# Get an IAM token using JWT

+ [docs](https://cloud.yandex.com/en-ru/docs/iam/operations/iam-token/create-for-sa#via-jwt)
+ [getting service account ID](https://cloud.yandex.com/en-ru/docs/iam/operations/sa/get-id)
+ [service account page](https://console.cloud.yandex.com/folders/b1g3aavp9tndrdr9q148/service-account/aje3tjuga4fhvts05btv)
+ [creating authorized keys](https://cloud.yandex.com/en-ru/docs/iam/operations/authorized-key/create)


## Getting YA keys

### Dev env

+ name : vow-dev
+ service account id : aje3tjuga4fhvts05btv


### Set service account name for the context

In [None]:
$ENV:YA_SACC_NAME='vow-dev'

### Get service account id

In [None]:
yc iam service-account get $ENV:YA_SACC_NAME

### Create authorized keys 
Will create key every time you run it !

In [None]:
# yc iam key create --service-account-name $ENV:YA_SACC_NAME -o ya-keys/vow-dev.json

## Getting IMA token

[docs](https://cloud.yandex.com/en-ru/docs/iam/operations/iam-token/create-for-sa#via-jwt)

In [None]:
#r "nuget:jose-jwt"
#r "nuget:BouncyCastle"

open System
open System.Collections.Generic
open System.IO
open System.Security.Cryptography
open Jose
open Org.BouncyCastle.Crypto.Parameters
open Org.BouncyCastle.OpenSsl
open Org.BouncyCastle.Security

let serviceAccountId = "ajepg0mjt06siua65usm"
let keyId = "lfkoe35hsk58aks301nl"
let now = DateTimeOffset.UtcNow.ToUnixTimeSeconds()

let headers = [ "kid", keyId :> obj] |> Map.ofSeq

let payload = [
    ("aud", "https://iam.api.cloud.yandex.net/iam/v1/tokens" :> obj)
    ("iss", serviceAccountId :> obj)
    ("iat", now :> obj)
    ("exp", (now + int64 3600) :> obj) ] |> Map.ofSeq

let pemStream = File.OpenText("./ya-keys/key-1.pem")
let privateKeyParams = PemReader(pemStream).ReadObject() :?> RsaPrivateCrtKeyParameters

printfn "%O" privateKeyParams

let rsa = new RSACryptoServiceProvider()
rsa.ImportParameters(DotNetUtilities.ToRSAParameters privateKeyParams)
let encodedToken = Jose.JWT.Encode(payload, rsa, JwsAlgorithm.PS256, headers)


In [None]:
#r "nuget:System.IdentityModel.Tokens.Jwt"

open Microsoft.IdentityModel.Tokens
open System
open System.IdentityModel.Tokens.Jwt
open System.Security.Claims
open System.Security.Claims
open System.Security.Cryptography

let createSignedToken (signingCredentials: SigningCredentials) (expireInMinutes: int) (claims: Claim seq) =
    let subject = claims |> ClaimsIdentity
    let tokenHandler = JwtSecurityTokenHandler()
    // let key = Encoding.ASCII.GetBytes secret
    let issuedAt = DateTime.UtcNow
    // TODO : Not before will be added automatically and could potentially fails if user PC time is wrong
    // Should be able set skew on client ?
    let issuedAtSkew = issuedAt.AddMinutes(float -1)

    let expires =
        issuedAt.AddMinutes(float expireInMinutes)

    SecurityTokenDescriptor
        (Subject = subject,
            Expires = Nullable(expires),
            SigningCredentials = signingCredentials,
            IssuedAt = Nullable(issuedAt),
            NotBefore = Nullable(issuedAtSkew))
    |> tokenHandler.CreateToken
    |> tokenHandler.WriteToken

let createRS256Key () =
    let rsa = RSA.Create()
    let pemStream = File.ReadAllBytes("./ya-keys/key-1.pem") :> Span<byte>
    let z = ReadOnlyMemory(Encoding.UTF8.GetBytes(pemStream))    
    rsa.ImportFromPem(z)
    //RsaSecurityKey(rsa.ExportParameters(true))

// let creds = SigningCredentials((createHS256Key secret), SecurityAlgorithms.HmacSha256Signature)

Stopped due to error


In [None]:
#r "nuget:JWT"

open JWT
open JWT.Builder
open JWT.Algorithms

let serviceAccountId = "ajepg0mjt06siua65usm"
let keyId = "lfkoe35hsk58aks301nl"
let now = DateTimeOffset.UtcNow.ToUnixTimeSeconds()

let headers = [ "kid", keyId :> obj] |> Map.ofSeq

let payload = [
    ("aud", "https://iam.api.cloud.yandex.net/iam/v1/tokens" :> obj)
    ("iss", serviceAccountId :> obj)
    ("iat", now :> obj)
    ("exp", (now + int64 3600) :> obj) ] |> Map.ofSeq 

let createRSA filePath =
    let chars = File.ReadAllText(filePath) |> Seq.toArray
    let span = System.ReadOnlySpan(chars)
    let rsa = RSA.Create()
    rsa.ImportFromPem(span)
    rsa


