Note
These methods of getting an IAM token are intended for requests by a Yandex user account and are not recommended for automated solutions. If you want to automate your work with the Yandex Cloud API and get IAM tokens in software, see Getting an IAM token for a service account.
Getting an IAM token for a Yandex account
You can get an IAM token for your Yandex account in two ways:
- Using the CLI (recommended). This is the most secure method. To get an IAM token, you need to install the YC CLI.
- Using an OAuth token. This method is the simplest. Get an OAuth token, which every Yandex account has, and exchange it for an IAM-token using any HTTP client you like, e.g., cURL or PowerShell.
Note
The IAM token lifetime does not exceed 12 hours; however, we recommend requesting it more often, such as once per hour.
Getting an IAM token using the YC CLI
If you do not have the Yandex Cloud CLI yet, install and initialize it.
Get an IAM token:
yc iam create-token
Example of using an IAM token obtained through the CLI
Sending a request to get a list of clouds using an IAM token:
-
Get an IAM token and write it to the variable:
export IAM_TOKEN=`yc iam create-token` -
Send a request to get a list of clouds:
curl \ --request GET \ --header "Authorization: Bearer ${IAM_TOKEN}" \ https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds -
Result:
{ "clouds": [ { "id": "b1gia87mbaom********", "createdAt": "2019-08-19T06:15:54Z", "name": "my-cloud-1", "organizationId": "my-organization" }, { "id": "b1gue7m154kt********", "createdAt": "2022-08-29T13:27:03Z", "name": "my-cloud-2", "organizationId": "my-organization" } ] }
-
Get an IAM token and write it to the variable:
$IAM_TOKEN=yc iam create-token -
Send a request to get a list of clouds:
curl.exe ` --request GET ` --header "Authorization: Bearer $IAM_TOKEN" ` https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds -
Result:
{ "clouds": [ { "id": "b1gia87mbaom********", "createdAt": "2019-08-19T06:15:54Z", "name": "my-cloud-1", "organizationId": "my-organization" }, { "id": "b1gue7m154kt********", "createdAt": "2022-08-29T13:27:03Z", "name": "my-cloud-2", "organizationId": "my-organization" } ] }
Getting and exchanging an OAuth token for an IAM token
Alert
If you are the owner of the cloud and you use your own account to access the API, remember that the owner of the cloud can perform any operations with cloud resources.
We recommend using a service account to work with the API. This way, you can assign only the roles that are necessary.
-
Log in to your Yandex account.
-
Get an OAuth token from Yandex.OAuth. To do this, follow this link, click Allow, and copy the OAuth token you got.
-
Exchange the OAuth token for an IAM token:
BashPowerShellcurl \ --request POST \ --data '{"yandexPassportOauthToken":"<OAuth_token>"}' \ https://iam.api.cloud.yandex.net/iam/v1/tokens$yandexPassportOauthToken = "<OAuth_token>" $Body = @{ yandexPassportOauthToken = "$yandexPassportOauthToken" } | ConvertTo-Json -Compress Invoke-RestMethod -Method 'POST' -Uri 'https://iam.api.cloud.yandex.net/iam/v1/tokens' -Body $Body -ContentType 'Application/json' | Select-Object -ExpandProperty iamToken
Specify the received IAM token when accessing Yandex Cloud resources via the API. Provide the IAM token in the Authorization header in the following format:
Authorization: Bearer <IAM_token>