How to choose the appropriate authentication method in Yandex Cloud
Users and service accounts get permissions to perform actions with Yandex Cloud resources along with roles for these resources. Identity and Access Management verifies the required permissions when a user or service account runs an operation on a Yandex Cloud resource.
For more information about assigning roles and verifying the list of permissions, see How access management works in Yandex Cloud.
Use the appropriate credential type for authentication:
-
IAM token is the recommended and most secure type. It is suitable for most operations, such as creating a VM. It is not suitable for services with AWS-compatible APIs.
For federated users, you can set up automatic IAM token renewal using refresh tokens. This allows your organization's federated users to access Yandex Cloud CLI without re-authenticating in the browser when their IAM token expires.
-
API key is used for services that do not support authentication with IAM tokens. You can limit the API key by validity period and scope.
-
Static access key is suitable for authentication in services with an AWS-compatible API, such as Yandex Object Storage and Yandex Managed Service for YDB. From a static key, you can create a temporary access key for Object Storage buckets.
-
Authorized key is used in cases where you need to control all stages of issuing an IAM token. You may need it when obtaining an IAM token for a service account. Authorized keys are used for authentication only by applications form Yandex Cloud Marketplace.
-
OAuth token is used to obtain an IAM token on behalf of a user with a Yandex account.
-
ID token is used to for Yandex Cloud service account authentication in third-party systems with OIDC support. It is not suitable for authentication within Yandex Cloud.
-
Cookie is only used for service purposes.