Identity and access management
Yandex.Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user doesn't have any roles assigned, almost all operations are forbidden. Regardless of the roles assigned, the user can view reference lists of availability zones and disk types.
To allow access to Yandex Compute Cloud resources (VMs, disks, images, and snapshots), assign the user the required roles from the list below. At this time, a role can only be assigned to a parent resource (folder or cloud), and the roles are inherited by nested resources.
Note
For more information about role inheritance, see Access rights inheritance in the Yandex Resource Manager documentation.
Assigning roles
To assign a role to a user:
-
In the management console, click
and go to Access management. -
Select the tab Users and roles.
-
In the line with the appropriate user name, click Configure roles.
-
To add a role in a cloud, click Assign role in the Roles for the cloud
section. To add a role for a folder, select the folder and click Assign role in the Roles for folders section.
-
Select the desired role from the list. For more information about roles, see Roles in the documentation on the service Yandex Identity and Access Management.
Roles
The list below shows all roles that are considered when verifying access rights in the Compute Cloud service.
Service roles
Service roles are roles that allow access to the resources of a particular service. When checking Compute Cloud resource access rights, Compute Cloud and Resource Manager service roles are considered.
compute.images.user
Role compute.images.user applies to images only. A user with the role compute.images.user can use the appropriate image when creating new disks, VM instances, and other images.
Role compute.images.user can only be assigned for a folder or cloud. Currently, you cannot assign this role for an image itself.
The role compute.images.user includes the following permissions:
- To get a list of images.
- To get information about an image.
- To get information about the last image in the specified family.
- To use the image when creating new resources.
resource-manager.clouds.member
When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member.
This role is necessary for accessing cloud resources to everyone except the owners of the cloud and system group allAuthenticatedUsers.
This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.
Important
To enable a user to work in the cloud through the Management Console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.
resource-manager.clouds.owner
Role resource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operations with the cloud and the resources in it.
Only the cloud owner can assign to or remove from the users the role resource-manager.clouds.owner.
The cloud must have at least one owner. The only owner of the cloud cannot remove this role from oneself.
Common roles
You can assign common roles to any resource in any service.
viewer
A user with the viewer can view information about resources, for example, view a list of disks or obtain information about a VM.
editor
A user with the editor can manage any resources, such as create, stop, or start a VM, and attach or detach a disk.
In addition, the editor role includes all permissions of the viewer role.
admin
A user with the admin can manage access rights to resources, for example, allow other users to create VMs or view information about them.
In addition, the admin role includes all permissions of the role of editor.