Authorization and authentication in Yandex Cloud
When a user does something with a resource in Yandex Cloud, IAM checks whether the user has the access rights required to perform this operation.
Users get permissions along with resource roles. For more information about how roles are assigned and how the list of permissions is checked, see How access management works in Yandex Cloud.
Authentication in Yandex Cloud
Before authorization, a user must get authenticated, i.e., they must log in using their account. Authentication is performed in different ways depending on the type of account and the interface used:
Authentication using a Yandex Cloud account
You are automatically authenticated when logging in to your Yandex or Yandex 360 account.
To perform operations in the CLI, authenticate by following this guide. After this, authentication will work automatically.
Alert
If you are the owner of the cloud and you use your own account to access the API, remember that the owner of the cloud can perform any operations with cloud resources.
We recommend using a service account to work with the API. This way, you can assign only the roles that are necessary.
To perform operations in the API:
-
Get an IAM token in exchange for your OAuth token.
-
Specify the received IAM token when accessing Yandex Cloud resources via the API. Provide the IAM token in the
Authorization
header in the following format:Authorization: Bearer <IAM_token>
The IAM token lifetime does not exceed 12 hours; however, we recommend requesting it more often, such as once per hour.
Service account authentication
To perform operations in the CLI, authenticate by following this guide. After this, authentication will work automatically.
There are three ways to perform operations on behalf of a service account:
-
Using an IAM token:
This is the recommended authentication method, but IAM tokens have a short lifetime. That's why this is a good method for applications that automatically request an IAM token.
-
With API keys.
Use API keys if requesting an IAM token automatically is not an option.
-
Using static access keys. This method should be used in services with an AWS-compatible API, such as Object Storage and Message Queue.
Federated user authentication
To log in to the management console, federated users must follow the link with the federation ID:
https://console.yandex.cloud/federations/<federation_ID>
The authentication process for a federated user depends on the IdP server settings. For more information, see SAML-compatible identity federations.
To perform operations in the CLI, authenticate by following this guide.
On successful authentication, the IAM token is saved in the profile. This token is used to authenticate each operation until the token expires. After that, the CLI again displays a prompt to authenticate in the browser.