In this article:

  • Authenticating as a service account using an IAM token
  • Authenticating as a service account using an authorized key
  • Authenticating as a user account

Setting up Yandex Cloud Terraform provider authentication

Written by
Yandex Cloud
Updated at June 15, 2026

Terraform can authenticate to Yandex Cloud and manage your infrastructure as a:

  • Service account, using an IAM token (recommended) or an authorized key.
  • User account:
    • Yandex account.
    • Federated account.
    • Local user.

Authenticating as a service account using an IAM token

The procedure is based on obtaining a short-lived IAM token with the Yandex Cloud CLI and passing it to Terraform through an environment variable. This keeps the configuration portable and free of secrets: the IAM token is never written to configuration files, and the code describes only the resources to create, without being tied to a particular cloud or folder.

A service account using impersonation is the recommended and most secure way to get authenticated.

When creating an IAM token, impersonate the service account you created by specifying its ID in the --impersonate-service-account-id parameter. As a result, Terraform will manage the folder's resources under the service account and use the service account's IAM token.

Note

To use impersonation, the user must have the iam.serviceAccounts.tokenCreator role for the service account.

To authenticate as a service account:

  1. If you do not have the Yandex Cloud CLI yet, install it.

  2. In the Yandex Cloud CLI, create a new profile or activate a previously created one.

  3. Authenticate under your Yandex account, federated account, or local user account.

  4. If you do not have a service account, create one.

  5. Assign the service account the roles needed to manage Yandex Cloud resources.

  6. Write the credentials to the environment variables using impersonation:

    • Bash

      export YC_TOKEN=$(yc iam create-token --impersonate-service-account-id <service_account_ID>)
      export YC_CLOUD_ID=$(yc config get cloud-id)
      export YC_FOLDER_ID=$(yc config get folder-id)
      
    • PowerShell

      $Env:YC_TOKEN=$(yc iam create-token --impersonate-service-account-id <service_account_ID>)
      $Env:YC_CLOUD_ID=$(yc config get cloud-id)
      $Env:YC_FOLDER_ID=$(yc config get folder-id)
      

    Where <service_account_ID> is the service account ID.

As a result, the service account's IAM token, cloud ID, and folder ID will be saved in the environment variables.

Note

This IAM token authenticates every operation until it expires (at most 12 hours after issue). After that you must obtain a new token. To have the IAM token reissued automatically, use a script or other means of automation.

To extend the period during which you do not have to authenticate in the browser, use refresh tokens, which let the CLI reissue IAM tokens without opening the browser. To do so, enable refresh tokens at the organization level and initialize DPoP protection in the CLI.

In the provider block of your Terraform configuration, leave out the credentials and scope so that no sensitive data ends up in the file or in version control:

provider "yandex" {
  # Do not specify `cloud_id`, `folder_id`, or `token`:
  # the provider reads them from the environment variables

  zone = "<availability_zone>"
}

Where zone is the default availability zone for all your cloud resources.

With this configuration, run Terraform commands without any additional flags; the provider picks the token, cloud ID, and folder ID up from the environment variables.

Authenticating as a service account using an authorized key

An authorized key lets you authenticate repeatedly with a key you generated once, which suits non-interactive pipelines where no user is present to obtain an IAM token. A long-lived key is, however, less secure than impersonation with a short-lived IAM token: whoever obtains the key file can act as the service account until the key is deleted, so protect the file and rotate it regularly.

To authenticate as a service account using an authorized key:

  1. If you do not have a service account, create one.

  2. Assign to the service account the roles it needs to manage Yandex Cloud resources.

  3. Create an authorized key for the service account and save it to the key.json file.

  4. Write the authorized key file path and the cloud and folder IDs to environment variables (the key file itself is the secret; the path only tells the provider where to read it):

    • Bash

      export YC_SERVICE_ACCOUNT_KEY_FILE="<key_file_path>"
      export YC_CLOUD_ID="<cloud_ID>"
      export YC_FOLDER_ID="<folder_ID>"
      
    • PowerShell

      $Env:YC_SERVICE_ACCOUNT_KEY_FILE="<key_file_path>"
      $Env:YC_CLOUD_ID="<cloud_ID>"
      $Env:YC_FOLDER_ID="<folder_ID>"
      

    Where:

    • YC_SERVICE_ACCOUNT_KEY_FILE: Path to the authorized key file named key.json.
    • YC_CLOUD_ID: Cloud ID.
    • YC_FOLDER_ID: Folder ID.

    Note

    When running the plan and apply commands, you can also pass the cloud and folder IDs as command-line arguments instead of environment variables. Terraform rejects -var values for undeclared variables, so this requires the configuration to declare cloud_id and folder_id input variables and the provider block to reference them:

    terraform apply -var="cloud_id=<cloud_ID>" -var="folder_id=<folder_ID>"
    
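An authorized key is a long-lived secret, so before exporting YC_SERVICE_ACCOUNT_KEY_FILE it is worth checking that the file is private to its owner, is actually an authorized key rather than some other secret saved under the same name, and belongs to the service account you expect. The checks below are an added example, not part of the Yandex Cloud documentation or the yc tool; the function names are this example's own, and the field names id, service_account_id and private_key and the PEM "BEGIN PRIVATE KEY" marker are assumed from the JSON that yc iam key create writes.

```shell
#!/usr/bin/env bash
# check-yc-key.sh: checks to run before handing an authorized key to Terraform
# via YC_SERVICE_ACCOUNT_KEY_FILE. Added example, not part of the Yandex Cloud
# documentation; the function names are this script's own. Assumes the file is
# the JSON written by `yc iam key create`, with "id", "service_account_id" and a
# PEM "private_key" (assumption; adjust the field names if your file differs).
# Meant to be sourced so that the exports reach the shell that runs terraform.

# 0 when the key is readable only by its owner (mode 0600 or 0400). A group- or
# world-readable key on a shared build host is the usual way a long-lived
# credential leaks, so anything else is rejected with a hint on how to fix it.
key_file_private() {
  local file="$1" mode
  [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
  # GNU stat first, BSD/macOS stat as the fallback
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "mode $mode on $file is too open; run: chmod 600 $file" >&2; return 1 ;;
  esac
}

# 0 when the JSON carries the fields of an authorized key and the private key
# is PEM. A bare IAM token or API key saved under the same name fails here,
# so the wrong kind of secret is never exported as a key file.
key_file_wellformed() {
  local file="$1" field
  for field in id service_account_id private_key; do
    grep -q "\"$field\"[[:space:]]*:" "$file" || { echo "missing \"$field\" in $file" >&2; return 1; }
  done
  grep -q 'BEGIN PRIVATE KEY' "$file" || { echo "private_key in $file is not PEM" >&2; return 1; }
}

# Print the service_account_id from the key file (plain sed, no jq needed).
key_service_account_id() {
  sed -n 's/.*"service_account_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Run all checks, optionally pin the key to an expected service account, then
# export exactly what the provider reads.
# Usage: load_key_env <key_file_path> <cloud_ID> <folder_ID> [expected_service_account_ID]
load_key_env() {
  local file="$1" cloud="$2" folder="$3" expect_sa="${4:-}" sa
  key_file_private "$file" || return 1
  key_file_wellformed "$file" || return 1
  if [ -n "$expect_sa" ]; then
    sa=$(key_service_account_id "$file")
    [ "$sa" = "$expect_sa" ] || { echo "key belongs to $sa, expected $expect_sa" >&2; return 1; }
  fi
  export YC_SERVICE_ACCOUNT_KEY_FILE="$file" YC_CLOUD_ID="$cloud" YC_FOLDER_ID="$folder"
}

# Usage: . ./check-yc-key.sh && load_key_env ./key.json <cloud_ID> <folder_ID> <service_account_ID> && terraform plan
```

Pinning the key to an expected service account ID matters in pipelines that handle several keys: a key for a more privileged account that is picked up by mistake passes every other check and Terraform would happily use it.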

In the provider block of your Terraform configuration, leave out the credentials and scope so that no sensitive data ends up in the file or in version control:

provider "yandex" {
  # Do not specify `cloud_id`, `folder_id`, `token`, or `service_account_key_file`:
  # the provider reads them from the environment variables

  zone = "<availability_zone>"
}

Where zone is the default availability zone for all your cloud resources.

With this configuration, run Terraform commands without any additional flags; the provider picks the key file path, cloud ID, and folder ID up from the environment variables.

Authenticating as a user account

As with a service account, the procedure is based on obtaining a short-lived IAM token with the Yandex Cloud CLI and passing it to Terraform through an environment variable, so the token is never written to configuration files and the code stays portable across clouds and folders.

Warning

Managing resources as a user account is less secure than as a service account: the IAM token then carries every permission granted to your user rather than a role set scoped to what Terraform needs, and the changes are tied to a person rather than to the automation.

To authenticate as a user account:

  1. If you do not have the Yandex Cloud CLI yet, install it.

  2. In the Yandex Cloud CLI, create a new profile or activate a previously created one.

  3. Authenticate as a Yandex account, federated user, or local user.

  4. Write the IAM token of your profile's account and the cloud and folder IDs to environment variables:

    • Bash

      export YC_TOKEN=$(yc iam create-token)
      export YC_CLOUD_ID=$(yc config get cloud-id)
      export YC_FOLDER_ID=$(yc config get folder-id)
      
    • PowerShell

      $Env:YC_TOKEN=$(yc iam create-token)
      $Env:YC_CLOUD_ID=$(yc config get cloud-id)
      $Env:YC_FOLDER_ID=$(yc config get folder-id)
      

    Where:

    yc iam create-token: Getting an IAM token for the current session.
    yc config get cloud-id: Getting the cloud ID from the current CLI profile.
    yc config get folder-id: Getting the folder ID from the current CLI profile.

    As a result, the IAM token, cloud ID, and folder ID will be saved in the environment variables.

Note

This IAM token authenticates every operation until it expires (at most 12 hours after issue). After that you must obtain a new token. To have the IAM token reissued automatically, use a script or other means of automation.

To extend the period during which you do not have to authenticate in the browser, use refresh tokens, which let the CLI reissue IAM tokens without opening the browser. To do so, enable refresh tokens at the organization level and initialize DPoP protection in the CLI.
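Both token-based procedures on this page (impersonating a service account, and authenticating as a user account) end with an IAM token that expires within 12 hours and that the notes above suggest reissuing by script. The wrapper below is an added example, not part of the Yandex Cloud documentation or of the yc or terraform tools: it reissues the token before a configurable age, impersonates a service account when YC_IMPERSONATE_SA_ID is set and falls back to the active profile's own account otherwise, and refuses to run if a .tf file carries a literal token. The script name, the variables YC_CMD, TF_CMD, TF_DIR, YC_IMPERSONATE_SA_ID and TOKEN_MAX_AGE_SECONDS, and the function names are this example's own; the yc and terraform invocations are the ones shown on this page.

```shell
#!/usr/bin/env bash
# tf-yc.sh: run Terraform with a short-lived Yandex Cloud IAM token that is
# reissued automatically before it gets old. Added example: not part of the
# Yandex Cloud documentation or of the yc/terraform tools. YC_CMD, TF_CMD,
# TF_DIR, YC_IMPERSONATE_SA_ID, TOKEN_MAX_AGE_SECONDS and the function names
# are this script's own; the yc and terraform commands are those on the page.
set -eu

YC_CMD="${YC_CMD:-yc}"               # how the Yandex Cloud CLI is invoked
TF_CMD="${TF_CMD:-terraform}"
# Reissue well inside the 12-hour ceiling for IAM tokens (default: 10 hours).
TOKEN_MAX_AGE_SECONDS="${TOKEN_MAX_AGE_SECONDS:-36000}"
TOKEN_ISSUED_AT=0

# Preflight: the whole point of passing the token through the environment is
# that no credential lives in the configuration. Refuse to run if any .tf file
# under $1 assigns a literal string to `token` (a reference such as var.token
# is not matched).
scan_tf_for_literal_token() {
  local dir="${1:-.}" hits
  hits=$(find "$dir" -name '*.tf' -exec grep -nE \
        '^[[:space:]]*token[[:space:]]*=[[:space:]]*"' /dev/null {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits" >&2
    echo "refusing to run: literal token in Terraform configuration" >&2
    return 1
  fi
}

# 0 (true) when no token is cached yet or the cached one is older than the limit.
token_stale() {
  [ -z "${YC_TOKEN:-}" ] || [ $(( $(date +%s) - TOKEN_ISSUED_AT )) -ge "$TOKEN_MAX_AGE_SECONDS" ]
}

# Issue (or reissue) the IAM token into YC_TOKEN without ever printing it.
# With YC_IMPERSONATE_SA_ID set the token belongs to that service account
# (the recommended path); otherwise to the account behind the active CLI profile.
refresh_token() {
  if [ -n "${YC_IMPERSONATE_SA_ID:-}" ]; then
    YC_TOKEN=$("$YC_CMD" iam create-token --impersonate-service-account-id "$YC_IMPERSONATE_SA_ID")
  else
    YC_TOKEN=$("$YC_CMD" iam create-token)
  fi
  [ -n "$YC_TOKEN" ] || { echo "yc iam create-token returned nothing" >&2; return 1; }
  export YC_TOKEN
  TOKEN_ISSUED_AT=$(date +%s)
}

# Cloud and folder IDs come from the active CLI profile unless already set.
export_scope() {
  YC_CLOUD_ID="${YC_CLOUD_ID:-$("$YC_CMD" config get cloud-id)}"
  YC_FOLDER_ID="${YC_FOLDER_ID:-$("$YC_CMD" config get folder-id)}"
  export YC_CLOUD_ID YC_FOLDER_ID
}

# Run one terraform command, refreshing the token first when it is stale.
run_tf() {
  if token_stale; then refresh_token || return 1; fi
  "$TF_CMD" "$@"
}

# Each argument is one terraform command line, e.g. "plan -out=tf.plan";
# a long pipeline therefore never hands Terraform an expired token.
main() {
  scan_tf_for_literal_token "${TF_DIR:-.}" || return 1
  export_scope
  local step
  for step in "$@"; do
    # shellcheck disable=SC2086  (word splitting of $step is intended here)
    run_tf $step || return 1
  done
}

# Usage: YC_IMPERSONATE_SA_ID=<service_account_ID> ./tf-yc.sh init "plan -out=tf.plan" "apply tf.plan"
[ $# -eq 0 ] || main "$@"
```

The token is kept only in the process environment and is never echoed or written to disk; the age check is deliberately conservative (10 hours against a 12-hour ceiling) so that a step started just before the threshold still completes on a valid token.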

In the provider block of your Terraform configuration, leave out the credentials and scope so that no sensitive data ends up in the file or in version control:

provider "yandex" {
  # Do not specify `cloud_id`, `folder_id`, or `token`:
  # the provider reads them from the environment variables

  zone = "<availability_zone>"
}

Where zone is the default availability zone for all your cloud resources.

With this configuration, run Terraform commands without any additional flags; the provider picks the token, cloud ID, and folder ID up from the environment variables.

© 2026 Direct Cursus Technology L.L.C.