Get started
Log in
Yandex Identity and Access Management

Roles

A role is a set of user permissions to perform operations with Yandex.Cloud resources.

There are two types of roles:

  • Primitive roles contain permissions that apply to all types of Yandex.Cloud resources. These are the roles of admin, editor and viewer.

  • Service roles contain permissions only for a specific type of resource in a particular service. The ID of a service role is specified in service.resources.role format. For example, the role of compute.images.user allows you to use images in the Yandex Compute Cloud service.

    A service role can be assigned to the resource that the role is intended for or the resource that access rights are inherited from. For example, the role of compute.images.user can be assigned for a folder or cloud, because images inherit permissions from them.

Currently, users are not allowed to create new roles with a custom set of permissions.

Primitive roles

viewer

The role of viewer grants permissions to read resources.

For example, the role of viewer allows you to perform the following operations:

  • View information about a resource.
  • Get a list of nested resources, such as a list of VMs in a folder.
  • View a list of operations with a resource.

editor

The role of editor grants permissions to all operations relating to resource management, except for assigning roles to other users. The role of editor includes all permissions granted by the role of viewer.

For example, the role of editor allows you to perform the following operations:

  • Create a resource.
  • Update a resource.
  • Delete a resource.

admin

The role of admin grants all permissions to manage the resource, including assigning roles to other users. You can assign any roles except resource-manager.clouds.owner.

The role of admin includes all permissions granted by the role of editor.

For example, the role of admin allows you to perform the following operations:

  • Set access rights to the resource.
  • Change access rights to the resource.

Service roles

Resource Manager

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

This role must be assigned to everyone who needs to access cloud resources, except the owners of the cloud, service accounts, and system group allAuthenticatedUsers.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

Important

To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.

resource-manager.clouds.owner

The role of resource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role or remove it from them.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

Identity and Access Management

iam.serviceAccounts.user

The iam.serviceAccounts.user role means that the user has the right to use service accounts. This role is necessary when the user asks the service to perform operations on behalf of a service account.

For example, when creating a group of virtual machines, you specify the service account and the IAM checks that you have permission to use this account.

The following permissions are included in the iam.serviceAccounts.user role:

  • Get a list of service accounts
  • Get information about a service account
  • Use the service account to perform operations on its behalf

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Compute Cloud

compute.disks.user

The compute.disks.user role includes the following permissions:

  • Get a list of disks.
  • Get information about a disk.
  • Use a disk to create new resources (images, snapshots, new disks, and VMs).

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Note

This role is not sufficient to mark the disk as automatically deletable when creating a VM. To do this, use the editor role.

Currently, this role can only be assigned to a folder or cloud.

compute.images.user

The compute.images.user role includes the following permissions:

  • Get a list of images.
  • Get information about an image.
  • Get information about the last image in the specified family.
  • Use an image for creating new resources (virtual machines, disks, or other images).

Currently, this role can only be assigned to a folder or cloud.