Roles

A role is a set of user permissions to perform operations with Yandex Cloud resources.

When you assign a role, you specify the assigned subject and a resource to which the role applies. The subject can be a normal user, service account, or system subject. A subject can be assigned multiple roles for the same resource. For more information, see the section Assign access rights.

There are two types of roles:

  • Common roles are the roles that can be assigned to any Yandex Cloud resources. These are the roles of admin, editor and viewer.

  • Service roles are the roles created for a specific service. The service role identifier is specified in the service.resources.role format. For example, the role of compute.images.user allows you to use images in the Yandex Compute Cloud service.

    A service role cannot be assigned for an arbitrary resource: it can only be assigned for the resource type it is intended for. For example, resource-manager.clouds.member can only be assigned for a cloud.

    A service role can also be assigned for the resources from which access rights are inherited. For example, compute.images.user can be assigned for a folder or cloud, because images inherit access rights from them.

Currently, users are not allowed to create new roles with a specific set of permissions.

Note

To access a resource, you may need several roles at the same time. For example, to view information about a folder in a cloud, the viewer role alone is not enough: you also need the resource-manager.clouds.member role in that cloud. Read more in the section Hierarchy of Yandex.Cloud resources in the Yandex Resource Manager documentation.

Common roles

viewer

The role of viewer grants the right to read resources.

For example, the role of viewer allows you to perform the following operations:

  • View information about a resource.
  • Get a list of resources, such as a list of virtual machines in a folder.
  • View a list of operations with the resource.

editor

The role of editor grants access rights to all operations relating to resource management, except for assigning roles to other users. The role of editor includes all access rights granted by the role of viewer.

For example, the role of editor allows you to perform the following operations:

  • Create a resource.
  • Update a resource.
  • Delete a resource.

admin

The role of admin grants full access rights to manage the resource, including assigning roles to other users. You can assign any roles except resource-manager.clouds.owner.

The role of admin includes all access rights granted by the role of editor.

For example, the role of admin allows you to perform the following operations:

  • Set access rights to the resource.
  • Change access rights to the resource.

Service roles

Yandex Resource Manager

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member.

Everyone except the owners of the cloud and the system group allAuthenticatedUsers needs this role to access cloud resources.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

Important

To enable a user to work in the cloud through the Management Console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.

resource-manager.clouds.owner

Role resource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operations with the cloud and the resources in it.

Only a cloud owner can assign the resource-manager.clouds.owner role to users or remove it from them.

The cloud must have at least one owner. The sole owner of a cloud cannot remove this role from themselves.

Yandex Compute Cloud

compute.images.user

Role compute.images.user applies to images only. A user with the role compute.images.user can use the appropriate image when creating new disks, VM instances, and other images.

Role compute.images.user can only be assigned for a folder or cloud. Currently, you cannot assign this role for an image itself.

The role compute.images.user includes the following permissions:

  • To get a list of images.
  • To get information about an image.
  • To get information about the last image in the specified family.
  • To use the image when creating new resources.
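The rules on this page (roles inherited down the cloud/folder/image hierarchy, admin including editor including viewer, the resource-manager.clouds.member requirement, owner privileges, and the resource types compute.images.user may be assigned for) can be exercised with a small model, as an added example that is not Yandex's code. It assumes operation names such as setAccessBindings and useImage, a three-level hierarchy, and leaves the allAuthenticatedUsers exception out.

```python
from dataclasses import dataclass, field

# Common roles include each other: admin > editor > viewer.
IMPLIED = {"admin": {"admin", "editor", "viewer"},
           "editor": {"editor", "viewer"}, "viewer": {"viewer"}}
# Resource kinds a service role may be assigned for (as stated on the page).
ASSIGNABLE_ON = {"resource-manager.clouds.member": {"cloud"},
                 "resource-manager.clouds.owner": {"cloud"},
                 "compute.images.user": {"cloud", "folder"}}
# Operation -> roles that grant it (operation names are assumptions).
GRANTS = {"get": {"viewer"}, "list": {"viewer"}, "create": {"editor"},
          "update": {"editor"}, "delete": {"editor"},
          "setAccessBindings": {"admin"}, "useImage": {"compute.images.user"}}

@dataclass
class Resource:
    id: str
    kind: str                      # "cloud", "folder" or "image"
    parent: "Resource | None" = None
    bindings: dict = field(default_factory=dict)   # subject -> set of roles

    def assign(self, subject, role):
        """Bind a role, refusing resource kinds the role is not intended for."""
        allowed_kinds = ASSIGNABLE_ON.get(role, {"cloud", "folder", "image"})
        if self.kind not in allowed_kinds:
            raise ValueError(f"{role} cannot be assigned for a {self.kind}")
        self.bindings.setdefault(subject, set()).add(role)

    def chain(self):
        """Yield this resource, then its parents up to the cloud."""
        r = self
        while r is not None:
            yield r
            r = r.parent

def effective_roles(subject, resource):
    """Roles bound on the resource itself plus those inherited from its parents."""
    roles = set()
    for r in resource.chain():
        for role in r.bindings.get(subject, ()):
            roles |= IMPLIED.get(role, {role})
    return roles

def allowed(subject, resource, op):
    """Owners may do anything in their cloud; everyone else needs
    clouds.member on the cloud plus a role that grants the operation."""
    roles = effective_roles(subject, resource)
    cloud = list(resource.chain())[-1]
    if "resource-manager.clouds.owner" in cloud.bindings.get(subject, ()):
        return True
    if "resource-manager.clouds.member" not in roles:
        return False
    return bool(roles & GRANTS.get(op, set()))
```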