Roles

A role is a set of user permissions to perform operations with Yandex.Cloud resources.

There are two types of roles:

  • Primitive roles contain permissions that apply to all types of Yandex.Cloud resources. These are the admin, editor and viewer roles.

  • Service roles contain permissions only for a specific type of resource in a particular service. The ID of a service role is specified in service.resources.role format. For example, the compute.images.user role lets you use images in Yandex Compute Cloud.

    A service role can be assigned to the resource that the role is intended for or the resource that access rights are inherited from. For example, you can assign the compute.images.user role for a folder or cloud, because images inherit permissions from them.

Currently, users are not allowed to create new roles with a custom set of permissions.

Primitive roles

viewer

The viewer role grants permission to read resources.

For example, the viewer role lets you perform the following operations:

  • View information about a resource.
  • Get a list of nested resources, such as a list of VMs in a folder.
  • View a list of operations with a resource.

editor

The editor role grants permission to perform any operation that manages the resource, except assigning roles to other users. The editor role includes all permissions granted by the viewer role.

For example, the editor role lets you perform the following operations:

  • Create a resource.
  • Update a resource.
  • Delete a resource.

admin

The admin role grants all permissions to manage the resource, including assigning roles to other users. A user with the admin role can assign any role except resource-manager.clouds.owner.

The admin role includes all permissions granted by the editor role.

For example, the admin role lets you perform the following operations:

  • Set access rights to the resource.
  • Change access rights to the resource.

Service roles

Resource Manager

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

Important

To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.

resource-manager.clouds.owner

The resource-manager.clouds.owner role is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.
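The three owner rules above (only an owner may hand out clouds.owner, an admin may assign anything else, and a cloud may never be left without an owner) are easy to get wrong in automation that rewrites access bindings. The following guard is an added example written for this page, not Yandex.Cloud code: it checks a proposed change to a cloud's bindings before it is applied. The page does not say whether an admin may revoke clouds.owner; the guard treats revocation like assignment, which is an assumption, and the subject identifiers are constructed for the example.

```python
"""Guard for a proposed change to a cloud's access bindings, applying the
owner rules stated on this page. Added example, not Yandex.Cloud code.
Assumption: an admin may neither assign nor revoke clouds.owner (the page
only states the assignment rule)."""
from typing import Set, Tuple

OWNER = "resource-manager.clouds.owner"
CloudBinding = Tuple[str, str]  # (role, subject) bound on the cloud itself


def check_cloud_binding_change(bindings: Set[CloudBinding], actor: str,
                               op: str, role: str, subject: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for actor applying op ('ADD' or 'REMOVE')
    of (role, subject) to the cloud's current bindings."""
    actor_roles = {r for r, s in bindings if s == actor}
    if OWNER in actor_roles:
        pass                                    # an owner may do anything with the cloud
    elif "admin" in actor_roles:
        if role == OWNER:                       # admin assigns any role except owner
            return False, "only a cloud owner can assign resource-manager.clouds.owner"
    else:
        return False, "actor holds neither admin nor owner on the cloud"

    proposed = set(bindings)
    if op == "ADD":
        proposed.add((role, subject))
    elif op == "REMOVE":
        proposed.discard((role, subject))
    else:
        return False, "unknown operation %r" % op

    # A cloud must keep at least one owner; this also stops the sole owner
    # from giving up the role.
    if not any(r == OWNER for r, _ in proposed):
        return False, "a cloud must have at least one owner"
    return True, "ok"


# Constructed sample state: one owner, one admin (not real identifiers).
SAMPLE = {(OWNER, "userAccount:root"), ("admin", "userAccount:adm")}

if __name__ == "__main__":
    print(check_cloud_binding_change(SAMPLE, "userAccount:adm", "ADD", "editor", "userAccount:x"))
    print(check_cloud_binding_change(SAMPLE, "userAccount:adm", "ADD", OWNER, "userAccount:x"))
    print(check_cloud_binding_change(SAMPLE, "userAccount:root", "REMOVE", OWNER, "userAccount:root"))
```

Run the check against the current binding set before every update; the second owner must be added first, and only then may the original owner be removed.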

Identity and Access Management

iam.serviceAccounts.user

The iam.serviceAccounts.user role grants the user the right to use service accounts. It is required whenever the user asks a service to perform operations on behalf of a service account.

For example, when creating an instance group, you specify the service account, and IAM checks whether you have permission to use it.

The following permissions are included in the iam.serviceAccounts.user role:

  • Get a list of service accounts
  • Get information about a service account
  • Use the service account to perform operations on its behalf

These permissions are also included in the editor, admin, and resource-manager.clouds.owner roles.
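The rules spread across this page (primitive roles apply to every resource type and nest viewer within editor within admin; service roles cover one resource type and can be assigned on the folder or cloud that the resource inherits from; resource-manager.clouds.member grants nothing by itself but gates all user access except for owners and service accounts; the console additionally needs viewer on the cloud; and IAM checks iam.serviceAccounts.user before letting you act on a service account's behalf) combine into one access decision. The model below is an added example written for this page, not Yandex.Cloud's implementation. Resource type names, the permission names ("get", "list", "use" and so on) and the sample hierarchy, subjects and bindings are assumptions constructed for the example.

```python
"""Evaluation model for the role rules described on this page.
Added illustration, not Yandex.Cloud code. Resource type names,
permission names and all identifiers are assumed for the example."""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set


@dataclass(frozen=True)
class Resource:
    id: str
    type: str                      # assumed type names, e.g. "compute.images"
    parent: Optional[str] = None   # resource -> folder -> cloud -> None


@dataclass(frozen=True)
class Binding:
    resource: str   # id of the resource the role is assigned on
    role: str
    subject: str    # "userAccount:<id>" or "serviceAccount:<id>"


OWNER = "resource-manager.clouds.owner"
MEMBER = "resource-manager.clouds.member"

# Service roles carry permissions for one resource type only (names assumed).
SERVICE_ROLES = {
    "compute.images.user": {("compute.images", a) for a in ("list", "get", "use")},
    "compute.disks.user": {("compute.disks", a) for a in ("list", "get", "use")},
    "iam.serviceAccounts.user": {("iam.serviceAccounts", a) for a in ("list", "get", "use")},
    "serverless.functions.invoker": {("serverless.functions", "invoke")},
}


def role_allows(role: str, resource_type: str, action: str) -> bool:
    """Primitive roles apply to every resource type; viewer < editor < admin < owner."""
    if role in (OWNER, "admin"):
        return True
    if role == "editor":
        return action != "setAccessBindings"   # everything except assigning roles
    if role == "viewer":
        return action in ("get", "list")
    if role == MEMBER:
        return False                           # grants nothing on its own
    return (resource_type, action) in SERVICE_ROLES.get(role, set())


class Iam:
    def __init__(self, resources: List[Resource], bindings: List[Binding]):
        self.resources = {r.id: r for r in resources}
        self.bindings = bindings

    def chain(self, resource_id: str) -> Iterator[Resource]:
        """Yield the resource, then its folder, then its cloud."""
        cur: Optional[str] = resource_id
        while cur is not None:
            res = self.resources[cur]
            yield res
            cur = res.parent

    def roles_on(self, subject: str, resource_id: str) -> Set[str]:
        """Roles bound to the subject on the resource or any ancestor (inheritance)."""
        scope = {r.id for r in self.chain(resource_id)}
        return {b.role for b in self.bindings
                if b.subject == subject and b.resource in scope}

    def is_member(self, subject: str, cloud_id: str) -> bool:
        """Service accounts and cloud owners are exempt from the clouds.member gate."""
        if subject.startswith("serviceAccount:"):
            return True
        return bool(self.roles_on(subject, cloud_id) & {MEMBER, OWNER})

    def allowed(self, subject: str, action: str, resource_id: str) -> bool:
        cloud_id = list(self.chain(resource_id))[-1].id
        if not self.is_member(subject, cloud_id):
            return False
        rtype = self.resources[resource_id].type
        return any(role_allows(r, rtype, action)
                   for r in self.roles_on(subject, resource_id))

    def console_access(self, subject: str, cloud_id: str) -> bool:
        """Console work needs clouds.member plus viewer (or a role containing it) on the cloud."""
        if not self.is_member(subject, cloud_id):
            return False
        return bool(self.roles_on(subject, cloud_id) & {"viewer", "editor", "admin", OWNER})


# Constructed sample hierarchy and bindings (not real identifiers).
RESOURCES = [
    Resource("cloud-1", "resource-manager.clouds"),
    Resource("folder-1", "resource-manager.folders", "cloud-1"),
    Resource("img-1", "compute.images", "folder-1"),
    Resource("disk-1", "compute.disks", "folder-1"),
    Resource("sa-1", "iam.serviceAccounts", "folder-1"),
]
ALICE, BOB, DEPLOY = "userAccount:alice", "userAccount:bob", "serviceAccount:deploy"
BINDINGS = [
    Binding("cloud-1", MEMBER, ALICE),                   # member, but no viewer on the cloud
    Binding("folder-1", "compute.images.user", ALICE),   # inherited by images in the folder
    Binding("folder-1", "iam.serviceAccounts.user", ALICE),
    Binding("folder-1", "editor", BOB),                  # editor without clouds.member
    Binding("folder-1", "viewer", DEPLOY),               # service account: no member role needed
]
IAM = Iam(RESOURCES, BINDINGS)

if __name__ == "__main__":
    print("alice uses img-1:", IAM.allowed(ALICE, "use", "img-1"))     # inherited from the folder
    print("alice uses disk-1:", IAM.allowed(ALICE, "use", "disk-1"))   # images.user does not cover disks
    print("bob deletes img-1:", IAM.allowed(BOB, "delete", "img-1"))   # editor, but not a cloud member
    print("alice in console:", IAM.console_access(ALICE, "cloud-1"))   # member only, no viewer on cloud
```

Two results are the ones that surprise people in practice: bob holds editor on the folder yet gets nothing because he was never made a cloud member, and alice can use images but not disks because compute.images.user is scoped to a single resource type even though it was granted on the folder.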

Compute Cloud

compute.disks.user

The compute.disks.user role includes the following permissions:

  • Get a list of disks.
  • Get information about a disk.
  • Use a disk to create new resources (images, snapshots, new disks, and virtual machines).

These permissions are also included in the editor, admin, and resource-manager.clouds.owner roles.

Note

This role is not sufficient to mark the disk as automatically deletable when creating a virtual machine. To do this, use the editor role.

Currently, this role can only be assigned for a folder or cloud.

compute.images.user

The compute.images.user role includes the following permissions:

  • Get a list of images.
  • Get information about an image.
  • Get information about the last image in the specified family.
  • Use an image to create new resources (virtual machines, disks, or other images).

These permissions are also included in the editor, admin, and resource-manager.clouds.owner roles.

Currently, this role can only be assigned for a folder or cloud.

Data Proc

mdb.dataproc.agent

The mdb.dataproc.agent role lets the service account assigned to the Data Proc cluster notify the service of the status of each host in the cluster.

This role must be assigned to the service account specified when creating the cluster.

Currently, this role can only be assigned for a folder or cloud.

Functions

serverless.functions.invoker

The serverless.functions.invoker role grants permission to run functions.

For now, this role can only be assigned for a parent resource (folder or cloud); functions nested in that resource inherit it.

To find out how to assign this role, see Managing rights to run functions.

Container Registry

container-registry.images.puller

The container-registry.images.puller role includes the following permissions:

  • Get a list of registries.
  • Get information about registries.
  • Get a list of Docker images.
  • Get information about Docker images.

Currently, this role can only be assigned for a folder or cloud.

container-registry.images.pusher

The container-registry.images.pusher role includes the following permissions:

  • Get a list of registries.
  • Get information about registries.
  • Get a list of Docker images.
  • Get information about Docker images.
  • Create Docker images.
  • Change Docker images.
  • Delete Docker images.

Currently, this role can only be assigned for a folder or cloud.