# Get an IAM token using JWT

+ [docs](https://cloud.yandex.com/en-ru/docs/iam/operations/iam-token/create-for-sa#via-jwt)
+ [getting service account ID](https://cloud.yandex.com/en-ru/docs/iam/operations/sa/get-id)
+ [service account page](https://console.cloud.yandex.com/folders/b1g3aavp9tndrdr9q148/service-account/aje3tjuga4fhvts05btv)
+ [creating authorized keys](https://cloud.yandex.com/en-ru/docs/iam/operations/authorized-key/create)


## Getting YA keys

### Dev env

+ name : vow-dev
+ service account id : aje3tjuga4fhvts05btv


### Set service account name for the context

In [None]:
$ENV:YA_SACC_NAME='vow-dev'

### Get service account id

In [None]:
yc iam service-account get $ENV:YA_SACC_NAME

id: aje3tjuga4fhvts05btv


folder_id: b1g3aavp9tndrdr9q148


created_at: "2021-06-05T07:18:51Z"


name: vow-dev





### Create authorized keys 
Will create key every time you run it !

In [None]:
# yc iam key create --service-account-name $ENV:YA_SACC_NAME -o ya-keys/vow-dev.json

Now from `ya-keys/vow-dev.json`
Copy paste `public_key` field value to `ya-keys/pub.pem` replace all `\n` with real new lines

Copy paste `private_key` field value to `ya-keys/priv.pem` replace all `\n` with real new lines

## Getting IMA token

[docs](https://cloud.yandex.com/en-ru/docs/iam/operations/iam-token/create-for-sa#via-jwt)

In [None]:
#r "nuget:JWT"

open JWT
open JWT.Builder
open JWT.Algorithms

let serviceAccountId = "aje3tjuga4fhvts05btv"
let keyId = "ajecj1pr5i6075ceitkt"
let now = DateTimeOffset.UtcNow.ToUnixTimeSeconds()

let headers = [ "kid", keyId :> obj] |> Map.ofSeq

let payload = [
    ("aud", "https://iam.api.cloud.yandex.net/iam/v1/tokens" :> obj)
    ("iss", serviceAccountId :> obj)
    ("iat", now :> obj)
    ("exp", (now + int64 3600) :> obj) ] |> Map.ofSeq 

let createRSA filePath =
    let chars = File.ReadAllText(filePath) |> Seq.toArray
    let span = System.ReadOnlySpan(chars)
    let rsa = RSA.Create()
    rsa.ImportFromPem(span)
    rsa

let rsaPriv = createRSA "./ya-keys/priv.pem"
let rsaPub = createRSA "./ya-keys/pub.pem"

let rsaAlgo = RS256Algorithm (rsaPub, rsaPriv)    

let builder = JwtBuilder.Create().AddHeader(HeaderName.KeyId, keyId).AddHeader(HeaderName.Algorithm, "PS256").AddHeader(HeaderName.Type, "JWT").WithAlgorithm(rsaAlgo).AddClaims(payload)
let yaJwtStr = builder.Encode()

printfn "yaJwtToken %s" yaJwtStr



### Exchange the JWT for an IAM token
[docs](https://cloud.yandex.com/en-ru/docs/iam/operations/iam-token/create-for-sa#get-iam-token)


In [None]:
#r "nuget:jose-jwt"
#r "nuget:BouncyCastle"

open System
open System.Collections.Generic
open System.IO
open System.Security.Cryptography
open Jose
open Org.BouncyCastle.Crypto.Parameters
open Org.BouncyCastle.OpenSsl
open Org.BouncyCastle.Security

let serviceAccountId = "aje3tjuga4fhvts05btv"
let keyId = "ajecj1pr5i6075ceitkt"
let now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();

let headers = [ ("kid", keyId :> obj); ("type", "JWT" :> obj)] |> Map.ofSeq

let payload = [
    ("aud", "https://iam.api.cloud.yandex.net/iam/v1/tokens" :> obj)
    ("iss", serviceAccountId :> obj)
    ("iat", now :> obj)
    ("exp", (now + int64 3600) :> obj) ] |> Map.ofSeq 


let createRSA filePath =
    let chars = File.ReadAllText(filePath) |> Seq.toArray
    let span = System.ReadOnlySpan(chars)
    let rsa = RSA.Create()
    rsa.ImportFromPem(span)
    rsa

let rsaPriv = createRSA "./ya-keys/priv.pem"
let rsaPub = createRSA "./ya-keys/pub.pem"

let yaJwtToken = Jose.JWT.Encode(payload, rsaPriv, JwsAlgorithm.PS256, headers)

printfn "yaJwtStr %s" yaJwtToken



yaJwtStr 

eyJhbGciOiJQUzI1NiIsImtpZCI6ImFqZWNqMXByNWk2MDc1Y2VpdGt0IiwidHlwZSI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL2lhbS5hcGkuY2xvdWQueWFuZGV4Lm5ldC9pYW0vdjEvdG9rZW5zIiwiZXhwIjoxNjIyODkzOTAwLCJpYXQiOjE2MjI4OTAzMDAsImlzcyI6ImFqZTN0anVnYTRmaHZ0czA1YnR2In0.Eyn1P8uSOnDkY1RGTr_YF4mnnv2wI3I88mxIAgLTAG9GV_e7vwDKRWkogey4tibHZaz7sLP8Act_HlMXq_NajbzrqqGGE4zfMZ6wdpFEvggB3JcwtypS9G7ATrrZSwJKBLTEf9BGca7pUBbng7Mip-3970CsGcAnJQlZy6Wz3wIsDQzgLozJLAShG8efQFxFXtmQERlB001FUHNSY73Hu4_bAVczmsQ44ZhKk-NDml-UApM9eBtYtpY2Qnhb66FUPb_GeCRd_4O8thcOxu3AML-D-ZESazRr7VVgfPPkTOgLOJznqcGMysK4IhHZZxJu1QmjbG9GnauTfW41vgVvxw




In [None]:
#!fsharp

#r "nuget:Oryx"
#r "nuget:Oryx.SystemTextJson"

let YA_TOKENS_URL="https://iam.api.cloud.yandex.net/iam/v1/tokens"

open Oryx
open Oryx.SystemTextJson.ResponseReader
open System.Net.Http
open System.Threading.Tasks
open System.Text.Json

let options = JsonSerializerOptions()

let body = {|
        jwt = yaJwtToken
    |}

let bodyContent = Json.JsonContent.Create body :> HttpContent

type Response = {
    iamToken: string
    code: int
    message: string
}

let request = 
    POST 
    >=> withUrl YA_TOKENS_URL 
    >=> withContent (fun _ -> bodyContent)
    >=> fetch
    >=> json<Response> options

let client = new HttpClient ()
let ctx = 
    HttpContext.defaultContext     
    |> HttpContext.withHttpClient client 

let yaIamTokenResult = request |> runAsync ctx |> Async.AwaitTask |> Async.RunSynchronously

let yaIamToken = 
    match yaIamTokenResult with
    | Ok yaIamToken -> 
        printfn "yaIamToken error %O" yaIamToken
        ""
    | Error err -> 
        printfn "yaIamToken error %O" err
        ""

printfn "yaIamToken %s" yaIamToken


yaIamToken error 

{ code = 0
  message = null }




yaIamToken 




