Yandex Identity and Access Management

The IAM service controls access to resources and lets you configure access rights. You determine who should have rights for a certain resource and what these rights are, while IAM grants access according to the assigned rights.

With IAM, you can:

Access

To grant a user access to a resource, you assign them roles for the resource. Each role consists of a set of permissions that describe operations that can be performed with the resource.

Before performing an operation with a certain resource (such as creating a VM), Yandex.Cloud sends a request to the IAM service to check whether this operation is allowed. IAM compares the list of required permissions to the list of permissions granted to the user performing this operation. If some of the permissions are missing, the operation is not allowed and Yandex.Cloud returns an error. For more information, see How access management in Yandex.Cloud works.
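The permission check described above, as an added illustration (not Yandex.Cloud's own code): roles are sets of permissions, role bindings attach roles to a subject on a resource, and an operation is allowed only when every permission it requires is granted. All role, permission, resource and subject names here are constructed for the example.

```python
# Added example modelling the IAM authorization check. Role, permission,
# resource and subject names are constructed, not real Yandex.Cloud values.
from typing import Dict, Set, Tuple

# A role is a named set of permissions (constructed sample roles).
ROLES: Dict[str, Set[str]] = {
    "viewer": {"compute.instances.get", "compute.instances.list"},
    "editor": {"compute.instances.get", "compute.instances.list",
               "compute.instances.create", "compute.instances.delete"},
}

# Role bindings: (resource, subject) -> roles assigned to that subject
# on that resource. Subjects may be users or service accounts.
BINDINGS: Dict[Tuple[str, str], Set[str]] = {
    ("folder-a", "user:alice"): {"editor"},
    ("folder-a", "user:bob"): {"viewer"},
    ("folder-a", "serviceAccount:deploy"): {"viewer"},
}

# Operation -> the permissions it requires (constructed).
OPERATIONS: Dict[str, Set[str]] = {
    "create-vm": {"compute.instances.create"},
    "list-vms": {"compute.instances.list"},
}


def granted_permissions(resource: str, subject: str) -> Set[str]:
    """Union of the permissions of every role bound to subject on resource."""
    perms: Set[str] = set()
    for role in BINDINGS.get((resource, subject), set()):
        perms |= ROLES.get(role, set())
    return perms


def authorize(resource: str, subject: str, operation: str) -> Tuple[bool, Set[str]]:
    """Return (allowed, missing_permissions).

    Mirrors the check in the text: the required permissions are compared
    with those granted; if any are missing, the operation is denied.
    A subject with no bindings has no permissions and is denied by default.
    """
    required = OPERATIONS[operation]
    missing = required - granted_permissions(resource, subject)
    return (not missing, missing)
```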

Accounts

Users performing operations with resources are identified via Yandex.Passport accounts and service accounts.

Note

Billing accounts aren't used for managing resources in Yandex.Cloud and aren't part of IAM. For more information, see Billing accounts in the billing documentation.

Yandex.Passport accounts

A Yandex.Passport account is your Yandex or Yandex.Connect account. You need a Yandex.Passport account to manage resources from the management console.

Service accounts

A service account is an account that can be used by a program to manage resources in Yandex.Cloud via the API.

Service accounts let you flexibly configure access rights to resources for programs you have written. For more information, see Service accounts.

Authorization keys

There are three different kinds of authorization keys in Yandex.Cloud:

These keys are currently only used for service accounts.

Authorization

The user has to pass authorization so that IAM can check the user's rights. Authorization is performed in different ways, depending on the type of account and the interface used. For more information, see Authorization in Yandex.Cloud.