How access management in Yandex.Cloud works
On this page, you can find out how to manage access to resources and how IAM checks access rights to them.
How are access rights verified?
All operations with resources in Yandex.Cloud are first sent for verification to IAM. For example:
- A user wants the Yandex Compute Cloud service to create a new disk in the
- The service sends a request to IAM to check whether this user is allowed to create disks in this folder.
- IAM checks if the user is a member of the cloud with the
defaultfolder and has the necessary permissions to create a disk in this folder.
- If the user does not have any of the permissions, the operation is not performed and Yandex.Cloud returns an error. If all the required permissions are granted, IAM reports this to the service.
- The service creates a new disk.
How do I perform access management?
You can also assign a role to a parent resource that access rights are inherited from, such as a folder or cloud.
Changing access rights usually takes 30 seconds or less, but it may take up to 5 minutes.
For example, you were given the right to create folders in the cloud and you were able to create one folder, but couldn't create another one. This is because the access rights have not yet been updated on the server where the second create folder operation was performed. Try creating a folder again.
Resources that roles can be assigned for
If you need to grant access to another resource, such as a VM, assign a role for the resource that access rights to that VM are inherited from, such as a folder.
Resource roles can be assigned by users with the administrator role for the resource, as well as the owners of the cloud the resource belongs to.
Each role consists of a set of permissions that describe operations that can be performed with the resource. A user can assign a role with only those permissions which are available to themselves. For example, to assign somebody the role of cloud owner, the user must be granted this role, while the admin role is not sufficient for this.
For information about what roles exist and what permissions they include, see Roles.
Subject that a role is assigned to
To assign a role, you should specify the subject this role is assigned to. From the viewpoint of IAM, a role is assigned to an access subject.
There are three types of subjects:
userAccount: a user's account on Yandex.
serviceAccount: a service account created in Yandex.Cloud.
system: a system group. At the moment, there is just one system group,
allAuthenticatedUsers, that incudes all users registered with and authenticated in Yandex.Cloud.
Binding access rights
Roles to a resource are assigned as a list of role-subject bindings. They are called access bindings. You can add or remove these bindings to control access rights to a resource.
Each binding is a single assignment of a role to a subject. To assign a user multiple roles for a resource, set a separate binding for each role.
Inheritance of access rights
If a resource has child resources, all permissions from the parent resource will be inherited by the child resources. For example, if you assign a user a role for a folder where a VM instance resides, all permissions of this role will also apply to the instance.
If a child resource is also assigned some roles, a list of permissions for this resource will be combined with a list of permissions for its parent resource.
For more information about managing access to a specific Yandex.Cloud service, see the
Access management section in the documentation on that service.
Step-by-step instructions and examples: