Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Authenticating as a federated user

Written by
Updated at October 1, 2024

You can use a federated account to work with Yandex Cloud if your company has an identity federation set up. In this case, no personal Yandex account is required.

Note

To authenticate on a server with no GUI, you need to install a browser with X11 forwarding set up. With X11 forwarding, you can use your browser on the server over SSH. For SSH clients running on Linux, this feature is available by default. For Windows clients, you can use Xming.

If you cannot install a browser, use a service account instead of a federated account.

If you do not have the Yandex Cloud command line interface, install it.

To authenticate using a SAML-compatible identity federation:

  1. Get your federation ID from your administrator.

  2. Launch the profile creation wizard:

    yc init \
   --federation-endpoint auth.cloud.yandex.com \
   --federation-id <federation_ID>

  3. Select the profile you want to set up authentication for or create a new one.

    Welcome! This command will take you through the configuration process.
Pick desired action:
[1] Re-initialize this profile 'default' with new settings
[2] Create a new profile

  4. The CLI prompts you to continue authentication in the browser. Press Enter to continue.

    You are going to be authenticated via federation-id 'aje1f0hsgds3a********'.
Your federation authentication web site will be opened.
After your successful authentication, you will be redirected to 'https://console.yandex.cloud'.

Press 'enter' to continue...

    On successful authentication, the IAM token is saved in the profile. This token is used to authenticate each operation until the token expires. After that, the CLI again displays a prompt to authenticate in the browser.

  5. Go back to the command line interface to finish creating the profile.

  6. Select one of the clouds from the list of those you have access to:

    Please select cloud to use:
 [1] cloud1 (id = aoe2bmdcvata********)
 [2] cloud2 (id = dcvatao4faoe********)
Please enter your numeric choice: 2

    If there is only one cloud available, it will be selected automatically.

  7. Select the default folder:

    Please choose a folder to use:
 [1] folder1 (id = cvatao4faoe2********)
 [2] folder2 (id = tao4faoe2cva********)
 [3] Create a new folder
Please enter your numeric choice: 1

  8. To select the default availability zone for Compute Cloud, type Y. To skip the setup, type n.

    Do you want to configure a default Yandex Compute Cloud availability zone? [Y/n] Y

    If you typed Y, select the availability zone:

    Which zone do you want to use as a profile default?
 [1] ru-central1-a
 [2] ru-central1-b
 [3] ru-central1-c
 [4] ru-central1-d
 [5] Do not set default zone
Please enter your numeric choice: 2

  9. View your CLI profile settings:

    yc config list

    Result:

    federation-id: aje1f0hs6oja********
cloud-id: b1g159pa15cd********
folder-id: b1g8o9jbt58********
compute-default-zone: ru-central1-b
Previous
Authenticating as a service account
Next
Creating a profile