//let pub = RSA.Create().ImportFromPem("pub.pem")
//let priv = RSA.Create().ImportFromPem("pub.pem")
//let rsaAlgo = RS256Algorithm(pub, priv)    

let rsaPriv = createRSA "./ya-keys/priv.pem"
let rsaPub = createRSA "./ya-keys/pub.pem"

printfn "%s" (rsaPriv.ToXmlString true)
printfn "%s" (rsaPub.ToXmlString false)
//printfn "%s" (rsaPriv.ToXmlString false)

let rsaAlgo = RS256Algorithm (rsaPub, rsaPriv)    

//let encoder = JwtEncoder(rsaAlgo, (JsonNetSerializer() :> IJsonSerializer), JwtBase64UrlEncoder())

let builder = JwtBuilder.Create().AddHeader(HeaderName.KeyId, keyId).WithAlgorithm(rsaAlgo).AddClaims(payload)
let str = builder.Encode()

printfn "%s" str



<RSAKeyValue><Modulus>jI8NwBueFsdPirQd7gy5TpO53piEHi8b5Qypo/9jQJ5jR53ijPJsrleu/aT02DoU9CsKa3iHjhQ0579vty3Ws43KE7fIntPWvtCwJs+2Xh1OD1K4Dh2PeOTlyJcIh9ajmqZkGD5oRNxYatqfqpwe2/RpSAAglML2ogjp95Bu5lJkLPdiZfVNuw9xQ7dCvZc+m1NHG8h92SGpk2zlVcUKh0myjscwhfe3bEE/xUZACwHmXWM19ltDRagfYq4V5CV4iHyu7RlxgrgfmYWlPfBNZta4uRyNz1fLu4IJuOajBCaQJkn/sdxqQQIBd5w7QASPhQqEiQdjD/5VAPEpO0B/ww==</Modulus><Exponent>AQAB</Exponent><P>3ayrQxI0o9oGU9A3dbmPptxmWYZHvBIDiIvadm0sYcjZRl/YxhV+WeVANJVos+/p32R4qe2IZB8x/ONn/VzvRUx4pO9oYA4xoqJM+Ppuc569JdNX44lARas4HlfTiP2uPZda+d55yF+gvUmG39BqLpaTAqZQxiC+cY7ZIUAqFGc=</P><Q>olLnC4x+nWCr4taILRXHRkq/a4JT73YH2aZQVsd5LTOFo6M9WwaermMOZ6jMqdb6CcO1nxKAvkteR/qjTRVNhEE/1GdZb8vsVoeSTRzMXrNJBIoaF3heoQuqrmiHdHaueIXhONBsVE5uZfSYCpRdEz8Uk9G2OfiIcDEERqcvAEU=</Q><DP>DBozN3Q0/4UVt1m0zW6WEywRQm38WJ47JydLhA+tzqDii98LvLTLsyi6+qP1lW1RvWqE0/It8hlp5z6bHNAIGCZ2p7qSXjwoJZLq1OUHRrSx6vDA6aFCqwsQA0gUOnRvINm0k9O7nl7qLatn+6wrP+Pkns5ptodvHlAINrKEGZ0=</DP><DQ>VZY2ol06qUo+dwU8meEAyCxDT7FRBlKKgxTxCUB1wQKIdSZuBF+yLSqn




<RSAKeyValue><Modulus>jI8NwBueFsdPirQd7gy5TpO53piEHi8b5Qypo/9jQJ5jR53ijPJsrleu/aT02DoU9CsKa3iHjhQ0579vty3Ws43KE7fIntPWvtCwJs+2Xh1OD1K4Dh2PeOTlyJcIh9ajmqZkGD5oRNxYatqfqpwe2/RpSAAglML2ogjp95Bu5lJkLPdiZfVNuw9xQ7dCvZc+m1NHG8h92SGpk2zlVcUKh0myjscwhfe3bEE/xUZACwHmXWM19ltDRagfYq4V5CV4iHyu7RlxgrgfmYWlPfBNZta4uRyNz1fLu4IJuOajBCaQJkn/sdxqQQIBd5w7QASPhQqEiQdjD/5VAPEpO0B/ww==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>




eyJraWQiOiJsZmtvZTM1aHNrNThha3MzMDFubCIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJhdWQiOiJodHRwczovL2lhbS5hcGkuY2xvdWQueWFuZGV4Lm5ldC9pYW0vdjEvdG9rZW5zIiwiZXhwIjoxNjIyODkxMzA3LCJpYXQiOjE2MjI4ODc3MDcsImlzcyI6ImFqZXBnMG1qdDA2c2l1YTY1dXNtIn0.K_ftTtL2sUzG1EX9gzb5F98tWoRIzNUoB1RtmSlyw6AopE5SQVzvlTiEZH-_2afMGnh-s7c9_sIUs4qodw8VT9n-FO3HMzbT4xxiYq5t2rGByl8YMIcnUCu1htc6s1cIIlXtVacyTUBIUKjCbs1qiCMFRDL6YwDKjl5FIBxWE2pKoqLNFaB4Ez0xTRjDRQJwL-9CiKy9mUhFdnKfKlUSpToGBgTF4Ylcx3TTRSZU1jM1wICv7BFefYnzYlb2g7qZF9HnbvtRpeqrLu4jP4oErEB-XsP91iUor35YRDHDw5haE56rJlSXacaSgbGHC2NkC3KlZTicM6c3SsNS4CfpVQ


