Getting a service account ID token
To use Yandex Identity and Access Management for authentication in an external system with OIDC
To get an ID token:
- If you do not have the Yandex Cloud CLI yet, install and initialize it.

  The folder specified in the CLI profile is used by default. You can specify a different folder through the `--folder-name` or `--folder-id` parameter.
- View the description of the command for creating an ID token:

  ```bash
  yc iam create-id-token --help
  ```
- Get the ID of the service account to use for authentication in the external system:

  ```bash
  yc iam service-account list
  ```

  Result:

  ```text
  +----------------------+--------------+--------+---------------------+-----------------------+
  | ID                   | NAME         | LABELS | CREATED AT          | LAST AUTHENTICATED AT |
  +----------------------+--------------+--------+---------------------+-----------------------+
  | ajeg2b2et02f******** | my-robot     |        | 2024-09-08 18:59:45 | 2025-02-18 10:10:00   |
  | ajegtlf2q28a******** | account-name |        | 2023-06-27 16:18:18 | 2025-02-18 10:20:00   |
  +----------------------+--------------+--------+---------------------+-----------------------+
  ```
- Get an ID token for the service account:

  ```bash
  yc iam create-id-token \
    --subject-id <service_account_ID> \
    --audience <resource>
  ```

  Where:

  * `--subject-id`: ID of the service account to create an ID token for.
  * `--audience`: Target resource for the token. This is an optional parameter. If left unspecified, this value defaults to the service account ID specified in the `--subject-id` parameter.
In response, the command will output the body of the created service account ID token to the standard output stream (`STDOUT`).
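As an added example (not part of the Yandex Cloud documentation and not the `yc` tool's own code), the following POSIX shell script wraps the command above and then inspects the `sub`, `aud` and `exp` claims of the returned token before handing it to the external system, so that a token minted for the wrong service account or audience is caught on the client side. It assumes the token is a JWT with string-valued `sub` and `aud` claims and a numeric `exp`, as in the OIDC core specification; the function names (`fetch_id_token`, `check_id_token`, `make_sample_jwt`) are the example's own, and the sample token that `make_sample_jwt` builds is constructed locally so the claim checks can be exercised offline. Reading claims is only a sanity check on what you requested; the relying party still has to verify the token's signature against the issuer's published keys.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): obtain a service account ID token
# with the yc CLI and inspect its claims before passing it to an external system.
# Assumptions: `yc` is installed and initialized; the token is a JWT in the usual
# header.payload.signature form; claim names follow OIDC core (sub, aud, exp).
# Claim inspection is a sanity check only; signature verification is the relying
# party's job, against the issuer's keys.

set -eu

# Encode bytes as base64url without padding (used only to build constructed samples).
b64url_encode() {
    printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Decode a base64url JWT segment: restore padding, swap back to the standard alphabet.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the payload (second dot-separated segment) of a JWT as JSON text.
jwt_payload() {
    b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract a string claim ("key":"value") from a JSON payload; prints nothing if absent.
jwt_str_claim() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Extract a numeric claim ("key":123) from a JSON payload; prints nothing if absent.
jwt_num_claim() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"
}

# Verify that sub and aud equal the values we asked for and that exp is still ahead
# of `now` (seconds since the epoch). Returns 0 on success, 1 with a reason on stderr.
check_id_token() {
    token=$1; want_sub=$2; want_aud=$3; now=$4
    payload=$(jwt_payload "$token")
    [ "$(jwt_str_claim "$payload" sub)" = "$want_sub" ] || { echo "sub mismatch" >&2; return 1; }
    [ "$(jwt_str_claim "$payload" aud)" = "$want_aud" ] || { echo "aud mismatch" >&2; return 1; }
    exp=$(jwt_num_claim "$payload" exp)
    [ -n "$exp" ] && [ "$exp" -gt "$now" ] || { echo "token expired or exp missing" >&2; return 1; }
}

# Build a constructed, unsigned-for-real sample JWT from a JSON payload (test data only;
# the signature segment is a placeholder, and nothing here verifies signatures).
make_sample_jwt() {
    printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256","typ":"JWT"}')" \
        "$(b64url_encode "$1")" "constructed-signature"
}

# Thin wrapper around the documented command (hypothetical helper, not part of yc).
fetch_id_token() {
    yc iam create-id-token --subject-id "$1" --audience "$2"
}

# Usage: ./get-id-token.sh <service_account_ID> <resource>
main() {
    [ $# -eq 2 ] || { echo "usage: $0 <service_account_ID> <resource>" >&2; return 2; }
    sa_id=$1; aud=$2
    token=$(fetch_id_token "$sa_id" "$aud")
    check_id_token "$token" "$sa_id" "$aud" "$(date +%s)"
    printf '%s\n' "$token"
}

case ${1:-} in
    "") ;;            # no arguments: define the functions only (sourced or under test)
    *)  main "$@" ;;
esac
```

If the check fails the token is never printed, so a caller that pipes the script's output into the external system's login step cannot accidentally send a token for a different subject or audience than it expected.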