Getting a service account ID token
To use Yandex Identity and Access Management for authentication in an external system with OIDC
To get an ID token:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using the --folder-name or --folder-id parameter.
- View the description of the command for creating an ID token:
  yc iam create-id-token --help
- Get the ID of the service account to use for authentication in the external system:
  yc iam service-account list
  Result:
  +----------------------+--------------+--------+---------------------+-----------------------+
  |          ID          |     NAME     | LABELS |     CREATED AT      | LAST AUTHENTICATED AT |
  +----------------------+--------------+--------+---------------------+-----------------------+
  | ajeg2b2et02f******** | my-robot     |        | 2024-09-08 18:59:45 | 2025-02-18 10:10:00   |
  | ajegtlf2q28a******** | account-name |        | 2023-06-27 16:18:18 | 2025-02-18 10:20:00   |
  +----------------------+--------------+--------+---------------------+-----------------------+
- Get an ID token for the service account:
  yc iam create-id-token \
    --subject-id <service_account_ID> \
    --audience <resource>
  Where:
  - --subject-id: ID of the service account to create an ID token for.
  - --audience: Target resource for the token. This is an optional parameter. If left unspecified, this value defaults to the service account ID specified in the --subject-id parameter.
In response, the command will output the body of the created service account ID token to the standard output stream (STDOUT).
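Once the token is obtained, the external system should confirm it was issued for the intended service account and audience rather than accepting any token the CLI prints. The POSIX shell script below is an added example, not part of the Yandex Cloud documentation: it wraps the yc call above and checks the sub, aud and exp claims of the token, assuming the ID token is a standard OIDC JWT (header.payload.signature) with string sub and aud claims. The sample token it builds is constructed with a placeholder signature; verifying the real signature against the issuer's published keys is the job of the relying party's OIDC library, not this script.

```shell
#!/bin/sh
# Added example: obtain a service account ID token for a given audience and
# sanity-check its claims before passing it to the external system.

# Request the token with the yc CLI (from the page; not executed offline).
get_id_token() {
    yc iam create-id-token --subject-id "$1" --audience "$2"
}

# base64url helpers (no jq or python dependency).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
b64url_decode() {
    s=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#s} % 4 )) in 2) s="${s}==" ;; 3) s="${s}=" ;; esac
    printf '%s' "$s" | base64 -d 2>/dev/null
}

# Decoded JSON payload (second dot-separated segment) of a JWT.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Extract one top-level claim; handles "key":"string" and "key":number,
# not array-valued aud.
jwt_claim() {
    printf '%s' "$1" | sed -n "s/.*\"$2\": *\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# 0 if sub and aud match what we asked for and exp is still in the future.
# $4 (current unix time) is overridable so the check is testable offline.
check_id_token() {
    tok=$1; want_sub=$2; want_aud=$3; now=${4:-$(date +%s)}
    payload=$(jwt_payload "$tok") || return 1
    sub=$(jwt_claim "$payload" sub); aud=$(jwt_claim "$payload" aud)
    exp=$(jwt_claim "$payload" exp)
    [ "$sub" = "$want_sub" ] || { echo "sub mismatch: $sub" >&2; return 1; }
    [ "$aud" = "$want_aud" ] || { echo "aud mismatch: $aud" >&2; return 1; }
    [ -n "$exp" ] && [ "$exp" -gt "$now" ] || { echo "token expired" >&2; return 1; }
}

# Constructed sample (placeholder IDs, issuer and signature; not a real token).
SAMPLE_SUB="ajeexamplesa00000000"
SAMPLE_AUD="https://external.example/oidc"
make_sample_token() {
    hdr=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
    pl=$(b64url_encode "{\"iss\":\"https://issuer.example\",\"sub\":\"$SAMPLE_SUB\",\"aud\":\"$SAMPLE_AUD\",\"iat\":1700000000,\"exp\":1700003600}")
    printf '%s.%s.%s' "$hdr" "$pl" "placeholder-signature"
}

# Real usage: SA_ID=<service_account_ID>; AUD=<resource>
#   tok=$(get_id_token "$SA_ID" "$AUD") && check_id_token "$tok" "$SA_ID" "$AUD"
```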