IAM token
An IAM token is a unique sequence of characters issued to a user after authentication.
Using the token
Specify the received IAM token when accessing Yandex Cloud resources via the API. Provide the IAM token in the Authorization header in the following format:
Authorization: Bearer <IAM_token>
To work with Terraform, add an IAM token to environment variables or specify it in the provider configuration file:
provider "yandex" {
  token = "<IAM_token>"
}
If you work in the management console or the command line interface (CLI), you do not need to do anything to obtain and use a token.
Lifetime
IAM tokens are valid for a maximum of 12 hours. A token's lifetime is specified in a response from the service that returns the token, e.g., the VM metadata service.
To avoid a situation where your token has expired and you do not yet have a new one, request a new token in advance.
If you generate a new IAM token, the previous one continues to be valid until its lifetime ends or you revoke it.
If a token is created using cookies (for example, under federated authentication), its lifetime is limited to that of the cookies. If the cookies are revoked (for example, when the user logs out), all the tokens generated for the cookies are canceled.
The IAM API may return the same token in response to different requests if that token is still far from expiring.
IAM token revocation
If your IAM token has been compromised, or you want to terminate your old IAM token when issuing a new one for security reasons, you can revoke the token before its lifetime expires.
Any authenticated user can revoke an IAM token using the YC CLI or API.
Services that support this authentication method
This authentication method is supported by all services, except for those with AWS-compatible APIs. Such services require an IAM token only for managing access keys and service accounts.
Token representation
The following regular expression describes a token:
t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}
Use regular expressions carefully because the service may update the token format in the future. The update might appear in the documentation with a delay.
Tip
Updating the token format involves changing its prefix to a value different from t1.
Sample token:
t1.7euelSbPyceKx87JqpuRl1qZiY-Ryi3rnpWaksrKaZqUppnLncmDnpeajZvl8_dZNAFl-e8ENXMH_t3z9xljfmT57wQ1cwf-.-LErty1vRh4S__VEp-aDnM5huB5MEfm_Iu1u2IzNgyrn0emiWDYA6rSQXDvzjE0O3HBbUlqoDeCmXYYInzZ6Cg
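The following is an added example, not part of the original documentation or of any Yandex Cloud tooling: a log redactor that masks tokens matching the regular expression above and, because the prefix may change, also masks whatever follows an Authorization: Bearer header regardless of format. The sample log lines, the t2 prefix, and the names redact, fingerprint and FAKE_T1 are constructed for illustration.

```python
import hashlib
import re

CHARS = "A-Za-z0-9_-"
# The page's regular expression for the current "t1" format. The lookarounds are
# an addition so that a match cannot start or end inside a longer string.
IAM_TOKEN_RE = re.compile(
    rf"(?<![{CHARS}])"
    r"t1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}"
    rf"(?![{CHARS}])"
)
# Format-independent fallback: whatever follows "Authorization: Bearer" is a
# credential, even after the prefix changes from t1.
BEARER_RE = re.compile(r"(Authorization:\s*Bearer\s+)([^\s\"']+)", re.IGNORECASE)

# Constructed sample data: filler characters, not real credentials.
FAKE_T1 = "t1." + "A" * 40 + "." + "b" * 86
SAMPLE_LOG = [
    f"GET /v1/clouds Authorization: Bearer {FAKE_T1}",
    f'terraform plan: token = "{FAKE_T1}"',
    "GET /v1/clouds Authorization: Bearer t2.newformat.example",  # hypothetical prefix
    "healthcheck ok, latency=12ms",
]


def fingerprint(secret: str) -> str:
    """Short SHA-256 prefix, so a leaked token can be correlated without storing it."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def redact(line: str) -> tuple[str, list[str]]:
    """Mask credentials in one log line; return (masked line, finding labels)."""
    findings: list[str] = []

    def mask(kind: str, value: str) -> str:
        findings.append(kind)
        return f"[REDACTED {kind} sha256:{fingerprint(value)}]"

    def mask_bearer(m: re.Match) -> str:
        kind = "iam-t1" if IAM_TOKEN_RE.fullmatch(m.group(2)) else "bearer-unknown-format"
        return m.group(1) + mask(kind, m.group(2))

    line = BEARER_RE.sub(mask_bearer, line)  # headers first, any token format
    line = IAM_TOKEN_RE.sub(lambda m: mask("iam-t1", m.group(0)), line)  # bare tokens
    return line, findings


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(*redact(entry), sep="  ")
```

A bearer-unknown-format finding on traffic to Yandex Cloud is a cue to check whether the token format has changed and the pattern needs updating.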
See also
- Getting an IAM token for a Yandex account
- Getting an IAM token for a service account
- Getting an IAM token for a federated account
- Working with Yandex Cloud from inside a VM
- Using functions to get an IAM token for a service account
- Authorization and authentication in Yandex Cloud
- Revoking an IAM token