[Yandex Cloud documentation](../../../index.md) > [Yandex Identity and Access Management](../../index.md) > [Step-by-step guides](../index.md) > Authentication > Managing ephemeral access keys

# Managing ephemeral access keys

[Some Yandex Cloud services](../../concepts/authorization/ephemeral-keys.md#supported-services) support authentication with [ephemeral access keys](../../concepts/authorization/ephemeral-keys.md).

Ephemeral access keys are created for [Yandex accounts](../../concepts/users/accounts.md#passport), [federated accounts](../../concepts/users/accounts.md#saml-federation), [local users](../../concepts/users/accounts.md#local), and [service accounts](../../concepts/users/service-accounts.md).

To create an ephemeral access key, the user needs the `iam.serviceAccounts.ephemeralAccessKeyAdmin` [role](../../security/index.md#iam-serviceAccounts-ephemeralAccessKeyAdmin) or higher for the folder.

## Creating an ephemeral access key {#create}

{% note info %}

Creating ephemeral access keys for service accounts may be prohibited by [access policies](../../concepts/access-control/access-policies.md) at the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder), [cloud](../../../resource-manager/concepts/resources-hierarchy.md#cloud), or [organization](../../../organization/concepts/organization.md) level.

{% endnote %}

{% list tabs group=instructions %}

- Yandex Cloud CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the command for creating an ephemeral access key:

      ```bash
      yc iam access-key issue-ephemeral --help
      ```

  1. Create an ephemeral access key:

      ```bash
      yc iam access-key issue-ephemeral \
        --subject-id <account_ID> \
        --session-name <session_name> \
        --policy <file_path> \
        --duration <lifespan>
      ```

      Where:

      * `--subject-id`: Service account ID. If this parameter is not specified, the system will generate the key for the user sending the request.
      * `--session-name`: Session name, 1 to 64 characters long. It is required for identifying a session if the service account is [impersonated](../../concepts/access-control/impersonation.md) for multiple users. This is a required setting.
      * `--policy`: Path to the [access policy](../../../storage/concepts/policy.md) file as a [data schema](../../../storage/s3/api-ref/policy/scheme.md) in JSON format. It this parameter is not specified, the key will grant full [bucket](../../../storage/concepts/bucket.md) access.
      * `--duration`: Key lifespan, from `15m` to `12h`. It this parameter is not specified, the key lifespan will be limited to that of the current session's IAM token.

      Result:

      ```text
      access_key_id: ajelprpohp8t********
      secret: YCOs05v-KRXqhYpUINdWArH4MINhMyJ6CGU********
      session_token: s1.9muilY********
      expires_at: "2025-12-16T06:23:51.383485065Z"
      ```

  1. Save `access_key_id`, the `secret` key, and `session_token`. You will not be able to get these values again.

- API {#api}

    Use the [createEphemeral](../../awscompatibility/api-ref/TemporaryAccessKey/createEphemeral.md) REST API method for the [TemporaryAccessKey](../../awscompatibility/api-ref/TemporaryAccessKey/index.md) resource or the [TemporaryAccessKeyService/CreateEphemeral](../../awscompatibility/api-ref/grpc/TemporaryAccessKey/createEphemeral.md) gRPC API call.

{% endlist %}


## Testing bucket access {#test}

{% list tabs group=instructions %}

- AWS CLI {#cli}

  1. Make sure the account you created the ephemeral access key for has access to the relevant bucket. If it does not, [assign](../sa/assign-role-for-sa.md) your account the required [role](../../../storage/security/index.md#roles-list), e.g., [storage.viewer](../../../storage/security/index.md#storage-viewer), for the bucket.

      Alternatively, you can use [ACL](../../../storage/security/acl.md) permissions for a bucket.

  1. Add a new profile to `~/.aws/credentials`:

      ```text
      [<profile_name>]
      aws_access_key_id     = <key_ID>
      aws_secret_access_key = <secret_key>
      aws_session_token     = <session_token>
      ```

      Specify in your profile the values you got when creating the ephemeral access key:

      * `aws_access_key_id`: `access_key_id` key ID.
      * `aws_secret_access_key`: `secret` key.
      * `aws_session_token`: `session_token`.

  1. Save to the client device the object from the prefix of the bucket access was granted to:

      ```bash
      aws --endpoint https://storage.yandexcloud.net s3 cp \
        s3://<bucket_name>/<prefix><object_name> ./
      ```

      Result:

      ```text
      download: s3://<bucket_name>/<prefix><object_name> to ./<object_name>
      ```

{% endlist %}


#### Useful links {#see-also}

* [Access management methods in Object Storage: Overview](../../../storage/security/overview.md)
* [Creating a temporary access key using Security Token Service](../sa/create-sts-key.md)
* [Accessing a bucket using an ephemeral access key](../../../storage/operations/buckets/manage-ephemeral-keys.md)