Yandex Identity and Access Management

The IAM service controls access to resources and provides functionality for setting up access rights. You determine who should have rights to a certain resource and what these rights are, while IAM grants access according to the assigned rights.

With IAM, you can:


To grant a user access to a resource, you assign them roles for the resource. Each role consists of a set of permissions that describe operations that can be performed with the resource.

Before performing an operation with a certain resource (for example, creating a VM), Yandex.Cloud sends a request to the IAM service to check whether this operation is allowed. IAM compares the list of required permissions to the list of permissions granted to the user who is performing this operation. If some of the permissions are missing, the operation is not allowed and Yandex.Cloud returns an error. For more information, see the section How access management in Yandex.Cloud works.


Users who are performing operations with resources are identified via Yandex.Passport accounts and service accounts.


Billing accounts are not used for resource management in Yandex.Cloud and do not pertain to the IAM service. For more information, see the section Billing account in the billing documentation.

Yandex.Passport account

A Yandex.Passport account is your Yandex or Yandex.Connect account. You need a Yandex.Passport account for managing resources via the management console.

Service account

A service account is an account that can be used by a program to manage resources in Yandex.Cloud via the API.

By using service accounts you can flexibly configure access rights to resources for programs you have written. For more information, see Service accounts.


The user has to go through authorization so that IAM can check the user's rights. Authorization is performed in different ways, depending on the type of account and the interface used. For more information, see the section Authorization in Yandex.Cloud.