Roles
A role is a set of user permissions to perform operations with Yandex.Cloud resources.
There are two types of roles:
-
Primitive roles contain permissions that apply to all types of Yandex.Cloud resources. These are the roles of
admin,editorandviewer. -
Service roles contain permissions only for a specific type of resource in a particular service. The ID of a service role is specified in
service.resources.roleformat. For example, the role ofcompute.images.userallows you to use images in the Yandex Compute Cloud service.A service role can be assigned to the resource that the role is intended for or the resource that access rights are inherited from. For example, the role of
compute.images.usercan be assigned for a folder or cloud, because images inherit permissions from them.
Currently, users are not allowed to create new roles with a custom set of permissions.
Primitive roles
viewer
The role of viewer grants permissions to read resources.
For example, the role of viewer allows you to perform the following operations:
- View information about a resource.
- Get a list of nested resources, such as a list of VMs in a folder.
- View a list of operations with a resource.
editor
The role of editor grants permissions to all operations relating to resource management, except for assigning roles to other users. The role of editor includes all permissions granted by the role of viewer.
For example, the role of editor allows you to perform the following operations:
- Create a resource.
- Update a resource.
- Delete a resource.
admin
The role of admin grants all permissions to manage the resource, including assigning roles to other users. You can assign any roles except resource-manager.clouds.owner.
The role of admin includes all permissions granted by the role of editor.
For example, the role of admin allows you to perform the following operations:
- Set access rights to the resource.
- Change access rights to the resource.
Service roles
Yandex Resource Manager
resource-manager.clouds.member
When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member.
This role must be assigned to everyone who needs to access cloud resources, except the owners of the cloud, service accounts, and system group allAuthenticatedUsers.
This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.
Important
To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.
resource-manager.clouds.owner
The role of resource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operations with the cloud and its resources.
Only the cloud owner can assign to or remove from the users the role resource-manager.clouds.owner.
A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
Yandex Compute Cloud
compute.disks.user
The compute.disks.user role includes the following permissions:
- Get a list of disks.
- Get information about a disk.
- Use a disk to create new resources (images, snapshots, new disks, and virtual machines).
Note
This role is not sufficient to mark the disk as automatically deletable when creating a virtual machine. To do this, use the editor role.
Currently, this role can only be assigned to a folder or cloud.
compute.images.user
The compute.images.user role includes the following permissions:
- Get a list of images.
- Get information about an image.
- Get information about the last image in the specified family.
- Use an image for creating new resources (virtual machines, disks, or other images).
Currently, this role can only be assigned to a folder or cloud.