Roles

A role is a set of user permissions to perform operations with Yandex.Cloud resources.

There are two types of roles:

• Primitive roles contain permissions that apply to all types of Yandex.Cloud resources. These are roles like admin, editor, and viewer.

• Service roles contain permissions only for a specific type of resource in a particular service. Service role ID is specified in service.resources.role format. For example, the compute.images.user role lets you use images in Yandex Compute Cloud.

  A service role can be assigned to the resource that the role is intended for or the resource that permissions are inherited from. For example, you can assign the compute.images.user role for a folder or cloud, because images inherit permissions from them.

Currently, users aren't allowed to create new roles with a custom set of permissions.

Primitive roles

viewer

The viewer role grants permission to read resources.

For example, the viewer role lets you perform the following operations:

• View information about a resource.
• Get a list of nested resources, such as a list of VMs in a folder.
• View a list of operations with a resource.

editor

The editor role grants permissions to perform any operation related to resource management, except assigning roles to other users. The editor role includes all permissions granted by the viewer role.

For example, the editor role lets you perform the following operations:

• Create a resource.
• Update a resource.
• Delete a resource.

admin

The admin role grants all permissions to manage the resource, including assigning roles to other users. You can assign any role except resource-manager.clouds.owner.

The admin role includes all permissions granted by the editor role.

For example, the admin role lets you perform the following operations:

• Set permissions to the resource.
• Change permissions to the resource.

Certificate Manager

certificate-manager.admin

Use the certificate-manager.admin role to manage your certificates and access to them.

certificate-manager.certificates.downloader

The certificate-manager.certificates.downloader role lets you get the contents of a certificate: a chain and a private key.

Compute Cloud

compute.admin

The compute.admin role includes the following permissions:

• Create and edit virtual machines.
• Create and edit disks and disk snapshots.
• Create and edit images.
• Manage instance groups.
• Use network resources on virtual machines and instance groups (connect to subnets and use security groups).

Currently, this role can only be assigned for a folder or cloud.

compute.disks.user

The compute.disks.user role includes the following permissions:

• Get a list of disks.
• Get information about a disk.
• Use a disk to create new resources (images, snapshots, new disks, and virtual machines).

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Currently, this role can only be assigned for a folder or cloud.

compute.images.user

The compute.images.user role includes the following permissions:

• Get a list of images.
• Get information about an image.
• Get information about the last image in the specified family.
• Use an image to create new resources (virtual machines, disks, or other images).

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Currently, this role can only be assigned for a folder or cloud.

Container Registry

container-registry.admin

The container-registry.admin role includes the following permissions:

• Create registries.
• Update registries.
• Delete registries.

Currently, this role can only be assigned for a folder or cloud.

container-registry.images.puller

The container-registry.images.puller role includes the following permissions:

• Get a list of registries.
• Get information about registries.
• Get a list of Docker images.
• Get information about Docker images.

Currently, this role can only be assigned for a folder or cloud.

container-registry.images.pusher

The container-registry.images.pusher role includes the following permissions:

• Get a list of registries.
• Get information about registries.
• Get a list of Docker images.
• Get information about Docker images.
• Create Docker images.
• Change Docker images.
• Delete Docker images.

Currently, this role can only be assigned for a folder or cloud.

Data Proc

mdb.dataproc.agent

The mdb.dataproc.agent role lets the service account assigned to the Data Proc cluster notify the service of the status of each host in the cluster.

This role must be assigned to the service account specified when creating the cluster.

Currently, this role can only be assigned for a folder or cloud.

DataLens

datalens.instances.user

The datalens.instances.user role provides access to DataLens.

After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
For more information about managing access to DataLens, see Managing access to DataLens.

Currently, this role can only be assigned for a folder or cloud.

datalens.instances.admin

The datalens.instances.admin role provides access to DataLens.

The role is automatically assigned to the DataLens instance creator. The administrator has datalens.instances.user permissions and can also change the pricing plan and purchase paid content in the Cloud Marketplace.

After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
For more information about managing access to DataLens, see Managing access to DataLens.

Currently, this role can only be assigned for a folder or cloud.

DataSphere

datasphere.user

The datasphere.user role lets the user view the list of projects and work with existing projects. The user can't create or delete projects.

datasphere.admin

The datasphere.admin role lets the user create, edit, and delete projects in DataSphere, as well as view the list of cloud folders.

