# Authenticating as a service account

{% note info %}

When performing actions on behalf of a service account, ensure that it has the required [roles](../../../iam/concepts/access-control/roles.md) [assigned](../../../iam/operations/sa/assign-role-for-sa.md) to it.

{% endnote %}

{% note warning %}

Creating service accounts and their [keys](../../../iam/concepts/users/service-accounts.md#sa-key) may be prohibited by [access policies](../../../iam/concepts/access-control/access-policies.md) at the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder), [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud), or [organization](../../../organization/concepts/organization.md) level.

{% endnote %}

Learn how to get authenticated in the Yandex Cloud CLI:

* [On behalf of a service account using impersonation](#use-impersonation). Using [impersonation](../../../iam/concepts/access-control/impersonation.md) is the recommended and most secure way to get authenticated in the Yandex Cloud CLI.
* [On behalf of a service account using an authorized key](#auth-as-sa). Using an [authorized key](../../../iam/concepts/authorization/key.md) allows you to continually get authenticated in the Yandex Cloud CLI with the same authorized key you generated. Using a long-lived key is less secure than using impersonation.
* [As a service account from inside a VM](#vm-auth-as-sa). Using a [service account](../../../iam/concepts/users/service-accounts.md) attached to the Yandex Compute Cloud [VM](../../../compute/concepts/vm.md) is the recommended method of authentication in the Yandex Cloud CLI when using a VM.

[Service accounts](../../../iam/concepts/users/service-accounts.md) are different from [Yandex user accounts](../../../iam/concepts/users/accounts.md#passport), [federated user accounts](../../../iam/concepts/federations.md), or [local user accounts](../../../iam/concepts/users/accounts.md#local). You cannot use service accounts to log in to the [management console](https://console.yandex.cloud), but you can use them to manage resources in Yandex Cloud.

## Getting started {#before-begin}

1. Authenticate in the CLI as a [Yandex user](user.md), a [federated user](federated-user.md), or a [local user](local-user.md).
1. If you do not have a service account yet, [create one](../../../iam/operations/sa/create.md) and [configure access permissions for it](../../../iam/operations/sa/assign-role-for-sa.md).

## Perform actions on behalf of a service account using impersonation {#use-impersonation}

{% note info %}

To use impersonation, the user must have the `iam.serviceAccounts.tokenCreator` [role](../../../iam/security/index.md#iam-serviceAccounts-tokenCreator) for the service account.

{% endnote %}

To perform an action on behalf of a service account:

1. Get a list of service accounts that exist in your cloud:
   
   ```bash
   yc iam service-account --folder-id <folder_ID> list
   ```
   
   Result:
   ```text
   +----------------------+------------+--------+---------------------+-----------------------+
   |          ID          |    NAME    | LABELS |     CREATED AT      | LAST AUTHENTICATED AT |
   +----------------------+------------+--------+---------------------+-----------------------+
   | ajeg2b2et02f******** | my-robot   |        | 2024-09-08 18:59:45 | 2025-08-21 06:40:00   |
   | ajegtlf2q28a******** | default-sa |        | 2023-06-27 16:18:18 | 2025-08-21 06:30:00   |
   +----------------------+------------+--------+---------------------+-----------------------+
   ```
1. When running Yandex Cloud CLI commands, use [impersonation](../../../iam/concepts/access-control/impersonation.md) of your service account by specifying its ID in the `--impersonate-service-account-id` parameter.

    For example, to create a [bucket](../../../storage/concepts/bucket.md) named `my-sample-bucket` in the default folder on behalf of a service account, run this command:

    ```bash
    yc storage bucket create \
      --name my-sample-bucket \
      --impersonate-service-account-id <service_account_ID>
    ```

Some commands require that you specify unique IDs for your cloud and folder. You can run such commands with the `--cloud-id` and `--folder-id` parameters.

## Get authenticated on behalf of a service account using an authorized key {#auth-as-sa}

To authenticate as a service account:

1. Get a list of service accounts that exist in your cloud:
   
   ```bash
   yc iam service-account --folder-id <folder_ID> list
   ```
   
   Result:
   ```text
   +----------------------+------------+--------+---------------------+-----------------------+
   |          ID          |    NAME    | LABELS |     CREATED AT      | LAST AUTHENTICATED AT |
   +----------------------+------------+--------+---------------------+-----------------------+
   | ajeg2b2et02f******** | my-robot   |        | 2024-09-08 18:59:45 | 2025-08-21 06:40:00   |
   | ajegtlf2q28a******** | default-sa |        | 2023-06-27 16:18:18 | 2025-08-21 06:30:00   |
   +----------------------+------------+--------+---------------------+-----------------------+
   ```
1. Create an authorized key for the service account and save it to a file named `key.json`:

    ```bash
    yc iam key create \
      --service-account-name default-sa \
      --output key.json \
      --folder-id <folder_ID>
    ```
    
    Result:
    ```text
    id: aje83v701b1u********
    service_account_id: aje3932acd0c********
    created_at: "2019-08-26T12:31:25Z"
    key_algorithm: RSA_2048
    ```

1. Add the service account authorized key to the CLI profile.

    1. Create a new CLI profile:

        ```bash
        yc config profile create sa-profile
        ```
    1. Add an authorized key:

        ```bash
        yc config set service-account-key key.json
        ```

1. Make sure the parameters for the service account are added correctly:

    ```bash
    yc config list
    ```
    
    Result:

    ```text
    service-account-key:
      id: aje83v701b1u********
      service_account_id: aje3932acd0c********
      created_at: "2019-08-26T12:31:25Z"
      key_algorithm: RSA_2048
      public_key: |
        -----BEGIN PUBLIC KEY-----
        MIIBIjANBg...
        -----END PUBLIC KEY-----
      private_key: |
        -----BEGIN PRIVATE KEY-----
        MIIEvwIBAD...
        -----END PRIVATE KEY-----
    ```

1. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.
    
    1. Specify the cloud in your profile:
    
        ```bash
        yc config set cloud-id <cloud_ID>
        ```
    
        You can also use the `--cloud-id` parameter to [run commands](../../concepts/index.md#manage-properties).
    1. Specify a folder in the profile:
    
        ```bash
        yc config set folder-id <folder_ID>
        ```
    
        You can also use the `--folder-id` parameter to [run commands](../../concepts/index.md#manage-properties).
    
    All operations in this profile will be performed on behalf of the linked service account. You can [change the profile parameters](../profile/manage-properties.md) or [switch to another profile](../profile/profile-activate.md).
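
Because the authorized key is long-lived and `key.json` holds its private half, it is worth checking the file before adding it to a profile. The following script is an added example, not part of the Yandex Cloud CLI or its documentation: it verifies that the key file is readable only by its owner and that the key is not older than a rotation limit. The script name `audit-sa-key.sh`, the function names, the 90-day limit, and the assumption that the file is JSON with a `created_at` field in the format shown in the `yc iam key create` result are all assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Yandex Cloud code): audit a service account key file
# before it is added to a CLI profile. Works with GNU or BusyBox stat/date.
MAX_AGE_DAYS="${MAX_AGE_DAYS:-90}"   # assumed rotation policy, adjust to yours

# Print the created_at timestamp stored in the key file.
key_created_at() {
  sed -n 's/.*"created_at"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the key age in whole days; $2 is "now" in epoch seconds (default: current time).
key_age_days() {
  local created created_s now
  created="$(key_created_at "$1")"
  [ -n "$created" ] || return 2
  # "2019-08-26T12:31:25Z" -> "2019-08-26 12:31:25", a form both date variants parse
  created="$(printf '%s' "$created" | sed -e 's/T/ /' -e 's/\.[0-9]*//' -e 's/Z$//')"
  created_s="$(date -u -d "$created" +%s)" || return 2
  now="${2:-$(date -u +%s)}"
  echo $(( (now - created_s) / 86400 ))
}

# Return 0 if the file is owner-only and the key is within MAX_AGE_DAYS, else 1.
audit_sa_key() {
  local file="$1" now="${2:-}" rc=0 mode age
  [ -f "$file" ] || { echo "FAIL $file: not found"; return 1; }
  mode="$(stat -c '%a' "$file")"
  case "$mode" in
    0|*00) ;;   # no group/other permission bits
    *) echo "FAIL $file: mode $mode exposes the private key, run: chmod 600 $file"; rc=1 ;;
  esac
  if age="$(key_age_days "$file" "$now")"; then
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then
      echo "FAIL $file: key is ${age} days old (limit ${MAX_AGE_DAYS}), rotate it"; rc=1
    fi
  else
    echo "FAIL $file: created_at missing or unparsable"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK $file: mode $mode, ${age} days old"
  return "$rc"
}

# Usage: ./audit-sa-key.sh key.json
if [ "$#" -gt 0 ]; then audit_sa_key "$1"; fi
```

Run it before `yc config set service-account-key key.json`. The `yc config list` result shown above also contains the private key, so treat that output as being as sensitive as the file itself.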

## Authenticate as a service account from inside a VM {#vm-auth-as-sa}

The authentication process from inside a VM is simplified for a service account:

1. [Link your service account](../../../compute/operations/vm-connect/auth-inside-vm.md#link-sa-with-instance) to a VM.
1. Authenticate from inside a VM:

    1. [Connect](../../../compute/operations/vm-connect/ssh.md) to the VM over SSH.
    1. Create a new profile:

        ```bash
        yc config profile create my-robot-profile
        ```

1. Configure your profile to run commands.

    Some commands require that you specify unique IDs for your cloud and folder. You can specify their details in the profile or use a specific flag for these commands.
    
    1. Specify the cloud in your profile:
    
        ```bash
        yc config set cloud-id <cloud_ID>
        ```
    
        You can also use the `--cloud-id` parameter to [run commands](../../concepts/index.md#manage-properties).
    1. Specify a folder in the profile:
    
        ```bash
        yc config set folder-id <folder_ID>
        ```
    
        You can also use the `--folder-id` parameter to [run commands](../../concepts/index.md#manage-properties).
    
    All operations in this profile will be performed on behalf of the linked service account. You can [change the profile parameters](../profile/manage-properties.md) or [switch to another profile](../profile/profile-activate.md).


Read more about working with Yandex Cloud from a VM in [Using Yandex Cloud from within a VM](../../../compute/operations/vm-connect/auth-inside-vm.md).


#### See also

- [Managing a CLI configuration](../../concepts/index.md#manage-properties).
- [Creating a profile](../profile/profile-create.md).
- [Activating a profile](../profile/profile-activate.md).
- [Managing profile parameters](../profile/manage-properties.md).
- [Using Yandex Cloud from within a VM](../../../compute/operations/vm-connect/auth-inside-vm.md).