
# Setting up Yandex Cloud Terraform provider authentication

To authenticate to Yandex Cloud and manage your infrastructure, Terraform can act as a:
* [Service account](../iam/concepts/users/service-accounts.md) using an [IAM token](#service-account) or [authorized key](#service-account-key).
* [User account](#user).
    * [Yandex account](../iam/concepts/users/accounts.md#passport).
    * [Federated account](../iam/concepts/users/accounts.md#saml-federation).
    * [Local user](../iam/concepts/users/accounts.md#local).


## Authenticating as a service account using an IAM token {#service-account}

The authentication procedure is based on getting a temporary IAM token with the help of the Yandex CLI and delivering it to Terraform. This makes your Terraform configuration universal and secure, because the IAM token is not saved in configuration files, and the code describes only the resource creation logic without being associated with a particular cloud or folder.

A service account using [impersonation](../iam/concepts/access-control/impersonation.md) is the recommended and most secure way to get authenticated.

When creating an IAM token, impersonate the service account you created by specifying its ID in the `--impersonate-service-account-id` parameter. As a result, Terraform will manage the folder's resources under the service account and use the service account's IAM token.

{% note info %}

To use impersonation, the user must have the `iam.serviceAccounts.tokenCreator` [role](../iam/security/index.md#iam-serviceAccounts-tokenCreator) for the service account.

{% endnote %}

To authenticate as a service account:

1. If you do not have the Yandex Cloud CLI yet, [install it](../cli/operations/install-cli.md).

1. In the Yandex Cloud CLI, [create](../cli/operations/profile/profile-create.md) a new profile or [activate](../cli/operations/profile/profile-activate.md) a previously created one.

1. Authenticate under your [Yandex account](../cli/operations/authentication/user.md), [federated](../cli/operations/authentication/federated-user.md) account, or [local](../cli/operations/authentication/local-user.md) user account.

1. If you do not have a service account, [create](../iam/operations/sa/create.md) one.

1. [Assign](../iam/operations/sa/assign-role-for-sa.md) the service account the roles needed to manage Yandex Cloud resources.

1. Write the credentials to the environment variables using impersonation:

    {% list tabs group=programming_language %}

    - Bash {#bash}

      ```bash
      export YC_TOKEN=$(yc iam create-token --impersonate-service-account-id <service_account_ID>)
      export YC_CLOUD_ID=$(yc config get cloud-id)
      export YC_FOLDER_ID=$(yc config get folder-id)
      ```

    - PowerShell {#powershell}

      ```powershell
      $Env:YC_TOKEN=$(yc iam create-token --impersonate-service-account-id <service_account_ID>)
      $Env:YC_CLOUD_ID=$(yc config get cloud-id)
      $Env:YC_FOLDER_ID=$(yc config get folder-id)
      ```

    {% endlist %}

    Where `<service_account_ID>` is the ID of the service account to impersonate.

As a result, the service account's IAM token, cloud ID, and folder ID will be saved in the environment variables.

{% note info %}

This IAM token will be used to authenticate each operation until the end of the token's [lifetime](../iam/concepts/authorization/iam-token.md) (not more than 12 hours). After this, you will need to authenticate again. To have the IAM token reissued automatically, use a script or other means of automation. 

To extend the period during which you do not have to authenticate in the browser, use [refresh tokens](../iam/concepts/authorization/refresh-token.md), which allow you to reissue IAM tokens without entering the browser. Do it by enabling refresh tokens [at the organization level](../iam/concepts/authorization/refresh-token.md#token-enabling) and [initializing DPoP protection](../iam/concepts/authorization/refresh-token.md#enabling-dpop) in the CLI.

{% endnote %}

In the provider block of your Terraform configuration, leave the sensitive settings out so that none of them is disclosed in the file:

```hcl
provider "yandex" {
  # Do not specify `cloud_id`, `folder_id`, or `token` here:
  # the provider reads them from the environment variables

  zone = "<availability_zone>"
}
```

Where `zone` is the default [availability zone](../overview/concepts/geo-scope.md) for all your cloud resources.

With this configuration, run Terraform without any additional flags: the provider reads the IAM token, cloud ID, and folder ID from the environment variables.


## Authenticating as a service account using an authorized key {#service-account-key}

This method lets you authenticate repeatedly with an authorized key you generated once. A long-lived key, however, is less secure than [impersonation with an IAM token](#service-account).

To authenticate as a service account using an authorized key:
1. If you do not have a service account, [create](../iam/operations/sa/create.md) one.
1. [Assign](../iam/operations/sa/assign-role-for-sa.md) to the service account the roles it needs to manage Yandex Cloud resources.
1. [Create](../iam/operations/authentication/manage-authorized-keys.md#create-authorized-key) an authorized key for the service account and save it to the `key.json` file.
1. Write the sensitive values, namely the authorized key file path and the cloud and folder IDs, to environment variables:

    {% list tabs group=programming_language %}

    - Bash {#bash}

      ```bash
      export YC_SERVICE_ACCOUNT_KEY_FILE="<key_file_path>"
      export YC_CLOUD_ID="<cloud_ID>"
      export YC_FOLDER_ID="<folder_ID>"
      ```

    - PowerShell {#powershell}

      ```powershell
      $Env:YC_SERVICE_ACCOUNT_KEY_FILE="<key_file_path>"
      $Env:YC_CLOUD_ID="<cloud_ID>"
      $Env:YC_FOLDER_ID="<folder_ID>"
      ```

    {% endlist %}

    Where:

    * `YC_SERVICE_ACCOUNT_KEY_FILE`: Path to the authorized key file (`key.json` from the previous step).
    * `YC_CLOUD_ID`: Cloud ID.
    * `YC_FOLDER_ID`: Folder ID.

    {% note info %}

    When running the `plan` and `apply` commands, you can provide these values directly as command line arguments without specifying them in the configuration:

    ```bash
    terraform apply -var="cloud_id=<cloud_ID>" -var="folder_id=<folder_ID>"
    ```

    {% endnote %}

In the provider block of your Terraform configuration, leave the sensitive settings out so that none of them is disclosed in the file:

```hcl
provider "yandex" {
  # Do not specify `cloud_id`, `folder_id`, `token`, or `service_account_key_file` here:
  # the provider reads them from the environment variables

  zone = "<availability_zone>"
}
```

Where `zone` is the default [availability zone](../overview/concepts/geo-scope.md) for all your cloud resources.

With this configuration, run Terraform without any additional flags: the provider reads the key file path, cloud ID, and folder ID from the environment variables.
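An added check, not part of the Yandex Cloud documentation, to run before exporting the variables from this section: it rejects a key file that other users can read, or that is not an authorized key at all, instead of quietly handing it to the provider. The JSON member names it looks for (`service_account_id`, `private_key`) are an assumption about the layout of `key.json`.

```bash
#!/usr/bin/env bash
# Added example, not from the Yandex Cloud docs: check a long-lived authorized key
# file before exporting YC_SERVICE_ACCOUNT_KEY_FILE, so a key that other users can
# read, or a file that is not an authorized key at all, is rejected up front.
set -eu

# Return 0 when no group/other permission bit is set (mode 0600 or 0400).
# Columns 5-10 of `ls -ld` are the group and other bits on both GNU and BSD ls.
key_file_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Return 0 when $1 is a regular file carrying the members an authorized key JSON has.
# Assumption: key.json contains "service_account_id" and "private_key" members.
key_file_looks_valid() {
  [ -f "$1" ] && grep -q '"service_account_id"' "$1" && grep -q '"private_key"' "$1"
}

# Export the three variables from the procedure above, refusing if the key file is
# missing, malformed or readable by other users, or if either ID is empty.
yc_export_key_env() {
  local key_file="$1" cloud_id="$2" folder_id="$3"
  if ! key_file_looks_valid "$key_file"; then
    echo "not an authorized key file: $key_file" >&2; return 1
  fi
  if ! key_file_is_private "$key_file"; then
    echo "key file is readable by other users; chmod 600 it first: $key_file" >&2; return 1
  fi
  if [ -z "$cloud_id" ] || [ -z "$folder_id" ]; then
    echo "cloud ID and folder ID must both be set" >&2; return 1
  fi
  export YC_SERVICE_ACCOUNT_KEY_FILE="$key_file" YC_CLOUD_ID="$cloud_id" YC_FOLDER_ID="$folder_id"
}
```

Source the file and call `yc_export_key_env <key_file_path> <cloud_ID> <folder_ID>` in place of the three `export` lines above.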


## Authenticating as a user account {#user}

The authentication procedure is based on getting a temporary IAM token with the help of the Yandex CLI and delivering it to Terraform. This makes your Terraform configuration universal and secure, because the IAM token is not saved in configuration files, and the code describes only the resource creation logic without being associated with a particular cloud or folder.

{% note warning %}

It is less secure to manage resources as a user account than as a service account.

{% endnote %}

To authenticate as a user account:

1. If you do not have the Yandex Cloud CLI yet, [install it](../cli/operations/install-cli.md).

1. In the Yandex Cloud CLI, [create](../cli/operations/profile/profile-create.md) a new profile or [activate](../cli/operations/profile/profile-activate.md) a previously created one.

1. Authenticate as a [Yandex account](../cli/operations/authentication/user.md), [federated](../cli/operations/authentication/federated-user.md) user, or [local](../cli/operations/authentication/local-user.md) user.

1. Write your profile’s sensitive data, namely IAM token, cloud and folder IDs, into environment variables:
   
   {% list tabs group=programming_language %}
   
   - Bash {#bash}
   
     ```bash
     export YC_TOKEN=$(yc iam create-token)
     export YC_CLOUD_ID=$(yc config get cloud-id)
     export YC_FOLDER_ID=$(yc config get folder-id)
     ```
   
   - PowerShell {#powershell}
   
     ```powershell
     $Env:YC_TOKEN=$(yc iam create-token)
     $Env:YC_CLOUD_ID=$(yc config get cloud-id)
     $Env:YC_FOLDER_ID=$(yc config get folder-id)
     ```
   
   {% endlist %}
   
   Where:

   * `yc iam create-token`: Gets an IAM token for the current session.
   * `yc config get cloud-id`: Gets the cloud ID from the current CLI profile.
   * `yc config get folder-id`: Gets the folder ID from the current CLI profile.

   As a result, the IAM token, cloud ID, and folder ID will be saved in the environment variables.

{% note info %}

This IAM token will be used to authenticate each operation until the end of the token's [lifetime](../iam/concepts/authorization/iam-token.md) (not more than 12 hours). After this, you will need to authenticate again. To have the IAM token reissued automatically, use a script or other means of automation. 

To extend the period during which you do not have to authenticate in the browser, use [refresh tokens](../iam/concepts/authorization/refresh-token.md), which allow you to reissue IAM tokens without entering the browser. Do it by enabling refresh tokens [at the organization level](../iam/concepts/authorization/refresh-token.md#token-enabling) and [initializing DPoP protection](../iam/concepts/authorization/refresh-token.md#enabling-dpop) in the CLI.

{% endnote %}

In the provider block of your Terraform configuration, leave the sensitive settings out so that none of them is disclosed in the file:

```hcl
provider "yandex" {
  # Do not specify `cloud_id`, `folder_id`, or `token` here:
  # the provider reads them from the environment variables

  zone = "<availability_zone>"
}
```

Where `zone` is the default [availability zone](../overview/concepts/geo-scope.md) for all your cloud resources.

With this configuration, run Terraform without any additional flags: the provider reads the IAM token, cloud ID, and folder ID from the environment variables.
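The notes in the service account and user account sections say to reissue the IAM token by script when its lifetime runs out. The following is one way to do that, as an added example that is not part of the Yandex Cloud documentation; it serves both procedures (pass the service account ID for impersonation, or nothing for the user account procedure) and uses only the `yc` commands shown on this page. The stamp file path and the 11-hour age budget are choices made here, not values from the docs.

```bash
#!/usr/bin/env bash
# Added example, not from the Yandex Cloud docs: issue the IAM token the way the
# procedure does, but fail closed on an empty value and record the issue time so
# automation can reissue the token before its 12-hour lifetime runs out.
set -eu

# Age (seconds) after which a token is reissued; assumption: 11 h, under the 12 h max.
YC_TOKEN_MAX_AGE="${YC_TOKEN_MAX_AGE:-39600}"

# Return 0 (stale) when the stamp file $1 is missing or its recorded issue time,
# in epoch seconds, is at least YC_TOKEN_MAX_AGE old.
yc_token_is_stale() {
  local stamp="$1" issued now
  [ -s "$stamp" ] || return 0
  issued=$(cat "$stamp")
  now=$(date +%s)
  [ $((now - issued)) -ge "$YC_TOKEN_MAX_AGE" ]
}

# Export YC_TOKEN, YC_CLOUD_ID and YC_FOLDER_ID. $1 is the service account ID to
# impersonate (empty for the user account procedure); $2 is the stamp file path.
# `export X=$(cmd)` hides cmd's exit status, so each value is captured into a plain
# variable first: under `set -e` a failed `yc` call aborts instead of exporting "".
yc_export_env() {
  local sa_id="${1:-}" stamp="${2:-${TMPDIR:-/tmp}/yc_token.stamp}" token cloud folder
  if [ -n "${YC_TOKEN:-}" ] && ! yc_token_is_stale "$stamp"; then
    return 0   # current token is still inside its age budget; keep using it
  fi
  if [ -n "$sa_id" ]; then
    token=$(yc iam create-token --impersonate-service-account-id "$sa_id")
  else
    token=$(yc iam create-token)
  fi
  cloud=$(yc config get cloud-id)
  folder=$(yc config get folder-id)
  if [ -z "$token" ] || [ -z "$cloud" ] || [ -z "$folder" ]; then
    echo "yc returned an empty token, cloud ID or folder ID; not exporting" >&2
    return 1
  fi
  export YC_TOKEN="$token" YC_CLOUD_ID="$cloud" YC_FOLDER_ID="$folder"
  date +%s > "$stamp"
}

# Usage: source this file, then run `yc_export_env <service_account_ID>` before
# each `terraform plan` or `terraform apply`.
```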