The datasphere.admin role also includes all datasphere.user role permissions.

Functions

serverless.functions.invoker

The serverless.functions.invoker role grants permission to run functions.

For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.

To find out how to assign this role, see Managing rights to access functions.

Identity and Access Management

iam.serviceAccounts.user

The iam.serviceAccounts.user role means that the user has the right to use service accounts.
This role is necessary when the user asks the service to perform operations on behalf of a service account.

For example, when creating an instance group, you specify the service account and the IAM checks whether you have permission to use it.

The following permissions are included in the iam.serviceAccounts.user role:

• Get a list of service accounts
• Get information about a service account
• Use the service account to perform operations on its behalf

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Load Balancer

load-balancer.viewer

The load-balancer.viewer role lets you view resource model objects:

• Load balancers.
• Target groups.

Currently, this role can only be assigned for a folder or cloud.

load-balancer.privateAdmin

The load-balancer.privateAdmin role lets you create, update, and delete load balancers and target groups. However, this role doesn't let you make a load balancer available from the internet. For this, you need the load-balancer.admin role.

Currently, this role can only be assigned for a folder or cloud.

load-balancer.admin

The load-balancer.admin role lets you:

• Create, update, and delete load balancers and target groups.
• Assign a public IP address to a load balancer.

Currently, this role can only be assigned for a folder or cloud.

Object Storage

storage.admin

The storage.admin role is intended for managing Object Storage. Users with this role can:

• Create buckets.
• Delete buckets.
• Assign an access control list (ACL).
• Manage any bucket object.
• Manage any bucket website.
• Configure other bucket parameters and objects in the bucket.

This role can grant other users access to a bucket or a specific object in it.

This role can be assigned by the administrator of the cloud (the admin role).

storage.configurer

Users with the storage.configurer role can manage the settings of object lifecycles, static website hosting, and CORS.

They do not have permission to manage access control list (ACL) or public access settings. They do not have access to bucket data.

storage.editor

Users with the storage.editor role can perform any operation with buckets and objects in the folder: create (including a publicly accessible bucket), delete, and edit them.

This role doesn't let you manage access control list (ACL) settings.

storage.uploader

Users with the storage.uploader role can upload objects to a bucket and overwrite previously uploaded ones.

This role doesn't let you delete objects or configure buckets.

storage.viewer

The storage.viewer role gives you read access to the list of buckets, settings, and data.

Resource Manager

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

resource-manager.clouds.owner

Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

Virtual Private Cloud

vpc.viewer

The vpc.viewer role lets you view resource model objects:

• Networks and subnets.
• Static route tables.
• Addresses.
• Security groups.

Currently, this role can only be assigned for a folder or cloud.

vpc.user

The vpc.user role lets you connect to VPC network resources and use them. It includes all permissions of the vpc.viewer role and permission to:

• Use networks and subnets.
• Use static routes.
• Assign static addresses to VMs.
• Assign security groups to VM network interfaces.

Currently, this role can only be assigned for a folder or cloud.

vpc.privateAdmin

The vpc.privateAdmin role lets you manage connectivity between VMs and managed database clusters within Yandex.Cloud:

• Create, delete, and update networks and subnets.
• Set up static routes and internal addresses.

With this role, you can't make a VM or cluster available outside of the network they belong to. Use the vpc.publicAdmin role to manage external access permissions.

Currently, this role can only be assigned for a folder or cloud.

vpc.publicAdmin

The vpc.publicAdmin role lets you manage external connectivity:

• Create static public IP addresses.
• Enable and disable the NAT to the internet function.

The vpc.publicAdmin role is also required to create resources with public IP addresses, such as VMs or managed database clusters.

Currently, this role can only be assigned for a folder or cloud.

vpc.securityGroups.admin

The vpc.securityGroups.admin role is designed for managing security groups. It lets you create, update, and delete security groups, as well as rules in them.

Currently, this role can only be assigned for a folder or cloud.

vpc.admin

A network administrator role that provides full control over VPC resources. Includes the vpc.privateAdmin, vpc.publicAdmin, and vpc.securityGroups.admin roles.

Currently, this role can only be assigned for a folder or cloud.