Yandex.Cloud
  • Services
  • Why Yandex.Cloud
  • Pricing
  • Documentation
  • Contact us
Get started
Yandex Compute Cloud
  • Getting started
    • Overview
    • Creating a Linux VM
    • Creating a Windows VM
    • Creating instance groups
  • Step-by-step instructions
    • All instructions
    • Creating VMs
      • Creating a Linux VM
      • Creating a Windows VM
      • Creating a VM from a set of disks
      • Create a VM with disks restored from snapshots
      • Creating a VM from a custom image
      • Creating a preemptible VM
      • Creating a VM with a GPU
    • DSVM
      • Overview
      • Creating a VM from a public DSVM image
    • Placement groups
      • Creating a placement group
      • Deleting a placement group
      • Creating a VM instance in a placement group
      • Adding a VM to a placement group
      • Removing a VM instance from a placement group
    • Images with pre-installed software
      • Creating a VM from a public image
      • Configuring software
      • Working with a VM based on a public image
      • Getting a list of public images
    • Getting information about a VM
      • Getting information about a VM
      • Viewing serial port output
    • Managing VMs
      • Stopping and starting a VM
      • Attaching a disk to a VM
      • Detaching a disk from a VM
      • Moving a VM to a different availability zone
      • Making a VM's public IP address static
      • Updating a VM
      • Changing VM computing resources
      • Deleting a VM
    • Working on VMs
      • Connecting to a VM via SSH
      • Connecting to a VM via RDP
      • Working with Yandex.Cloud from inside a VM
      • Installing NVIDIA drivers
    • Creating new disks
      • Creating an empty disk
    • Disk management
      • Creating a disk snapshot
      • Updating a disk
      • Deleting a disk
      • Deleting a disk snapshot
    • Creating new images
      • Uploading your image
    • Managing images
      • Deleting a disk image
    • Managing the serial console
      • Getting started
      • Connecting to a serial console via SSH
      • Connecting to a serial console via CLI
      • Start your terminal in the Windows SAC
      • Disabling access to the serial console
    • Creating instance groups
      • Creating a fixed-size instance group
      • Creating a fixed-size instance group with a load balancer
      • Creating an automatically scaled instance group
      • Creating an instance group from Container Optimized Image
    • Getting information about instance groups
      • Getting a list of groups
      • Getting information about a group
      • Getting a list of instances in a group
    • Managing instance groups
      • Update a group
      • Configure application health check on the VM
      • Update a group
        • Incremental update
        • Updating without downtime
      • Stop a group
      • Start a group
      • Delete a group
    • Dedicated hosts
      • Creating a VM in a group of dedicated hosts
      • Creating a VM on a dedicated host
  • Yandex Container Optimized Solutions
  • Scenarios
    • Configuring NTP time synchronization
    • Running instance groups with auto scaling
  • Concepts
    • Relationship between resources
    • Virtual machines
      • Overview
      • Platforms
      • vCPU performance levels
      • Graphics accelerators (GPUs)
      • Preemptible VMs
      • Network on a VM
      • Live migration
      • Placement groups
      • Statuses
      • Metadata
    • Disks
      • Overview
      • Disk snapshots
    • Images
    • Instance groups
      • Overview
      • Access
      • Instance template
      • Variables in an instance template
      • Policies
        • Overview
        • Allocation policy
        • Deployment policy
        • Scaling policy
      • Scaling types
      • Auto-healing
      • Update
        • Overview
        • Allocating instances across zones
        • Deployment algorithm
        • Rules for updating instance groups
      • Statuses
    • Dedicated host
    • Backups
    • Quotas and limits
  • Access management
  • Pricing policy
    • Current pricing policy
    • Archive
      • Before January 1, 2019
      • From January 1 to March 1, 2019
      • From March 1 to May 1, 2019
  • Compute API reference
    • Authentication in the API
    • gRPC
      • Overview
      • DiskPlacementGroupService
      • DiskService
      • DiskTypeService
      • HostGroupService
      • HostTypeService
      • ImageService
      • InstanceService
      • PlacementGroupService
      • SnapshotService
      • ZoneService
      • InstanceGroupService
      • OperationService
    • REST
      • Overview
      • Disk
        • Overview
        • create
        • delete
        • get
        • list
        • listOperations
        • update
      • DiskPlacementGroup
        • Overview
        • create
        • delete
        • get
        • list
        • listDisks
        • listOperations
        • update
      • DiskType
        • Overview
        • get
        • list
      • HostGroup
        • Overview
        • create
        • delete
        • get
        • list
        • listHosts
        • listInstances
        • listOperations
        • update
      • HostType
        • Overview
        • get
        • list
      • Image
        • Overview
        • create
        • delete
        • get
        • getLatestByFamily
        • list
        • listOperations
        • update
      • Instance
        • Overview
        • addOneToOneNat
        • attachDisk
        • create
        • delete
        • detachDisk
        • get
        • getSerialPortOutput
        • list
        • listOperations
        • removeOneToOneNat
        • restart
        • start
        • stop
        • update
        • updateMetadata
        • updateNetworkInterface
      • PlacementGroup
        • Overview
        • create
        • delete
        • get
        • list
        • listInstances
        • listOperations
        • update
      • Snapshot
        • Overview
        • create
        • delete
        • get
        • list
        • listOperations
        • update
      • Zone
        • Overview
        • get
        • list
      • Operation
        • Overview
        • get
      • InstanceGroup
        • Overview
        • createFromYaml
        • update
        • list
        • get
        • delete
        • start
        • stop
        • create
        • listAccessBindings
        • setAccessBindings
        • updateFromYaml
        • listLogRecords
        • listInstances
        • updateAccessBindings
        • listOperations
  • Questions and answers
    • General questions
    • Virtual machines
    • Disks and snapshots
    • Licensing
    • All questions on the same page
  1. Access management

Access management

  • About access management
  • What resources you can assign roles to.
  • What roles exist in the service
    • Service roles
    • Primitive roles

In this section, you'll learn:

  • What resources you can assign roles to.
  • What roles exist in the service.

About access management

All transactions in Yandex.Cloud are checked by the Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.

To grant permission to a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, service account, or system group. For more information, see How access management works in Yandex.Cloud.

Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.

What resources you can assign roles to.

As with other services, you can assign roles for clouds, folder, and service accounts. The roles assigned for clouds and folders also apply to nested resources.

What roles exist in the service

The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.

Service roles

Role Permissions
compute.admin Gives rights to manage virtual machines and instance groups.
compute.disks.user Lets you use disks to create new resources, such as virtual machines.
compute.images.user Lets you use images to create new resources, such as virtual machines.
iam.serviceAccounts.user Verifies the right to use the service account.
This role is required to perform operations with instance groups. If you enter a service account in the request, IAM checks that you have rights to use this account.
resource-manager.clouds.member The role required to access resources in the cloud for all users except cloud owners and service accounts.
resource-manager.clouds.owner Grants you full access to a cloud and the resources in it. You can only assign this role for a cloud.

For more information about service roles, see Roles in the Yandex Identity and Access Management documentation.

Primitive roles

Role Permissions
admin Lets you manage your resources and access to them.
editor Lets you manage resources (create, edit, and delete).
viewer Lets you only view information about resources.

What's next

  • How to assign a role.
  • How to revoke a role.
  • Learn more about access management in Yandex.Cloud.
  • For more information about role inheritance.
In this article:
  • About access management
  • What resources you can assign roles to.
  • What roles exist in the service
  • Service roles
  • Primitive roles
Language
Careers
Privacy policy
Terms of use
© 2021 Yandex.Cloud LLC