Yandex project
© 2025 Yandex.Cloud LLC

Service account ID token

Written by
Yandex Cloud
Updated at March 28, 2025

An ID token is a unique short-lived token issued for a service account. It enables the service account to authenticate with external systems that support OIDC authentication.

An ID token is generated by Yandex Cloud and used to get an access token in an external system. An ID token is valid for one hour. You cannot use an ID token for authentication when accessing the Yandex Cloud API.

ID token format

An ID token is a JSON Web Token (JWT) consisting of three parts separated by dots: <header>.<body>.<signature>.

The ID token header includes the following attributes:

  • kid: ID of the public signature key for token signature verification.
  • alg: Signature algorithm.

The ID token body includes the following attributes:

  • iss: URL of the Yandex Cloud OIDC provider, https://auth.cloud.yandex.com.
  • sub: Service account ID provided in the subject-id parameter when creating the ID token.
  • aud: Token target resource. Provide it in the audience parameter when creating the ID token. If left unspecified when creating the token, this value defaults to the service account ID from subject-id.
  • exp: Token expiration time in Unix Time format. An ID token expires one hour after creation.
  • iat: Token issue time in Unix Time format.
  • jti: Unique ID token identifier that prevents token reuse.

The ID token signature allows you to make sure the token has not been modified. To verify the signature, you need a public key. To get a public key in Yandex Cloud, use the ID from the kid field of the token header.
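How an external system receiving the token might check the header and body fields listed above, as an added example that is not Yandex Cloud code. The `verify_sig` hook, the helper names, the 60-second clock skew and the `RS256` value in the constructed sample are assumptions; the page does not name the signature algorithm or the location of the public keys.

```python
import base64, json, time

ISSUER = "https://auth.cloud.yandex.com"  # iss value given on this page
MAX_LIFETIME = 3600                       # an ID token is valid for one hour

def _b64url(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_constructed_token(claims, kid="constructed-kid", alg="RS256"):
    """Constructed sample input, not a real token; the alg value is an assumption."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'kid': kid, 'alg': alg})}.{enc(claims)}.{enc('placeholder-signature')}"

def validate_id_token(token, expected_aud, verify_sig, seen_jti, now=None, skew=60):
    """Return the claims if every check passes, otherwise raise ValueError.
    verify_sig(kid, alg, signing_input, signature) is a hypothetical caller hook that
    fetches the public key for kid and verifies; seen_jti is a shared replay cache."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected <header>.<body>.<signature>")
    try:
        header, claims = (json.loads(_b64url(p)) for p in parts[:2])
        signature = _b64url(parts[2])
        alg, kid, iss = header.get("alg"), header.get("kid"), claims.get("iss")
    except (ValueError, AttributeError):
        raise ValueError("malformed token") from None
    if not kid or not isinstance(alg, str) or alg.lower() == "none":
        raise ValueError("missing kid or unusable alg")
    # Signature first: no claim is trusted until the key selected by kid verifies it.
    if not verify_sig(kid, alg, f"{parts[0]}.{parts[1]}".encode(), signature):
        raise ValueError("bad signature")
    if iss != ISSUER:
        raise ValueError("unexpected iss")
    aud = claims.get("aud")  # JWT allows a string or a list of strings
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued for a different audience")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or not isinstance(iat, (int, float)):
        raise ValueError("exp or iat missing")
    if now >= exp + skew or iat > now + skew or exp - iat > MAX_LIFETIME:
        raise ValueError("outside validity window or lifetime over one hour")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)  # in production, expire cache entries once exp has passed
    return claims
```

Passing an explicit `expected_aud` matters because `aud` defaults to the service account ID when no audience is set at creation, so a token minted without one is not bound to any particular external system.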

To get an ID token for a service account, use the Yandex Cloud CLI.
