[Yandex Cloud documentation](../../../index.md) > [Yandex Identity and Access Management](../../index.md) > [Concepts](../index.md) > [Authentication](index.md) > Static access key

# Static access keys compatible with the AWS API


{% note info %}

Creating static access keys for service accounts may be prohibited by [access policies](../access-control/access-policies.md) at the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder), [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud), or [organization](../../../organization/concepts/organization.md) level.

{% endnote %}

A static access key is required to authenticate a [service account](../users/service-accounts.md) in [AWS-compatible APIs](#supported-services).

It consists of two parts:

* Key ID
* Secret key

Both parts are used in requests to the AWS-compatible API. A key ID is specified in open format. A secret key is used to sign request parameters and is not specified in the request.

It is the client's responsibility to store the secret key. Yandex Cloud gives access to it only when [creating a static key](../../operations/authentication/manage-access-keys.md#create-access-key).

A static key has no expiration date.

{% note alert %}

Make sure no third party has access to your secret key. Keep your key in a secure location. If your key has become known to a third party, [reissue](../../operations/compromised-credentials.md#access-key-reissue) it.

{% endnote %}

To ensure security and control over access to resources, monitor cases of unauthorized use of keys, and delete unused keys without the risk of disrupting Yandex Cloud services, you can track the dates of last use of service account access keys. You can find this info on the service account page in the [management console](https://console.yandex.cloud) or in the `last_used_at` field when using the API to invoke access key management methods.

In addition to static access keys, you can use [Security Token Service](sts.md) temporary keys, also compatible with the AWS API, to work with Yandex Object Storage.

## Static key format {#access-key-format}

### Key ID {#key-id}

A key ID consists of 25 characters and always starts with `YC`. Other characters may include:

* Latin letters.
* Numbers.
* Underscores (`_`) and hyphens (`-`).

Here is an example of a key ID: `YCchbYEDdcsYFBnxSWbcjDJDn`.

### Secret key {#private-key}

A secret key consists of 40 characters and always starts with `YC`. Other characters may include:

* Latin letters.
* Numbers.
* Underscores (`_`) and hyphens (`-`).

Here is an example of a secret key: `YCVdheub7w9bImcGAnd3dZnf08FRbvjeUFvehGvc`.

For an example of using a secret key and its ID in an AWS-compatible API, see the [AWS Command Line Interface](../../../storage/tools/aws-cli.md#config-files) section.

## Services that support this authentication method {#supported-services}

The following services support authentication based on static access keys:

* [Object Storage](../../../storage/s3/index.md)
* [Message Queue](../../../message-queue/api-ref/index.md)
* [Managed Service for YDB](../../../ydb/docapi/tools/aws-setup.md)
* [Yandex Data Streams](../../../data-streams/index.md)
* [Yandex Cloud Postbox](../../../postbox/aws-compatible-api/index.md)

## Use cases {#examples}

* [Using a Yandex Lockbox secret to store a static access key](../../tutorials/static-key-in-lockbox/index.md)

#### Useful links {#see-also}

* [Creating a static access key](../../operations/authentication/manage-access-keys.md#create-access-key)
* [How to choose a suitable authentication method in Yandex Cloud](index.md)
* [Security Token Service](sts.md)
* [Using a Yandex Lockbox secret to store a static access key](../../tutorials/static-key-in-lockbox/index.md)