Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
    • Yandex Cloud Partner program
  • Blog
  • Pricing
  • Documentation
© 2025 Direct Cursus Technology L.L.C.
Yandex Identity and Access Management
    • All guides
    • Handling secrets that are available in the public domain
        • Getting an IAM token for a Yandex account
        • Getting an IAM token for a service account
        • Getting an IAM token for a federated account
        • Revoking an IAM token
      • Managing static access keys
      • Managing API keys
      • Managing authorized keys
      • Creating a temporary access key using Security Token Service
  • Secure use of Yandex Cloud
  • Access management
  • Pricing policy
  • Role reference
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes

In this article:

  • Getting an IAM token using the YC CLI
  • Example of using an IAM token obtained through the CLI
  • Getting and exchanging an OAuth token for an IAM token
  1. Step-by-step guides
  2. Authentication
  3. IAM tokens
  4. Getting an IAM token for a Yandex account
Written by
Yandex Cloud
Updated at May 5, 2025
  • Getting an IAM token using the YC CLI
    • Example of using an IAM token obtained through the CLI
  • Getting and exchanging an OAuth token for an IAM token

Note

These methods of getting an IAM token are intended for requests by a Yandex user account and are not recommended for automated solutions. If you want to automate your work with the Yandex Cloud API and get IAM tokens in software, see Getting an IAM token for a service account.

Getting an IAM token for a Yandex account

You can get an IAM token for your Yandex account in two ways:

  • Using the CLI (recommended). This is the most secure method. To get an IAM token, you need to install the YC CLI.
  • Using an OAuth token. This method is the simplest. Get an OAuth token, which every Yandex account has, and exchange it for an IAM-token using any HTTP client you like, e.g., cURL or PowerShell.

Note

The IAM token lifetime does not exceed 12 hours; however, we recommend requesting it more often, such as once per hour.

Getting an IAM token using the YC CLIGetting an IAM token using the YC CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

Get an IAM token:

yc iam create-token

Example of using an IAM token obtained through the CLIExample of using an IAM token obtained through the CLI

Sending a request to get a list of clouds using an IAM token:

Bash
PowerShell
  1. Get an IAM token and write it to the variable:

    export IAM_TOKEN=`yc iam create-token`
    
  2. Send a request to get a list of clouds:

    curl \
      --request GET \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
    
  3. Result:

    {
    "clouds": [
      {
      "id": "b1gia87mbaom********",
      "createdAt": "2019-08-19T06:15:54Z",
      "name": "my-cloud-1",
      "organizationId": "my-organization"
      },
      {
      "id": "b1gue7m154kt********",
      "createdAt": "2022-08-29T13:27:03Z",
      "name": "my-cloud-2",
      "organizationId": "my-organization"
      }
    ]
    }
    
  1. Get an IAM token and write it to the variable:

    $IAM_TOKEN=yc iam create-token
    
  2. Send a request to get a list of clouds:

    curl.exe ` 
      --request GET ` 
      --header "Authorization: Bearer $IAM_TOKEN" ` 
      https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds 
    
  3. Result:

    {
    "clouds": [
      {
      "id": "b1gia87mbaom********",
      "createdAt": "2019-08-19T06:15:54Z",
      "name": "my-cloud-1",
      "organizationId": "my-organization"
      },
      {
      "id": "b1gue7m154kt********",
      "createdAt": "2022-08-29T13:27:03Z",
      "name": "my-cloud-2",
      "organizationId": "my-organization"
      }
    ]
    }
    

Getting and exchanging an OAuth token for an IAM tokenGetting and exchanging an OAuth token for an IAM token

Alert

If you are the owner of the cloud and you use your own account to access the API, remember that the owner of the cloud can perform any operations with cloud resources.

We recommend using a service account to work with the API. This way, you can assign only the roles that are necessary.

  1. Log in to your Yandex account.

  2. Get an OAuth token from Yandex.OAuth. To do this, follow this link, click Allow, and copy the OAuth token you got.

  3. Exchange the OAuth token for an IAM token:

    Bash
    PowerShell
    curl \
      --request POST \
      --data '{"yandexPassportOauthToken":"<OAuth_token>"}' \
      https://iam.api.cloud.yandex.net/iam/v1/tokens
    
    $yandexPassportOauthToken = "<OAuth_token>"
    $Body = @{ yandexPassportOauthToken = "$yandexPassportOauthToken" } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method 'POST' -Uri 'https://iam.api.cloud.yandex.net/iam/v1/tokens' -Body $Body -ContentType 'Application/json' | Select-Object -ExpandProperty iamToken
    

Specify the received IAM token when accessing Yandex Cloud resources via the API. Provide the IAM token in the Authorization header in the following format:

Authorization: Bearer <IAM_token>

See alsoSee also

  • Using an IAM token in a Helm chart
  • Revoking an IAM token

Was the article helpful?

Previous
Revoking a role
Next
Getting an IAM token for a service account
© 2025 Direct Cursus Technology L.L.C.