Roles
A role is a set of user permissions to perform operations with Yandex.Cloud resources.
There are two types of roles:
- Primitive roles contain permissions that apply to all types of Yandex.Cloud resources. These are roles like admin, editor, and viewer.
- Service roles contain permissions only for a specific type of resource in a particular service. Service role ID is specified in service.resources.role format. For example, the compute.images.user role lets you use images in Yandex Compute Cloud.
A service role can be assigned to the resource that the role is intended for or the resource that permissions are inherited from. For example, you can assign the compute.images.user role for a folder or cloud, because images inherit permissions from them.
Currently, users aren't allowed to create new roles with a custom set of permissions.
Primitive roles
viewer
The viewer role grants permission to read resources.
For example, the viewer role lets you perform the following operations:
- View information about a resource.
- Get a list of nested resources, such as a list of VMs in a folder.
- View a list of operations with a resource.
editor
The editor role grants permissions to perform any operation related to resource management, except assigning roles to other users. The editor role includes all permissions granted by the viewer role.
For example, the editor role lets you perform the following operations:
- Create a resource.
- Update a resource.
- Delete a resource.
admin
The admin role grants all permissions to manage the resource, including assigning roles to other users. You can assign any role except resource-manager.clouds.owner.
The admin role includes all permissions granted by the editor role.
For example, the admin role lets you perform the following operations:
- Set permissions to the resource.
- Change permissions to the resource.
Certificate Manager
certificate-manager.admin
Use the certificate-manager.admin role to manage your certificates and access to them.
certificate-manager.certificates.downloader
The certificate-manager.certificates.downloader role lets you get the contents of a certificate: a chain and a private key.
Compute Cloud
compute.admin
The compute.admin role includes the following permissions:
- Create and edit virtual machines.
- Create and edit disks and disk snapshots.
- Create and edit images.
- Manage instance groups.
- Use network resources on virtual machines and instance groups (connect to subnets and use security groups).
Currently, this role can only be assigned for a folder or cloud.
compute.disks.user
The compute.disks.user role includes the following permissions:
- Get a list of disks.
- Get information about a disk.
- Use a disk to create new resources (images, snapshots, new disks, and virtual machines).
These permissions are also included in the editor, admin, and resource-manager.clouds.owner roles.
Note
This role is not sufficient to mark the disk as automatically deletable when creating a virtual machine. To do this, use the editor role.
Currently, this role can only be assigned for a folder or cloud.
compute.images.user
The compute.images.user role includes the following permissions:
- Get a list of images.
- Get information about an image.
- Get information about the last image in the specified family.
- Use an image to create new resources (virtual machines, disks, or other images).
These permissions are also included in the editor, admin, and resource-manager.clouds.owner roles.
Currently, this role can only be assigned for a folder or cloud.
Container Registry
container-registry.admin
The container-registry.admin role includes the following permissions:
Currently, this role can only be assigned for a folder or cloud.
container-registry.images.puller
The container-registry.images.puller role includes the following permissions:
- Get a list of registries.
- Get information about registries.
- Get a list of Docker images.
- Get information about Docker images.
Currently, this role can only be assigned for a folder or cloud.
container-registry.images.pusher
The container-registry.images.pusher role includes the following permissions:
- Get a list of registries.
- Get information about registries.
- Get a list of Docker images.
- Get information about Docker images.
- Create Docker images.
- Edit Docker images.
- Delete Docker images.
Currently, this role can only be assigned for a folder or cloud.
Data Proc
dataproc.agent
The dataproc.agent role allows the service account assigned to the Data Proc cluster to notify the service of the status of each host in the cluster.
This role must be assigned to the service account specified when creating the cluster.
Currently, this role can only be assigned for a folder or cloud.
mdb.dataproc.agent
Warning
The mdb.dataproc.agent role will soon be discontinued. Users with this role will automatically be assigned the dataproc.agent role with the same rights.
An obsolete role granting the same rights as dataproc.agent. We don't recommend using it.
Currently, this role can only be assigned for a folder or cloud.
DataLens
datalens.instances.user
The datalens.instances.user role provides access to DataLens.
After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
For more information about managing access to DataLens, see Managing access to DataLens.
Currently, this role can only be assigned for a folder or cloud.
datalens.instances.admin
The datalens.instances.admin role provides access to DataLens.
The role is automatically assigned to the DataLens instance creator. The administrator has datalens.instances.user permissions and can also change the pricing plan and purchase paid content in the Cloud Marketplace.
After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
For more information about managing access to DataLens, see Managing access to DataLens.
Currently, this role can only be assigned for a folder or cloud.
DataSphere
datasphere.user
The datasphere.user role lets the user view the list of projects and work with existing projects. The user can't create or delete projects.
datasphere.admin
The datasphere.admin role lets the user create, edit, and delete projects in DataSphere, as well as view the list of cloud folders.
The datasphere.admin role also includes all datasphere.user role permissions.
Functions
serverless.functions.invoker
The serverless.functions.invoker role grants permission to run functions.
For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.
To find out how to assign this role, see Managing rights to access functions.
Identity and Access Management
iam.serviceAccounts.user
The iam.serviceAccounts.user role means that the user has the right to use service accounts.
This role is necessary when the user asks the service to perform operations on behalf of a service account.
For example, when creating an instance group, you specify the service account and IAM checks whether you have permission to use it.
The following permissions are included in the iam.serviceAccounts.user role:
- Get a list of service accounts
- Get information about a service account
- Use the service account to perform operations on its behalf
These permissions are also included in the editor, admin, and resource-manager.clouds.owner roles.
Yandex IoT Core
iot.devices.writer
Users with the iot.devices.writer role can send gRPC messages to Yandex IoT Core on behalf of devices.
iot.registries.writer
Users with the iot.registries.writer role can send gRPC messages to Yandex IoT Core on behalf of registries.
Network Load Balancer
load-balancer.viewer
The load-balancer.viewer role lets you view resource model objects:
Currently, this role can only be assigned for a folder or cloud.
load-balancer.privateAdmin
The load-balancer.privateAdmin role lets you create, update, and delete load balancers and target groups. However, this role doesn't let you make a load balancer available from the internet. For this, you need the load-balancer.admin role.
Currently, this role can only be assigned for a folder or cloud.
load-balancer.admin
The load-balancer.admin role lets you:
- Create, update, and delete load balancers and target groups.
- Assign a public IP address to a load balancer.
Note
If you have both the load-balancer.admin role and the create VM permission, you can create VMs with public IPs. If this is not what you want, use the load-balancer.privateAdmin role.
Currently, this role can only be assigned for a folder or cloud.
Object Storage
storage.admin
The storage.admin role is intended for managing Object Storage. Users with this role can:
- Create buckets.
- Delete buckets.
- Assign an access control list (ACL).
- Manage any bucket object.
- Manage any bucket website.
- Configure other bucket parameters and objects in the bucket.
This role can grant other users access to a bucket or a specific object in it.
This role can be assigned by the administrator of the cloud (the admin role).
storage.configurer
Users with the storage.configurer role can manage the settings of object lifecycles, static website hosting, and CORS.
They do not have permission to manage access control list (ACL) or public access settings. They do not have access to bucket data.
storage.editor
Users with the storage.editor role can perform any operation with buckets and objects in the folder: create (including a publicly accessible bucket), delete, and edit them.
This role doesn't let you manage access control list (ACL) settings.
storage.uploader
Users with the storage.uploader role can upload objects to a bucket and overwrite previously uploaded ones.
This role doesn't let you delete objects or configure buckets.
storage.viewer
The storage.viewer role gives you read access to the list of buckets, settings, and data.
Resource Manager
resource-manager.clouds.member
When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.
Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.
This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.
resource-manager.clouds.owner
The resource-manager.clouds.owner role is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.
Only the cloud owner can assign users the resource-manager.clouds.owner role.
A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
Virtual Private Cloud
vpc.viewer
The vpc.viewer role lets you view resource model objects:
- Networks and subnets.
- Static route tables.
- Addresses.
- Security groups.
Currently, this role can only be assigned for a folder or cloud.
vpc.user
The vpc.user role lets you connect to VPC network resources and use them. It includes all permissions of the vpc.viewer role and permission to:
- Use networks and subnets.
- Use static routes.
- Assign static addresses to VMs.
- Assign security groups to VM network interfaces.
Currently, this role can only be assigned for a folder or cloud.
vpc.privateAdmin
The vpc.privateAdmin role lets you manage connectivity between VMs and managed database clusters within Yandex.Cloud:
- Create, delete, and update networks and subnets.
- Set up static routes and internal addresses.
With this role, you can't make a VM or cluster available outside of the network they belong to. Use the vpc.publicAdmin role to manage external access permissions.
Currently, this role can only be assigned for a folder or cloud.
vpc.publicAdmin
The vpc.publicAdmin role lets you manage external connectivity:
- Create and delete static public IP addresses.
- Enable and disable the NAT to the internet function.
It also includes all permissions granted by the vpc.viewer role.
The vpc.publicAdmin role is also required to create resources with public IP addresses, such as VMs or managed database clusters.
Currently, this role can only be assigned for a folder or cloud.
Important: if a network and subnet are in different folders, the vpc.publicAdmin role is checked for the folder where the network is located.
vpc.securityGroups.admin
The vpc.securityGroups.admin role is designed for managing security groups. It lets you create, update, and delete security groups, as well as rules in them.
Currently, this role can only be assigned for a folder or cloud.
vpc.admin
A network administrator role that provides full control over VPC resources. Includes the vpc.privateAdmin, vpc.publicAdmin, and vpc.securityGroups.admin roles.
Currently, this role can only be assigned for a folder or cloud.
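As an added example (not Yandex.Cloud's own code or API), the following Python models two mechanisms described on this page, in the Roles introduction and in the VPC section: role inclusion (admin includes editor, vpc.admin includes the three VPC admin roles, and so on) and inheritance of role bindings from a cloud or folder down to nested resources, together with the stated restriction that some roles can only be assigned for a folder or cloud. The resource tree, subjects and bindings are constructed; the role names and inclusion relations are the ones stated on the page.

```python
# Added example, not Yandex.Cloud code: toy resolver for the role inclusions and
# cloud -> folder -> resource inheritance this page describes (all data constructed).
from typing import Dict, List, Optional, Set, Tuple
# A role implies every role it "includes" (transitively); mirrors the page's statements.
INCLUDES: Dict[str, Set[str]] = {
    "resource-manager.clouds.owner": {"admin"},
    "admin": {"editor"},
    "editor": {"viewer", "compute.images.user", "compute.disks.user", "iam.serviceAccounts.user"},
    "vpc.admin": {"vpc.privateAdmin", "vpc.publicAdmin", "vpc.securityGroups.admin"},
    "vpc.user": {"vpc.viewer"},
    "vpc.publicAdmin": {"vpc.viewer"},
    "datasphere.admin": {"datasphere.user"},
}
# Some of the roles the page says are currently assignable only for a folder or cloud.
FOLDER_OR_CLOUD_ONLY = {"compute.admin", "compute.images.user", "vpc.admin", "vpc.user"}
# Constructed resource tree: id -> (type, parent). Bindings are inherited downward.
TREE: Dict[str, Tuple[str, Optional[str]]] = {
    "cloud1": ("cloud", None),
    "folder1": ("folder", "cloud1"),
    "image1": ("image", "folder1"),
}
Binding = Tuple[str, str, str]  # (resource_id, subject, role)

def expand(roles: Set[str]) -> Set[str]:
    """Transitive closure of the given roles over INCLUDES."""
    out, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role not in out:
            out.add(role)
            stack.extend(INCLUDES.get(role, set()))
    return out

def effective_roles(bindings: List[Binding], resource: str, subject: str) -> Set[str]:
    """Roles the subject holds on `resource`: bindings on it and on every ancestor."""
    direct: Set[str] = set()
    node: Optional[str] = resource
    while node is not None:
        direct |= {r for res, subj, r in bindings if res == node and subj == subject}
        node = TREE[node][1]
    return expand(direct)

def can_assign(role: str, resource: str) -> bool:
    """Reject bindings at a level the page says is not allowed."""
    rtype = TREE[resource][0]
    if role == "resource-manager.clouds.owner":  # "is assigned for the cloud"
        return rtype == "cloud"
    if role in FOLDER_OR_CLOUD_ONLY:
        return rtype in ("folder", "cloud")
    return True
```

A cloud owner therefore resolves to viewer on an image three levels down, while a folder-level compute.images.user binding grants nothing on the cloud itself.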