Authentication in YTsaurus
Note
The service is at the Preview stage.
You can access Managed Service for YTsaurus resources:
- through the YTsaurus web interface (for users).
- with an IAM token or API key (for service accounts).
Yandex Identity and Access Management manages access to Managed Service for YTsaurus resources. For more information, see Access management.
User authentication in YTsaurus
To access the YTsaurus web interface, a user needs the managed-ytsaurus.user role or higher for the Managed Service for YTsaurus cluster folder.
Upon the first successful authentication, the system automatically creates a new YTsaurus user with a username matching the user ID in Yandex Cloud. You cannot edit the YTsaurus username. YTsaurus does not support creating new users directly.
YTsaurus user groups
YTsaurus supports two user groups: users and managers.
Upon first logging into the web interface, all users are automatically added to the users group.
The managers group automatically includes users from the users group who have the managed-ytsaurus.editor role or higher. Updating the group's user list may take up to 15 minutes.
YTsaurus does not support editing user groups directly.
Service account authentication in Managed Service for YTsaurus
To access YTsaurus, a service account needs the managed-ytsaurus.user role or higher for the Managed Service for YTsaurus cluster folder.
Service accounts can access YTsaurus by using:
- IAM token: For short-term operations; the IAM token lifetime is 12 hours.
- API key: For long-running operations when you cannot get a new IAM token automatically.
Upon the first successful authentication of a service account, the system automatically creates a new YTsaurus user with a username matching the service account ID. You cannot edit the YTsaurus username.
How to use API keys in Managed Service for YTsaurus
Provide API keys instead of IAM tokens.
When creating an API key, specify yc.managed-ytsaurus.cluster.use as its scope.
Here is an example of the command for creating an API key to access YTsaurus:
yc iam api-key create \
  --service-account-name <service_account_name> \
  --scopes yc.managed-ytsaurus.cluster.use \
  --expires-at <date_and_time> \
  > api_key.yaml
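The command above redirects the key's secret into api_key.yaml with whatever permissions the current umask allows. The following added example (not part of the YTsaurus documentation) wraps the same command so that the file is created owner-only and the expiry date is computed; the function names are hypothetical, and it assumes GNU date and that --expires-at accepts an RFC 3339 UTC timestamp.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical. Assumes GNU date and that
# --expires-at accepts an RFC 3339 UTC timestamp.

# Print an RFC 3339 UTC timestamp <days> days from now.
expiry_in_days() {
    date -u -d "+$1 days" '+%Y-%m-%dT%H:%M:%SZ'
}

# Usage: create_ytsaurus_api_key <service_account_name> <days_valid> <output_file>
create_ytsaurus_api_key() {
    local sa_name="$1" days="$2" out="$3" expires
    if [ -z "$sa_name" ] || [ -z "$out" ]; then
        echo "usage: create_ytsaurus_api_key <sa_name> <days_valid> <output_file>" >&2
        return 2
    fi
    case $days in
        ''|*[!0-9]*) echo "days_valid must be a whole number" >&2; return 2 ;;
    esac
    # Never overwrite: an existing file keeps its old (possibly loose) mode.
    if [ -e "$out" ]; then
        echo "$out already exists; refusing to overwrite" >&2
        return 1
    fi
    expires=$(expiry_in_days "$days") || return 1
    (
        umask 077   # the redirect below creates the file as 0600
        yc iam api-key create \
            --service-account-name "$sa_name" \
            --scopes yc.managed-ytsaurus.cluster.use \
            --expires-at "$expires" \
            > "$out"
    ) || { rm -f "$out"; echo "yc failed; no key saved" >&2; return 1; }
    # An empty file means nothing usable was written.
    [ -s "$out" ] || { rm -f "$out"; echo "empty output; no key saved" >&2; return 1; }
}
```

Source the file and call, for example, `create_ytsaurus_api_key <service_account_name> 30 api_key.yaml`.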