Roles
A role is a set of user permissions to perform operations with Yandex.Cloud resources.
There are two types of roles:
-
Primitive roles contain permissions that apply to all types of Yandex.Cloud resources. These are the
admin,editorandviewerroles. -
Service roles contain permissions only for a specific type of resource in a particular service. The ID of a service role is specified in
service.resources.roleformat. For example, thecompute.images.userrole lets you use images in Yandex Compute Cloud.A service role can be assigned to the resource that the role is intended for or the resource that access rights are inherited from. For example, you can assign the
compute.images.userrole for a folder or cloud, because images inherit permissions from them.
Currently, users are not allowed to create new roles with a custom set of permissions.
Primitive roles
viewer
The viewer role grants permission to read resources.
For example, the viewer role lets you perform the following operations:
- View information about a resource.
- Get a list of nested resources, such as a list of VMs in a folder.
- View a list of operations with a resource.
editor
The editor role grants permissions to perform any operation to management the resource, except assigning roles to other users. The editor role includes all permissions granted by the viewer role.
For example, the editor role lets you perform the following operations:
- Create a resource.
- Update a resource.
- Delete a resource.
admin
The admin role grants all permissions to manage the resource, including assigning roles to other users. You can assign any role except resource-manager.clouds.owner.
The admin role includes all permissions granted by the editor role.
For example, the admin role lets you perform the following operations:
- Set access rights to the resource.
- Change access rights to the resource.
Service roles
Resource Manager
resource-manager.clouds.member
When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.
Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.
This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.
Important
To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.
resource-manager.clouds.owner
Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.
Only the cloud owner can assign users the resource-manager.clouds.owner role.
A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
Identity and Access Management
iam.serviceAccounts.user
The iam.serviceAccounts.user role means that the user has the right to use service accounts.
This role is necessary when the user asks the service to perform operations on behalf of a service account.
For example, when creating an instance group, you specify the service account and the IAM checks whether you have permission to use it.
The following permissions are included in the iam.serviceAccounts.user role:
- Get a list of service accounts
- Get information about a service account
- Use the service account to perform operations on its behalf
These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.
Compute Cloud
compute.disks.user
The compute.disks.user role includes the following permissions:
- Get a list of disks.
- Get information about a disk.
- Use a disk to create new resources (images, snapshots, new disks, and virtual machines).
These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.
Note
This role is not sufficient to mark the disk as automatically deletable when creating a virtual machine. To do this, use the editor role.
Currently, this role can only be assigned for a folder or cloud.
compute.images.user
The compute.images.user role includes the following permissions:
- Get a list of images.
- Get information about an image.
- Get information about the last image in the specified family.
- Use an image to create new resources (virtual machines, disks, or other images).
These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.
Currently, this role can only be assigned for a folder or cloud.
Data Proc
mdb.dataproc.agent
The mdb.dataproc.agent role lets the service account assigned to the Data Proc cluster notify the service of the status of each host in the cluster.
This role must be assigned to the service account specified when creating the cluster.
Currently, this role can only be assigned for a folder or cloud.
Functions
serverless.functions.invoker
The serverless.functions.invoker role grants permission to run functions.
For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.
To find out how to assign this role, see Managing rights to run functions.
Container Registry
container-registry.images.puller
The container-registry.images.puller role includes the following permissions:
- Get a list of registries.
- Get information about registries.
- Get a list of Docker images.
- Get information about Docker images.
Currently, this role can only be assigned for a folder or cloud.
container-registry.images.pusher
The container-registry.images.pusher role includes the following permissions:
- Get a list of registries.
- Get information about registries.
- Get a list of Docker images.
- Get information about Docker images.
- Create Docker images.
- Change Docker images.
- Delete Docker images.
Currently, this role can only be assigned for a folder or cloud.