Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Setting up workload identity federations

Written by
Improved by
Updated at January 28, 2025

Workload identity federations allow you to configure a link between external systems and Yandex Cloud via the OpenID Connect (OIDC) protocol. This allows external systems to perform actions on Yandex Cloud resources on behalf of service accounts without using authorized keys. This is a more secure method that minimizes the risk of credential leakage and the possibility of unauthorized access.

To set up authentication in the Yandex Cloud API via a workload identity federation:

  1. Prepare your cloud environment.
  2. Create a workload identity federation.
  3. Create federated credentials.
  4. Exchange a JWT of an external subject for a service account IAM token.

For examples of setting up authentication for specific OIDC providers, see these tutorials:

Prepare your cloud environment

Sign up for Yandex Cloud and create a billing account:

  1. Go to the management console and log in to Yandex Cloud or create an account if you do not have one yet.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one.

If you have an active billing account, you can go to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

To set up a workload identity federation, you need a service account. If you do not have a service account, create one.

Create a workload identity federation

Note

To create a workload identity federation, the user needs the iam.workloadIdentityFederations.editor role or higher for the folder.

  1. In the management console, select the folder where you want to create a workload identity federation.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Workload identity federations.
  4. Click Create federation and in the form that opens, proceed as follows:

    1. In the Issuer value (iss) field, enter the OIDC provider's URL.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    2. In the Acceptable Audience values (AUD) field, specify the resource for which the token will be issued.

      To get this value, refer to the OIDC provider's documentation or contact their support.

      You can specify multiple resources to issue the IAM token for.

    3. In the JWKS address field, specify the URL for retrieving the current public key issued by the OIDC provider and used for JWT signature verification.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    4. In the Name field, enter a name for the new federation, e.g., sample-iam-federation.

    5. Click Create.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View the description of the command for creating a workload identity federation:

    yc iam workload-identity oidc federation create --help

  2. Create a workload identity federation in the default folder:

    yc iam workload-identity oidc federation create \
  --name <federation_name> \
  --issuer "<OIDC_provider_URL>" \
  --audiences "<resource_1>","<resource_2>",...,"<resource_n>" \
  --jwks-url "<JWKS_address>"

    Where:

    • --name: Name of the new federation, e.g., sample-iam-federation. The naming requirements are as follows:

      • It must be 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • --issuer: URL of the OIDC provider.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    • --audiences: Resources to issue the token for. You can specify multiple resources at once, separated by commas.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    • --jwks-url: URL for retrieving the current public key issued by the OIDC provider and used for JWT signature verification.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    Result:

    id: aje2c4qv19lf********
name: sample-iam-federation
folder_id: b1gfq9pe6rd2********
enabled: true
audiences:
  - https://gitlab.example.ru
  - https://gitlab.example.com
issuer: https://gitlab.com
jwks_url: https://gitlab.com/oauth/discovery/keys
created_at: "2024-12-28T16:04:31.530652473Z"

    Save the value of the new workload identity federation ID. You will need it to create federated credentials.

    For more information about the yc iam workload-identity oidc federation create command, see the CLI reference.

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. In the Terraform configuration file, define the parameters of the federation you want to create:

    resource "yandex_iam_workload_identity_oidc_federation" "wlif" {
  name        = "<federation_name>"
  folder_id   = "<folder_ID>"
  audiences   = ["<resource_1>","<resource_2>",...,"<resource_n>"]
  issuer      = "<OIDC_provider_URL>"
  jwks_url    = "<JWKS_address>"
}

    Where:

    • name: Name of the new federation, e.g., sample-iam-federation. The naming requirements are as follows:

      • It must be 2 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • folder_id: ID of the folder to create the workload identity federation in.

    • audiences: Resources to issue the token for. You can specify multiple resources at once, separated by commas.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    • issuer: URL of the OIDC provider.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    • jwks_url: URL for retrieving the current public key issued by the OIDC provider and used for JWT signature verification.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    For more information about the yandex_iam_workload_identity_oidc_federation resource parameters in Terraform, see the relevant provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create a workload identity federation. You can check the new federation using the management console or this CLI command:

    yc iam workload-identity oidc federation list

To create a workload identity federation, use the create REST API method for the Federation resource or the FederationService/Create gRPC API call.

Create federated credentials

Federated credentials refer to the link established between a workload identity federation, a Yandex Cloud service account, and an external subject. Federated credentials are used to identify external subjects in Yandex Identity and Access Management.

