[Yandex Cloud documentation](../../../index.md) > [Yandex Identity and Access Management](../../index.md) > [Concepts](../index.md) > Authentication > How to choose the correct authentication method

# How to choose the appropriate authentication method in Yandex Cloud

Users and [service accounts](../users/service-accounts.md) get permissions to perform actions with Yandex Cloud resources along with [roles](../../roles-reference.md) for these resources. Identity and Access Management verifies the required permissions when a user or service account runs an operation on a Yandex Cloud resource.

For more information about assigning roles and verifying the list of permissions, see [How access management works in Yandex Cloud](../access-control/index.md).

{% note info %}

Creating service accounts and their [keys](../users/service-accounts.md#sa-key) may be prohibited by [access policies](../access-control/access-policies.md) at the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder), [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud), or [organization](../../../organization/concepts/organization.md) level.

{% endnote %}

Use the appropriate credential type for authentication:

* [IAM token](iam-token.md) is the recommended and most secure type. It is suitable for most operations, such as [creating a VM](../../../compute/operations/vm-create/create-linux-vm.md). It does not work with certain services or APIs that require other types of credentials.

    You can set up automatic IAM token renewal using [refresh tokens](refresh-token.md) for all types of user [accounts](../users/accounts.md). This allows them to access the [Yandex Cloud CLI](../../../cli/index.md) without re-authenticating in the browser after the IAM token expires.
* [API key](api-key.md) is used for [services](api-key.md#supported-services) that do not support authentication with IAM tokens. You can limit the API key by [validity period and scope](api-key.md#scoped-api-keys).
* [Static access key](access-key.md) is suitable for authentication in services with an AWS-compatible API, such as [Yandex Object Storage](../../../storage/index.md) and [Yandex Managed Service for YDB](../../../ydb/index.md). From a static key, you can create a [temporary access key](sts.md) for Object Storage buckets.
* [Authorized key](key.md) is used in cases where you need to control all stages of issuing an IAM token. You may need it when obtaining an IAM token for a [service account](../../operations/iam-token/create-for-sa.md#via-jwt). Authorized keys are used for authentication only by applications form [Yandex Cloud Marketplace](https://yandex.cloud/en/marketplace).
* [ID token](id-token.md) is used to for Yandex Cloud service account authentication in third-party systems with [OIDC](https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)) support. It is not suitable for authentication within Yandex Cloud.
* [Cookie](cookie.md) is only used for service purposes.


#### See also {#see-also}

[Accounts in Yandex Cloud](../users/accounts.md)