Getting a service account ID token

Written by

Updated at March 28, 2025

To use Yandex Identity and Access Management for authentication in an external system with OIDC authentication support, you need to get an ID token. You can only get an ID token for a service account.

To get an ID token:

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

View the description of the command for creating an ID token:
```
yc iam create-id-token --help
```

Get the ID of the service account to use for authentication in the external system:

yc iam service-account list

Result:

+----------------------+--------------+--------+---------------------+-----------------------+
|          ID          |     NAME     | LABELS |     CREATED AT      | LAST AUTHENTICATED AT |
+----------------------+--------------+--------+---------------------+-----------------------+
| ajeg2b2et02f******** | my-robot     |        | 2024-09-08 18:59:45 | 2025-02-18 10:10:00   |
| ajegtlf2q28a******** | account-name |        | 2023-06-27 16:18:18 | 2025-02-18 10:20:00   |
+----------------------+--------------+--------+---------------------+-----------------------+

Get an ID token for the service account:
```
yc iam create-id-token \
  --subject-id <service_account_ID> \
  --audience <resource>
```
Where:
- --subject-id: ID of the service account to create an ID token for.
- --audience: Target resource for the token. This is an optional parameter. If left unspecified, this value defaults to the service account ID specified in the subject-id parameter.
In response, the command will output the body of the created service account ID token to the standard output stream (STDOUT).

Getting a service account ID token

Was the article helpful?