Yandex Cloud
Search
Contact UsGet started
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • AI Studio
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
© 2025 Direct Cursus Technology L.L.C.
Yandex Identity and Access Management
    • All guides
    • Handling secrets that are available in the public domain
      • Creating a service account
      • Viewing the folder's service accounts
      • Updating a service account
      • Assigning roles to a service account
      • Setting up service account access permissions
      • Getting service account info
      • Getting an ID token for a service account
      • Deleting a service account
  • Secure use of Yandex Cloud
  • Access management
  • Pricing policy
  • Role reference
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes
  1. Step-by-step guides
  2. Service accounts
  3. Getting an ID token for a service account

Getting a service account ID token

Written by
Yandex Cloud
Updated at June 9, 2025

To use Yandex Identity and Access Management for authentication in an external system with OIDC authentication support, you need to get an ID token. You can only get an ID token for a service account.

To get an ID token:

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the command for creating an ID token:

    yc iam create-id-token --help
    
  2. Get the ID of the service account to use for authentication in the external system:

    yc iam service-account list
    

    Result:

    +----------------------+--------------+--------+---------------------+-----------------------+
    |          ID          |     NAME     | LABELS |     CREATED AT      | LAST AUTHENTICATED AT |
    +----------------------+--------------+--------+---------------------+-----------------------+
    | ajeg2b2et02f******** | my-robot     |        | 2024-09-08 18:59:45 | 2025-02-18 10:10:00   |
    | ajegtlf2q28a******** | account-name |        | 2023-06-27 16:18:18 | 2025-02-18 10:20:00   |
    +----------------------+--------------+--------+---------------------+-----------------------+
    
  3. Get an ID token for the service account:

    yc iam create-id-token \
      --subject-id <service_account_ID> \
      --audience <resource>
    

    Where:

    • --subject-id: ID of the service account to create an ID token for.
    • --audience: Target resource for the token. This is an optional parameter. If left unspecified, this value defaults to the service account ID specified in the subject-id parameter.

    In response, the command will output the body of the created service account ID token to the standard output stream (STDOUT).

Was the article helpful?

Previous
Getting service account info
Next
Deleting a service account
© 2025 Direct Cursus Technology L.L.C.