Access management

About access management

All operations in Yandex.Cloud are checked by the Identity and Access Management service. If the subject performing an operation does not have the required permission, the service returns an error.

To grant permission to a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, service account, or system group. For more information, see How access management in Yandex.Cloud works.

What resources you can assign roles to

Currently, you can assign roles for a cloud or a folder. Roles assigned at these levels also apply to all nested resources (for example, to every registry in the folder).

What roles exist in the service

The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.

[Diagram: roles available in the service and which roles' permissions each of them inherits]

Active roles in the service:

  • Service roles:
    • container-registry.images.puller: Lets you view information about registries, Docker images, and repositories, and pull Docker images from the registry.
    • container-registry.images.pusher: Lets you push Docker images to the registry.
  • Primitive roles:
    • viewer: Only lets you view information about the resources.
    • editor: Lets you manage resources (create, edit, and delete).
    • admin: Lets you manage resources and access to them (assign, revoke, and view roles).

What roles do I need

The table below lists the roles needed to perform a given action. You can always assign a role granting more permissions than the role specified. For example, you can assign editor instead of viewer.

View data

| Action | Methods | Required roles |
|---|---|---|
| Get a list of registries | list | container-registry.images.puller for the folder |
| Get information about registries, Docker images, and repositories | get, list | container-registry.images.puller for the registry containing the resources |
| Pull a Docker image from a registry | | container-registry.images.puller for the specified registry |

Manage resources

| Action | Methods | Required roles |
|---|---|---|
| Create registries in a folder | create | editor for the folder |
| Update and delete registries | update, delete | editor for the specified registry |
| Create Docker images using basic Docker images from the registry | | container-registry.images.puller for the specified registry |
| Create Docker images without using basic Docker images from the registry | | No roles required |
| Push Docker images to the registry | | container-registry.images.pusher for the specified registry |
| Delete Docker images | delete | editor for the registry containing the Docker image |

Manage resource access

| Action | Methods | Required roles |
|---|---|---|
| Assign a role, revoke a role, and view roles granted for the folder or cloud | setAccessBindings, updateAccessBindings, listAccessBindings | admin for the resource |
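The two rules that decide the outcome of the checks above are that a role assigned on a cloud or folder also applies to nested resources, and that a role granting more permissions (editor instead of viewer) always satisfies a check for the lesser role. The following Python model, added here as an illustration and not code from Yandex.Cloud, puts both rules together so you can reason about which binding lets which subject perform which row of the table. It assumes a cloud → folder → registry hierarchy, assumes the primitive roles nest as admin ⊃ editor ⊃ viewer, and treats the two service roles as independent of each other and of the primitive roles, since the page shows that relationship only in the diagram. All resource ids, subjects and bindings are constructed sample data.

```python
"""Toy model of how Yandex.Cloud IAM checks compose (added illustration).

Assumptions (not stated as such on the page):
  * resource hierarchy cloud -> folder -> registry; bindings on an ancestor
    apply to every nested resource;
  * primitive roles nest admin > editor > viewer;
  * the service roles container-registry.images.puller / .pusher imply
    nothing else (the real inclusion graph is only in the page's diagram).
All ids, subjects and bindings below are constructed sample data.
"""
from dataclasses import dataclass

# Parent of each resource in the constructed hierarchy (None = top level).
PARENT = {
    "cloud-1": None,
    "folder-a": "cloud-1",
    "registry-x": "folder-a",
    "registry-y": "folder-a",
}

# Roles directly implied by each role, per the assumptions above.
IMPLIES = {
    "admin": {"editor"},
    "editor": {"viewer"},
    "viewer": set(),
    "container-registry.images.puller": set(),
    "container-registry.images.pusher": set(),
}


@dataclass(frozen=True)
class Binding:
    resource: str
    role: str
    subject: str  # e.g. "serviceAccount:sa-ci" or "userAccount:alice"


def expand(role):
    """All roles granted by `role`, transitively (a role grants itself)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r in seen:
            continue
        seen.add(r)
        stack.extend(IMPLIES.get(r, ()))
    return seen


def effective_roles(bindings, subject, resource):
    """Roles the subject holds on `resource`, including those inherited
    from each ancestor (registry -> folder -> cloud)."""
    roles, node = set(), resource
    while node is not None:
        for b in bindings:
            if b.subject == subject and b.resource == node:
                roles |= expand(b.role)
        node = PARENT[node]
    return roles


def check(bindings, subject, resource, required_role):
    """Mimic the IAM decision: allow only if the subject effectively holds
    `required_role` (directly or via a role that includes it)."""
    return required_role in effective_roles(bindings, subject, resource)


# Constructed sample bindings.
SAMPLE = [
    Binding("folder-a", "container-registry.images.puller", "serviceAccount:sa-deploy"),
    Binding("registry-x", "container-registry.images.pusher", "serviceAccount:sa-ci"),
    Binding("cloud-1", "editor", "userAccount:alice"),
    Binding("registry-y", "admin", "userAccount:bob"),
]

# (subject, resource, required role) -> the decision the model produces.
CASES = [
    ("serviceAccount:sa-deploy", "registry-y", "container-registry.images.puller"),  # folder binding inherited
    ("serviceAccount:sa-ci", "registry-y", "container-registry.images.pusher"),      # pusher on x, not on y
    ("userAccount:alice", "registry-x", "viewer"),                                   # cloud editor covers viewer
    ("userAccount:alice", "registry-x", "admin"),                                    # editor cannot manage access
    ("userAccount:bob", "registry-y", "editor"),                                     # admin on y covers editor
    ("userAccount:bob", "registry-x", "editor"),                                     # but not on sibling x
]


def demo():
    """Evaluate every case; returns {case: allowed}."""
    return {case: check(SAMPLE, *case) for case in CASES}


if __name__ == "__main__":
    for (subject, resource, role), allowed in demo().items():
        print(f"{subject:26} {resource:11} {role:34} {'allow' if allowed else 'DENY'}")
```

Running the script lists each decision; the two denials for `sa-ci` and `bob` are the ones worth noting when you plan bindings, since a role on one registry grants nothing on a sibling registry, while a binding on the shared folder covers both.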
