Getting a service account ID token
To use Yandex Identity and Access Management for authentication in an external system with OIDC authentication support, you need to get an ID token. You can only get an ID token for a service account.
To get an ID token:
If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
View the description of the command for creating an ID token:
yc iam create-id-token --help -
Get the ID of the service account to use for authentication in the external system:
yc iam service-account listResult:
+----------------------+--------------+--------+---------------------+-----------------------+ | ID | NAME | LABELS | CREATED AT | LAST AUTHENTICATED AT | +----------------------+--------------+--------+---------------------+-----------------------+ | ajeg2b2et02f******** | my-robot | | 2024-09-08 18:59:45 | 2025-02-18 10:10:00 | | ajegtlf2q28a******** | account-name | | 2023-06-27 16:18:18 | 2025-02-18 10:20:00 | +----------------------+--------------+--------+---------------------+-----------------------+ -
Get an ID token for the service account:
yc iam create-id-token \ --subject-id <service_account_ID> \ --audience <resource>Where:
--subject-id: ID of the service account to create an ID token for.--audience: Target resource for the token. This is an optional parameter. If left unspecified, this value defaults to the service account ID specified in thesubject-idparameter.
In response, the command will output the body of the created service account ID token to the standard output stream (
STDOUT).