terminal instead of launching a browser.
echo "$*" > /dev/tty
-
Assign permissions to execute the file:
sudo chmod +x /usr/local/bin/xdg-open
-
Run this CLI command to create a profile:
yc init --federation-id=<federation_ID>
-
Select the profile you want to set up authentication for or create a new one:
Welcome! This command will take you through the configuration process.
Pick desired action:
 [1] Re-initialize this profile 'default' with new settings
 [2] Create a new profile
-
The CLI prompts you to continue authentication in the browser. Press Enter to continue:
You are going to be authenticated via federation-id 'aje1f0hsgds3a********'.
Your federation authentication web site will be opened.
After your successful authentication, you will be redirected to 'https://console.yandex.cloud'.
Press 'enter' to continue...
-
Once you press Enter, you will get a URL that looks like this:
https://auth.yandex.cloud/oauth/authorize?client_id=yc.oauth.public-sdk&code_challenge=y22kspX4VrKLmdg9hGr_Bwgte_a3RXtw1En********&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A42121%2Fauth%2Fcallback&response_type=code&scope=openid&state=aExf0z********&yc_federation_hint=federation-id
Save this URL. You will need it for browser authentication. You will also need the port, which you can find in the redirect_uri query parameter following the 127.0.0.1 IP address. In our example, it is 42121.
-
On your local computer, open a new terminal window and run the command to set up an SSH tunnel, specifying the port obtained in the previous step, username, and VM IP address:
ssh -L <port>:127.0.0.1:<port> <username>@<VM_IP_address>
-
Use your local computer's browser to open the authentication URL you got earlier.
-
Upon successful authentication, the pending CLI command within the VM SSH session will display the next profile configuration step.
-
Complete the CLI configuration.
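The port lookup and tunnel step above can be scripted on your local computer. The following is an added example, not part of the original documentation: it extracts the callback port from the URL printed on the VM, refuses to continue unless redirect_uri points at http://127.0.0.1, and prints the matching ssh -L command. The function names, the user name, the VM address and the sample URL values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Yandex Cloud documentation. Function names and
# sample values are assumptions made for illustration.

# Print the raw value of one query parameter ($1 = URL, $2 = parameter name).
query_param() {
    printf '%s\n' "${1#*\?}" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Decode only the escapes a loopback redirect URI contains (%3A and %2F).
decode_min() {
    printf '%s\n' "$1" | sed -e 's|%3[Aa]|:|g' -e 's|%2[Ff]|/|g'
}

# Print the callback port; fail unless the redirect target is http://127.0.0.1.
callback_port() {
    redirect=$(decode_min "$(query_param "$1" redirect_uri)")
    case $redirect in
        http://127.0.0.1:*/*) ;;
        *) echo "unexpected redirect_uri: $redirect" >&2; return 1 ;;
    esac
    port=${redirect#http://127.0.0.1:}
    port=${port%%/*}
    case $port in
        ''|*[!0-9]*) echo "non-numeric port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    printf '%s\n' "$port"
}

# Build the tunnel command ($1 = URL, $2 = user name, $3 = VM IP address).
tunnel_command() {
    port=$(callback_port "$1") || return 1
    printf 'ssh -L %s:127.0.0.1:%s %s@%s\n' "$port" "$port" "$2" "$3"
}

# Constructed sample URL in the shape shown above (token values are placeholders).
SAMPLE_URL='https://auth.yandex.cloud/oauth/authorize?client_id=yc.oauth.public-sdk&code_challenge=CONSTRUCTED&code_challenge_method=S256&redirect_uri=http%3A%2F%2F127.0.0.1%3A42121%2Fauth%2Fcallback&response_type=code&scope=openid&state=CONSTRUCTED'

# Constructed user name and documentation-range address.
tunnel_command "$SAMPLE_URL" user 203.0.113.10
```

A non-zero exit status means the URL's redirect target is not the local callback listener, so the tunnel should not be opened for it.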