Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
  • Blog
  • Pricing
  • Documentation
Yandex project
© 2025 Yandex.Cloud LLC
Yandex Identity and Access Management
    • Overview
      • How to choose the correct authentication method
      • IAM token
      • API key
      • Static access key
      • Security Token Service
      • Authorized key
      • OAuth_token
      • ID token
      • Cookie
      • Refresh token
    • Service access to user resources
    • Identity federations
    • Workload identity federations
    • Quotas and limits
  • Secure use of Yandex Cloud
  • Access management
  • Pricing policy
  • Role reference
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes

In this article:

  • Using the token
  • Lifetime
  • IAM token revocation
  • Token representation
  • Use cases
  1. Concepts
  2. Authentication
  3. IAM token

IAM token

Written by
Yandex Cloud
Updated at May 27, 2025
  • Using the token
  • Lifetime
  • IAM token revocation
  • Token representation
  • Use cases

An IAM token is a unique sequence of characters issued to a user after authentication. This is the preferred authentication method for both users and applications (using service accounts). You can get an IAM token using the CLI or API.

IAM token authentication is supported by all services except those with AWS-compatible APIs and services that support API key authentication.

Using the tokenUsing the token

IAM tokens are used for authentication in Yandex Cloud services. IAM tokens are issued for Yandex accounts, service accounts, and federated accounts.

IAM tokens also serve to authenticate Docker and Helm clients in Yandex Container Registry.

If you are using the management console or the command line interface (CLI), you do not need to do anything to get or use a token.

You can use IAM tokens for authentication when making API calls to Yandex Cloud services. When accessing Yandex Cloud resources through the API, specify the IAM token you got in the Authorization header in the following format:

Authorization: Bearer <IAM_token>

To work with Terraform, add an IAM token to environment variables or specify it in the provider configuration file:

provider "yandex" {
  token = "<IAM_token>"
}

LifetimeLifetime

IAM tokens are valid for a maximum of 12 hours. A token's lifetime is specified in a response from the service that returns the token, e.g., the VM metadata service.

To avoid situations when your token has expired and you do not have a new token yet, request it beforehand.

If you generate a new IAM token, the previous one continues to be valid until its lifetime ends or you revoke it.

If a token is created using cookies (for example, under federated authentication), its lifetime is limited to that of the cookies. If the cookies are revoked (for example, when the user logs out), all the tokens generated for the cookies are canceled.

The IAM API may return the same token in response to different requests if it is still a long time before it expires.

IAM token revocationIAM token revocation

If your IAM token has been compromised, or you want to terminate your old IAM token when issuing a new one for security reasons, you can revoke the token before its lifetime expires.

Any authenticated user can revoke an IAM token using the CLI or API.

Token representationToken representation

The following regular expression describes a token:

t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}

Use regular expressions carefully because the service may update the token format in the future. The update might appear in the documentation with a delay.

Tip

Updating the token format involves changing its prefix to a value different from t1..

Sample token:

t1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg

Use casesUse cases

  • Getting the Yandex Lockbox secret value on the Kubernetes side
  • Using Yandex Object Storage in Yandex Data Processing
  • Creating an interactive serverless application using WebSocket

See alsoSee also

  • Getting an IAM token for a Yandex account
  • Getting an IAM token for a service account
  • Getting an IAM token for a federated account
  • Using Yandex Cloud from within a VM
  • Using functions to get an IAM token for a service account
  • How to choose the appropriate authentication method in Yandex Cloud
  • Revoking an IAM token

Was the article helpful?

Previous
How to choose the correct authentication method
Next
API key
Yandex project
© 2025 Yandex.Cloud LLC