Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Managing ephemeral access keys

Written by
Updated at February 24, 2026

Some Yandex Cloud services support authentication with ephemeral access keys.

Ephemeral access keys are created for Yandex accounts, federated accounts, local users, and service accounts.

Creating an ephemeral access key

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the command for creating an ephemeral access key:

    yc iam access-key issue-ephemeral --help

  2. Create an ephemeral access key:

    yc iam access-key issue-ephemeral \
  --subject-id <account_ID> \
  --session-name <session_name> \
  --policy <file_path> \
  --duration <lifespan>

    Where:

    • --subject-id: Service account ID. If this parameter is not specified, the system will generate the key for the user sending the request.
    • --session-name: Session name, 1 to 64 characters long. It is required for identifying a session if the service account is impersonated for multiple users. This is a required parameter.
    • --policy: Path to the access policy file as a data schema in JSON format. It this parameter is not specified, the key will grant full bucket access.
    • --duration: Key lifespan, from 15m to 12h. It this parameter is not specified, the key lifespan will be limited to that of the current session's IAM token.

    Result:

    access_key_id: ajelprpohp8t********
secret: YCOs05v-KRXqhYpUINdWArH4MINhMyJ6CGU********
session_token: s1.9muilY********
expires_at: "2025-12-16T06:23:51.383485065Z"

  3. Save access_key_id, the secret key, and session_token. You will not be able to get these values again.

Testing bucket access

  1. Make sure the account you created the ephemeral access key for has access to the relevant bucket. If it does not, assign your account the required role, e.g., storage.viewer, for the bucket.

    Alternatively, you can use ACL permissions for a bucket.

  2. Add a new profile to ~/.aws/credentials:

    [<profile_name>]
aws_access_key_id     = <key_ID>
aws_secret_access_key = <secret_key>
aws_session_token     = <session_token>

    Specify in your profile the values you got when creating the ephemeral access key:

    • aws_access_key_id: access_key_id key ID.
    • aws_secret_access_key: secret key.
    • aws_session_token: session_token.

  3. Save to the client device the object from the prefix of the bucket access was granted to:

    aws --endpoint https://storage.yandexcloud.net s3 cp \
  s3://<bucket_name>/<prefix><object_name> ./

    Result:

    download: s3://<bucket_name>/<prefix><object_name> to ./<object_name>

See also

Previous
Creating a temporary access key using Security Token Service
Next
Viewing the status of services