IAM token
An IAM token is a unique sequence of characters issued to a user after authentication. This is the preferred authentication method for both users and applications (using service accounts). You can get an IAM token using the CLI or API.
IAM token authentication is supported by all services except those with AWS-compatible APIs and services that support API key authentication.
Using the token
IAM tokens are used for authentication in Yandex Cloud services. IAM tokens are issued for Yandex accounts, service accounts, and federated accounts.
IAM tokens also serve to authenticate Docker and Helm clients in Yandex Container Registry.
If you are using the management console or the command line interface (CLI), you do not need to do anything to get or use a token.
You can use IAM tokens for authentication when making API calls to Yandex Cloud services. When accessing Yandex Cloud resources through the API, specify the IAM token you got in the Authorization header in the following format:
Authorization: Bearer <IAM_token>
To work with Terraform, add an IAM token to environment variables or specify it in the provider configuration file:
provider "yandex" {
token = "<IAM_token>"
}
Lifetime
IAM tokens are valid for a maximum of 12 hours. A token's lifetime is specified in a response from the service that returns the token, e.g., the VM metadata service.
To avoid situations when your token has expired and you do not have a new token yet, request it beforehand.
If you generate a new IAM token, the previous one continues to be valid until its lifetime ends or you revoke it.
If a token is created using cookies (for example, under federated authentication), its lifetime is limited to that of the cookies. If the cookies are revoked (for example, when the user logs out), all the tokens generated for the cookies are canceled.
The IAM API may return the same token in response to different requests if it is still a long time before it expires.
IAM token revocation
If your IAM token has been compromised, or you want to terminate your old IAM token when issuing a new one for security reasons, you can revoke the token before its lifetime expires.
Any authenticated user can revoke an IAM token using the CLI or API.
Token representation
The following regular expression describes a token:
t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}
Use regular expressions carefully because the service may update the token format in the future. The update might appear in the documentation with a delay.
Tip
Updating the token format involves changing its prefix to a value different from t1..
Sample token:
t1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg
Use cases
- Getting the Yandex Lockbox secret value on the Kubernetes side
- Using Yandex Object Storage in Yandex Data Processing
- Creating an interactive serverless application using WebSocket
See also
- Getting an IAM token for a Yandex account
- Getting an IAM token for a service account
- Getting an IAM token for a federated account
- Using Yandex Cloud from within a VM
- Using functions to get an IAM token for a service account
- How to choose the appropriate authentication method in Yandex Cloud
- Revoking an IAM token