When a user does something with a resource in {{ yandex-cloud }}, IAM checks whether the user has the access rights required to perform this operation.
Users get permissions through the roles assigned to them for a resource. For more information about how roles are assigned and how the list of permissions is checked, see {#T}.
Before authorization, a user must be authenticated, i.e., they must log in using their account. Authentication is performed in different ways depending on the type of account and the interface used:
{% list tabs group=instructions %}
- Management console {#console}

  When logging in to your Yandex or Yandex 360 account, you will be authenticated automatically.

- CLI {#cli}

  To perform operations in the CLI, authenticate by following this guide. After this, authentication will work automatically.

- API {#api}

  {% include owner-warning %}

  To perform operations in the API:

  - Get an IAM token in exchange for your OAuth token.
  - {% include iam-token-usage %}

  {% include iam-token-lifetime %}

{% endlist %}
{% list tabs group=instructions %}
- CLI {#cli}

  To perform operations in the CLI, authenticate by following this guide. After this, authentication will work automatically.

- API {#api}

  There are three ways to perform operations on behalf of a service account:

  - Using an IAM token:
    This is the recommended authentication method, but IAM tokens have a short lifetime. This makes it a good method for applications that automatically request an IAM token.
  - With API keys.
    {% include api-keys-disclaimer %}
  - Using static access keys. Use this method for services with an AWS-compatible API, such as {{ objstorage-name }} and {{ message-queue-name }}.

{% endlist %}
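The two API flows above (exchanging an OAuth token for an IAM token, and an application that requests short-lived IAM tokens automatically) can share one caching helper. The sketch below is an added example, not code from this documentation: `IamTokenProvider`, `parse_expires_at`, the 300-second refresh margin and the `YC_OAUTH_TOKEN` variable are hypothetical names and values, and it assumes the IAM API reply carries `iamToken` and a UTC `expiresAt` timestamp ending in `Z`.

```python
import json
import threading
import time
import urllib.request
from datetime import datetime, timezone

IAM_TOKENS_URL = "https://iam.api.cloud.yandex.net/iam/v1/tokens"

def exchange_oauth_token(oauth_token):
    """POST the OAuth token to the IAM API and return the parsed JSON reply."""
    body = json.dumps({"yandexPassportOauthToken": oauth_token}).encode()
    req = urllib.request.Request(IAM_TOKENS_URL, data=body,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def parse_expires_at(value):
    """Convert an RFC 3339 UTC timestamp (any fraction length) to epoch seconds."""
    head, _, frac = value.rstrip("Z").partition(".")
    dt = datetime.strptime(head, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.timestamp() + (float("0." + frac) if frac else 0.0)

class IamTokenProvider:
    """Caches an IAM token and requests a new one shortly before it expires."""
    def __init__(self, fetch, refresh_margin=300, clock=time.time):
        self._fetch, self._margin, self._clock = fetch, refresh_margin, clock
        self._token, self._expires = None, 0.0
        self._lock = threading.Lock()

    def token(self):
        with self._lock:  # one refresh at a time when shared between threads
            if self._token is None or self._clock() >= self._expires - self._margin:
                reply = self._fetch()
                expires = parse_expires_at(reply["expiresAt"])
                self._token, self._expires = reply["iamToken"], expires
            return self._token

    def auth_header(self):
        # The IAM token is a bearer credential: keep it out of logs and error text.
        return {"Authorization": "Bearer " + self.token()}

# Usage for a user account (YC_OAUTH_TOKEN is a hypothetical variable name):
#   provider = IamTokenProvider(
#       lambda: exchange_oauth_token(os.environ["YC_OAUTH_TOKEN"]))
```

For a service account, pass a `fetch` callable that obtains the IAM token in whichever way that account uses; the caching logic is unchanged.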
{% list tabs group=instructions %}
- Management console {#console}

  {% include federated-user-auth %}

  The authentication process for a federated user depends on the IdP server settings. For more information, see {#T}.

- CLI {#cli}

  To perform operations in the CLI, authenticate by following this guide.

{% include include %}
{% endlist %}