Note

To create federated credentials, the user needs the following:

  • iam.serviceAccounts.federatedCredentialEditor role or higher for the service account that will be used in the federated credentials.
  • iam.workloadIdentityFederations.user role or higher for the folder containing the workload identity federation.

  1. In the management console, select the folder with the service account.

    Create a new service account if you need to.

  2. In the list of services, select Identity and Access Management.

  3. Select the appropriate service account from the list.

  4. Go to the Workload identity federations tab.

  5. Click Link to federation.

  6. In the Workload identity federation field, select the federation you created earlier.

  7. In the Subject value (sub) field, specify the external subject ID.

    To get this value, refer to the OIDC provider's documentation or contact their support.

  8. Click Link.

  1. View the description of the command for creating federated credentials:

    yc iam workload-identity federated-credential create --help

  2. Create federated credentials, specifying the ID of the appropriate service account:

    yc iam workload-identity federated-credential create \
  --service-account-id <service_account_ID> \
  --federation-id <federation_ID> \
  --external-subject-id "<external_subject_ID>"

    Where:

    • --service-account-id: ID of the Yandex Cloud service account.

      The service account can reside in a folder other than the one containing the workload identity federation.

    • --federation-id: Workload identity federation ID obtained in the previous step.

    • --external-subject-id: External subject ID.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    Result:

    id: aje401v1sup8********
service_account_id: ajek7v5j65cg********
federation_id: aje2c4qv19lf********
external_subject_id: project_path:root/test-iam-wlif:ref_type:branch:ref:master
created_at: "2024-12-28T16:33:47.057632267Z"

    For more information about the yc iam workload-identity federated-credential create command, see the CLI reference.

  1. In the Terraform configuration file, define the parameters of the federated credentials you want to create:

    resource "yandex_iam_workload_identity_federated_credential" "fc" {
  service_account_id  = "<service_account_ID>"
  federation_id       = "<federation_ID>"
  external_subject_id = "<external_subject_ID>"
}

    Where:

    • service_account_id: ID of the Yandex Cloud service account.

      The service account can reside in a folder other than the one containing the workload identity federation.

    • federation_id: Workload identity federation ID.

    • external_subject_id: External subject ID.

      To get this value, refer to the OIDC provider's documentation or contact their support.

    For more information about the yandex_iam_workload_identity_federated_credential resource parameters in Terraform, see the relevant provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create the specified federated credentials. You check the new service account federated credentials using the management console or this CLI command:

    yc iam workload-identity federated-credential list \
  --service-account-id <service_account_ID>

To create federated credentials, use the create REST API method for the FederatedCredential resource or the FederatedCredentialService/Create gRPC API call.

Exchange a JWT for a service account IAM token

Send a request to the Yandex Cloud token exchange service:

POST https://auth.yandex.cloud/oauth/token HTTP/1.1
     Content-Type: application/x-www-form-urlencoded

     grant_type=urn:ietf:params:oauth:grant-type:token-exchange&
     requested_token_type=urn:ietf:params:oauth:token-type:access_token&
     audience=<service_account_ID>&
     subject_token=<JWT>&
     subject_token_type=urn:ietf:params:oauth:token-type:id_token

Where:

  • grant_type: Request type, which is always urn:ietf:params:oauth:grant-type:token-exchange.
  • requested_token_type: Requested token type, which is always urn:ietf:params:oauth:token-type:access_token.
  • audience: ID of the Yandex Cloud service account.
  • subject_token: External subject JWT.
  • subject_token_type: External subject token type, which is always urn:ietf:params:oauth:token-type:id_token.

Result:

HTTP/1.1 200 OK
Content-Type: application/json

{
    "access_token": "t1.9euelZqZlJyXlJGNno6JlIzGmsyUzO3rnpWazY6elMidm8-Nk8iPlZyZkJLl8_d_IUBE-e8AIgRS_d3z9z9QPUT57wAiBFL9zef1656Vmo2RyZqOm5KSj82KkZHNi5WL7_zN5_XrnpWaj46TnZvNksmNks2dj43MmJPv-MXrnpWajZHJmo6bkpKPzYqRkc2LlYu9656Vmp2PyJqYnprLk8aRxpqXzZbPteuGnNGWnpLRkI********************",
    "token_type": "Bearer",
    "expires_in": 43200
}

Where access_token is the requested service account IAM token you can use for authentication when working in the Yandex Cloud API.

See also

Previous
Enabling and disabling services
Next
All tutorials