Getting a service account ID token
Note
Creating ID tokens for service accounts may be prohibited by access policies at the folder, cloud, or organization level.
To use Yandex Identity and Access Management for authentication in an external system with OIDC
To get an ID token:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
2. View the description of the command for creating an ID token:

   yc iam create-id-token --help

3. Get the ID of the service account to use for authentication in the external system:

   yc iam service-account list

   Result:

   +----------------------+--------------+--------+---------------------+-----------------------+
   |          ID          |     NAME     | LABELS |     CREATED AT      | LAST AUTHENTICATED AT |
   +----------------------+--------------+--------+---------------------+-----------------------+
   | ajeg2b2et02f******** | my-robot     |        | 2024-09-08 18:59:45 | 2025-02-18 10:10:00   |
   | ajegtlf2q28a******** | account-name |        | 2023-06-27 16:18:18 | 2025-02-18 10:20:00   |
   +----------------------+--------------+--------+---------------------+-----------------------+

4. Get an ID token for the service account:

   yc iam create-id-token \
     --subject-id <service_account_ID> \
     --audience <resource>

   Where:

   --subject-id: ID of the service account to create an ID token for.
   --audience: Target resource for the token. This is an optional setting. If left unspecified, this value defaults to the service account ID specified in the subject-id parameter.

   In response, the command will output the body of the created service account ID token to the standard output stream (STDOUT).
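The token body that `yc iam create-id-token` writes to STDOUT is what the external system receives, and the value of `--audience` (or the service account ID when it is omitted) is what that system has to compare against. The following is an added example of the relying-party side of that check, not code from Yandex Cloud or this page. It assumes the token uses the standard OIDC claim names (`iss`, `sub`, `aud`, `exp`, `iat`); the sample token, the issuer URL and the audience string are constructed placeholders. It only checks claims and deliberately does not verify the signature, which a real consumer must do against the issuer's published signing keys before trusting any claim.

```python
import base64
import json
import time

# Constructed sample identifiers. The masked service account ID is the one
# shown in the listing above; the audience is a hypothetical external resource.
SAMPLE_SUBJECT_ID = "ajeg2b2et02f********"
SAMPLE_AUDIENCE = "https://external-system.example/api"  # hypothetical


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the '=' padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_id_token(token):
    """Split an ID token into its decoded header and payload (claims).

    This does NOT verify the signature: the third segment must be checked
    against the issuer's signing keys before any claim is trusted. Only the
    claim checks themselves are shown here.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("an ID token is header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def check_claims(claims, expected_audience, expected_subject, now=None):
    """Return the names of claims that fail the relying party's checks.

    An empty list means aud, sub and exp are all as expected. `aud` may be a
    single string or a list, so both forms are handled.
    """
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append("aud")
    if claims.get("sub") != expected_subject:
        problems.append("sub")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp")
    return problems


def make_sample_token(subject_id, audience=None, lifetime=3600, now=None):
    """Build a constructed, unsigned sample token in JWT layout.

    Mirrors the rule stated above: a missing --audience defaults to the
    service account ID. The signature segment is a placeholder, not a real
    signature; real tokens come from `yc iam create-id-token`.
    """
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "RS256", "typ": "JWT"}  # assumed header, for illustration
    claims = {
        "iss": "https://issuer.example",  # placeholder issuer
        "sub": subject_id,
        "aud": audience if audience is not None else subject_id,
        "iat": now,
        "exp": now + lifetime,
    }
    return ".".join([
        b64url_encode(json.dumps(header).encode()),
        b64url_encode(json.dumps(claims).encode()),
        b64url_encode(b"placeholder-signature"),
    ])


def verify_token_for(token, expected_audience, expected_subject, now=None):
    """Decode a token and report which claim checks fail."""
    _, claims = decode_id_token(token)
    return check_claims(claims, expected_audience, expected_subject, now)


if __name__ == "__main__":
    # Token created without --audience: aud must equal the service account ID.
    token = make_sample_token(SAMPLE_SUBJECT_ID, now=1_700_000_000)
    print(verify_token_for(token, SAMPLE_SUBJECT_ID, SAMPLE_SUBJECT_ID, now=1_700_000_100))
    # Token created with --audience set to the external resource.
    token = make_sample_token(SAMPLE_SUBJECT_ID, SAMPLE_AUDIENCE, now=1_700_000_000)
    print(verify_token_for(token, SAMPLE_AUDIENCE, SAMPLE_SUBJECT_ID, now=1_700_000_100))
```

With a real token, the consumer would read the string the CLI printed to STDOUT (for example, `token=$(yc iam create-id-token --subject-id <service_account_ID> --audience <resource>)`) and pass it to `verify_token_for` with the same `<resource>` and `<service_account_ID>` values that were used to create it; a token issued without `--audience` is only accepted by a consumer that expects the service account ID as its audience, which is the behaviour described above.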