Ephemeral access keys compatible with AWS APIs
Ephemeral access keys are temporary credentials for authenticating Yandex accounts, federated accounts, local users, and service accounts.
Authentication with ephemeral access keys is only supported in Yandex Object Storage.
You can create an ephemeral key for the current user or for a service account you have access to.
Ephemeral keys are issued based on the current session's IAM token. They may be valid from 15 minutes to 12 hours. If no lifetime is set during creation, the key's lifetime is limited to the IAM token's validity period.
Warning
You cannot revoke an ephemeral key. It automatically expires after its lifetime.
To set up access permissions for the key, you need an access policy in JSON format based on this schema.
Tip
If a service account has roles in Object Storage for a folder, users with temporary keys will get view access to buckets in that folder. We recommend assigning service account roles for specific buckets, rather than a folder.
Ephemeral key format
Ephemeral keys consist of three parts:
- Key ID
- Secret key
- Session token
Requests to the AWS-compatible API use all three parts. The key ID is sent in clear text. The secret key is used to sign request parameters, and the session token serves to verify temporary credentials.
Key ID
Consists of 20 characters. These characters may include:
- Latin letters
- Numbers
Here is an example of a key ID: abcdefg1234h********.
Secret key
A secret key consists of 43 characters and always starts with YC. Other characters may include:
- Latin letters
- Numbers
- Underscores (_) and hyphens (-)
Here is an example of a secret key: YCabcdefg1234hi5678jk9AbCdEfG1234hI********.
Session token
The session token has a variable length of approximately 285 characters and is used to verify temporary credentials. Token example: s1.9muilY....
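A format check built from the rules above, as an added example (not Yandex Cloud's own code): it catches truncated or mis-pasted credentials before they reach a client and masks secret keys in text headed for logs. The function names and sample values are constructed for illustration.

```python
import re

# Format rules as stated on this page.
KEY_ID_RE = re.compile(r"[A-Za-z0-9]{20}")
SECRET_RE = re.compile(r"YC[A-Za-z0-9_-]{41}")  # "YC" + 41 = 43 characters
# Same shape for scanning free text, rejecting matches inside a longer token.
SECRET_SCAN_RE = re.compile(r"(?<![A-Za-z0-9_-])YC[A-Za-z0-9_-]{41}(?![A-Za-z0-9_-])")

MIN_LIFETIME_S = 15 * 60        # 15 minutes
MAX_LIFETIME_S = 12 * 60 * 60   # 12 hours

# Constructed sample values, not real credentials.
SAMPLE_KEY_ID = "abcdefg1234hABCD5678"
SAMPLE_SECRET = "YC" + "aB3_-xY9z0" * 4 + "Q"
SAMPLE_TOKEN = "s1." + "x" * 282


def check_ephemeral_key(key_id, secret_key, session_token):
    """Return a list of format problems; an empty list means well-formed."""
    problems = []
    if not KEY_ID_RE.fullmatch(key_id):
        problems.append("key ID: expected 20 Latin letters or digits")
    if not SECRET_RE.fullmatch(secret_key):
        problems.append("secret key: expected 43 characters starting with YC")
    # Token length is variable, so only its presence is checked.
    if not session_token:
        problems.append("session token: missing, requests need all three parts")
    return problems


def lifetime_ok(seconds):
    """True if a requested lifetime is within the 15 min to 12 h range."""
    return MIN_LIFETIME_S <= seconds <= MAX_LIFETIME_S


def redact_secrets(text):
    """Mask anything shaped like a secret key, keeping only the YC prefix."""
    return SECRET_SCAN_RE.sub("YC" + "*" * 41, text)


if __name__ == "__main__":
    print(check_ephemeral_key(SAMPLE_KEY_ID, SAMPLE_SECRET[:-3], ""))
    print(redact_secrets("aws_secret_access_key=" + SAMPLE_SECRET))
```

Because an ephemeral key cannot be revoked, a leaked one stays usable until it expires, which is why the masking step should run before text is logged.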