Getting an IAM token for a Yandex account
You can get an IAM token for your Yandex account in two ways:
- Using the CLI (recommended). This is the most secure method. To get an IAM token, you need to install the YC CLI.
- Using an OAuth token. This method is the simplest. Get an OAuth token, which every Yandex account has, and exchange it for an IAM token using any HTTP client you like, e.g., cURL or PowerShell.
Note
The IAM token lifetime does not exceed 12 hours; however, we recommend requesting it more often, such as once per hour.
Getting an IAM token using the YC CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
Get an IAM token:
yc iam create-token
Example of using an IAM token obtained through the CLI
Sending a request to get a list of clouds using an IAM token:
Bash:
- Get an IAM token and write it to the variable:
  export IAM_TOKEN=`yc iam create-token`
- Send a request to get a list of clouds:
  curl \
    --request GET \
    --header "Authorization: Bearer ${IAM_TOKEN}" \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
- Result:
  {
    "clouds": [
      {
        "id": "b1gia87mbaom********",
        "createdAt": "2019-08-19T06:15:54Z",
        "name": "my-cloud-1",
        "organizationId": "my-organization"
      },
      {
        "id": "b1gue7m154kt********",
        "createdAt": "2022-08-29T13:27:03Z",
        "name": "my-cloud-2",
        "organizationId": "my-organization"
      }
    ]
  }
PowerShell:
- Get an IAM token and write it to the variable:
  $IAM_TOKEN=yc iam create-token
- Send a request to get a list of clouds:
  curl.exe `
    --request GET `
    --header "Authorization: Bearer $IAM_TOKEN" `
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
- Result:
  {
    "clouds": [
      {
        "id": "b1gia87mbaom********",
        "createdAt": "2019-08-19T06:15:54Z",
        "name": "my-cloud-1",
        "organizationId": "my-organization"
      },
      {
        "id": "b1gue7m154kt********",
        "createdAt": "2022-08-29T13:27:03Z",
        "name": "my-cloud-2",
        "organizationId": "my-organization"
      }
    ]
  }
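The note above recommends requesting a new IAM token about once per hour. The following is an added example, not part of the original documentation: a shell function that wraps yc iam create-token, keeps the token in an owner-only cache file instead of a long-lived exported variable, and refreshes it once it is an hour old. The function name get_iam_token, the cache path and the IAM_TOKEN_* variables are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: cache the IAM token and refresh it about once per hour.
# Assumed names (not from the page): get_iam_token and the IAM_TOKEN_* variables.
IAM_TOKEN_CACHE="${IAM_TOKEN_CACHE:-$HOME/.cache/yc-iam-token}"
IAM_TOKEN_MAX_AGE="${IAM_TOKEN_MAX_AGE:-3600}"        # seconds; well under the 12-hour lifetime
IAM_TOKEN_CMD="${IAM_TOKEN_CMD:-yc iam create-token}" # overridable so the logic can be tested offline

get_iam_token() {
  local now fetched token
  now=$(date +%s)
  fetched=""; token=""
  if [ -r "$IAM_TOKEN_CACHE" ]; then
    # Cache layout: line 1 = fetch time in epoch seconds, line 2 = token.
    { read -r fetched; read -r token; } < "$IAM_TOKEN_CACHE" || true
    # Treat a missing or non-numeric timestamp as "expired long ago".
    case "$fetched" in ''|*[!0-9]*) fetched=0 ;; esac
    if [ -n "$token" ] && [ $((now - fetched)) -lt "$IAM_TOKEN_MAX_AGE" ]; then
      printf '%s\n' "$token"
      return 0
    fi
  fi
  # Missing or stale cache: request a fresh token from the CLI.
  token=$($IAM_TOKEN_CMD) || return 1
  [ -n "$token" ] || return 1
  # Write the cache atomically with owner-only permissions, so other
  # local users cannot read the bearer token.
  (
    umask 077
    mkdir -p "$(dirname "$IAM_TOKEN_CACHE")" || exit 1
    tmp=$(mktemp "${IAM_TOKEN_CACHE}.XXXXXX") || exit 1
    printf '%s\n%s\n' "$now" "$token" > "$tmp" && mv "$tmp" "$IAM_TOKEN_CACHE"
  ) || return 1
  printf '%s\n' "$token"
}

# Usage, with the request from the page:
#   curl --request GET \
#     --header "Authorization: Bearer $(get_iam_token)" \
#     https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
```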
Getting and exchanging an OAuth token for an IAM token
Alert
If you are the owner of the cloud and you use your own account to access the API, remember that the owner of the cloud can perform any operations with cloud resources.
We recommend using a service account to work with the API. This way, you can assign only the roles that are necessary.
- Log in to your Yandex account.
- Get an OAuth token from Yandex.OAuth. To do this, follow this link, click Allow, and copy the OAuth token you got.
- Exchange the OAuth token for an IAM token:
  Bash:
  curl \
    --request POST \
    --data '{"yandexPassportOauthToken":"<OAuth_token>"}' \
    https://iam.api.cloud.yandex.net/iam/v1/tokens
  PowerShell:
  $yandexPassportOauthToken = "<OAuth_token>"
  $Body = @{ yandexPassportOauthToken = "$yandexPassportOauthToken" } | ConvertTo-Json -Compress
  Invoke-RestMethod -Method 'POST' -Uri 'https://iam.api.cloud.yandex.net/iam/v1/tokens' -Body $Body -ContentType 'Application/json' | Select-Object -ExpandProperty iamToken
Specify the received IAM token when accessing Yandex Cloud resources via the API. Provide the IAM token in the Authorization header in the following format:
Authorization: Bearer <IAM_token>