Enabling the use of refresh tokens in the Yandex Cloud CLI
A refresh token is a type of credential that allows an OAuth application to automatically obtain a new IAM token after the user's IAM token expires.
To allow federated users to use refresh tokens in the Yandex Cloud CLI, enable this feature at the Identity Hub organization level.
-
Log in to Yandex Identity Hub with an administrator or organization owner account.
Switch to an organization of your choice as required.
-
In the left-hand panel, select Security settings.
-
Under Authentication settings, check Enable refresh tokens.
-
Optionally, to use enhanced refresh token security using DPoP keys with their obligatory storage on a YubiKey, enable Allow DPoP key storage only on YubiKeys.
With this option disabled, you can use DPoP keys saved both on a YubiKey and the user's local file system to ensure refresh token security.
To allow federated users to use refresh tokens in the Yandex Cloud CLI, each user must initialize DPoP after you enable this option at the organization level.