API key
The API key is a secret key only used for simplified authorization of service accounts with the Yandex Cloud API.
Use API keys if requesting an IAM token automatically is not an option.
Alert
If someone might have gotten access to your private key, delete it and create a new one.
It is the user's responsibility to store the API key. Yandex Cloud provides access to an API key only during its creation. If the key is lost or damaged, you cannot restore it. In which case you can reissue the key or create a new one.
To ensure security and control over access to resources, monitor cases of unauthorized use of keys, and delete unused keys without the risk of disrupting Yandex Cloud services, you can track the dates of last use of service account access keys. You can find this info on the service account page in the management consolelast_used_at
field when using the API to invoke access key management methods.
API keys with scope and validity limits
You can create API keys with an expiration date and a limited scope.
A scope is the total of the actions a service account is allowed to perform with the service's resources. A service can have more than one scope. You cannot use an API key with a specified scope in other services or scopes.
The scope limits the use of API keys along with the user's personal access permissions. Configuring scope limits and expiration dates will reduce the risk of unauthorized use of your keys.
Alert
If you do not select a scope, the API key will allow authentication in all services except those that support scope restriction. In the future, all services supporting API key authentication will have scopes of their own.
Available scopes are listed below:
yc.ydb.topics.manage
: For accessing the Kafka API in Yandex Data Streams.yc.ydb.tables.manage
: For accessing YDB in PostgreSQL-compatible mode.
Using an API key
Enter your API key when accessing Yandex Cloud resources via the API. Provide the API key in the Authorization
header in the following format:
Authorization: Api-Key <API_key>
Services that support this authentication method
The following services support authentication based on API keys:
- Yandex Cloud Functions
- Yandex DataSphere
- Yandex Monitoring
- Yandex Search API
- Yandex Serverless Containers
- Yandex SpeechKit
- Yandex SpeechSense
- Yandex Translate
- Yandex Vision OCR
- Yandex Data Streams: Kafka API.
- Yandex Managed Service for YDB: Only in PostgreSQL-compatible mode. Use the appropriate authentication method for other modes.