Get started
Yandex Identity and Access Management

Roles

A role is a set of user permissions to perform operations with Yandex.Cloud resources.

There are two types of roles:

  • Primitive roles contain permissions that apply to all types of Yandex.Cloud resources. These are roles like admin, editor, and viewer.

  • Service roles contain permissions only for a specific type of resource in a particular service. Service role ID is specified in service.resources.role format. For example, the compute.images.user role lets you use images in Yandex Compute Cloud.

    A service role can be assigned to the resource that the role is intended for or the resource that permissions are inherited from. For example, you can assign the compute.images.user role for a folder or cloud, because images inherit permissions from them.

Currently, users aren't allowed to create new roles with a custom set of permissions.

Primitive roles

viewer

The viewer role grants permission to read resources.

For example, the viewer role lets you perform the following operations:

  • View information about a resource.
  • Get a list of nested resources, such as a list of VMs in a folder.
  • View a list of operations with a resource.

editor

The editor role grants permissions to perform any operation related to resource management, except assigning roles to other users. The editor role includes all permissions granted by the viewer role.

For example, the editor role lets you perform the following operations:

  • Create a resource.
  • Update a resource.
  • Delete a resource.

admin

The admin role grants all permissions to manage the resource, including assigning roles to other users. You can assign any role except resource-manager.clouds.owner.

The admin role includes all permissions granted by the editor role.

For example, the admin role lets you perform the following operations:

  • Set permissions to the resource.
  • Change permissions to the resource.

Certificate Manager

certificate-manager.admin

Use the certificate-manager.admin role to manage your certificates and access to them.

certificate-manager.certificates.downloader

The certificate-manager.certificates.downloader role lets you get the contents of a certificate: a chain and a private key.

Compute Cloud

compute.admin

The compute.admin role includes the following permissions:

Currently, this role can only be assigned for a folder or cloud.

compute.disks.user

The compute.disks.user role includes the following permissions:

  • Get a list of disks.
  • Get information about a disk.
  • Use a disk to create new resources (images, snapshots, new disks, and virtual machines).

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Note

This role is not sufficient to mark the disk as automatically deletable when creating a virtual machine. To do this, use the editor role.

Currently, this role can only be assigned for a folder or cloud.

compute.images.user

The compute.images.user role includes the following permissions:

  • Get a list of images.
  • Get information about an image.
  • Get information about the last image in the specified family.
  • Use an image to create new resources (virtual machines, disks, or other images).

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Currently, this role can only be assigned for a folder or cloud.

Container Registry

container-registry.admin

The container-registry.admin role includes the following permissions:

Currently, this role can only be assigned for a folder or cloud.

container-registry.images.puller

The container-registry.images.puller role includes the following permissions:

  • Get a list of registries.
  • Get information about registries.
  • Get a list of Docker images.
  • Get information about Docker images.

Currently, this role can only be assigned for a folder or cloud.

container-registry.images.pusher

The container-registry.images.pusher role includes the following permissions:

Currently, this role can only be assigned for a folder or cloud.

Data Proc

dataproc.agent

The dataproc.agent role allows the service account assigned to the Data Proc cluster to notify the service of the status of each host in the cluster.

This role must be assigned to the service account specified when creating the cluster.

Currently, this role can only be assigned for a folder or cloud.

mdb.dataproc.agent

Warning

The mdb.dataproc.agent role will soon be discontinued. Users with this role will automatically be assigned the dataproc.agent role with the same rights.

An obsolete role granting the same rights as dataproc.agent. We don't recommend using it.

Currently, this role can only be assigned for a folder or cloud.

DataLens

datalens.instances.user

The datalens.instances.user role provides access to DataLens.

After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
For more information about managing access to DataLens, see Managing access to DataLens.

Currently, this role can only be assigned for a folder or cloud.

datalens.instances.admin

The datalens.instances.admin role provides access to DataLens.

The role is automatically assigned to the DataLens instance creator. The administrator has datalens.instances.user permissions and can also change the pricing plan and purchase paid content in the Cloud Marketplace.

After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
For more information about managing access to DataLens, see Managing access to DataLens.

Currently, this role can only be assigned for a folder or cloud.

DataSphere

datasphere.user

The datasphere.user role lets the user view the list of projects and work with existing projects. The user can't create or delete projects.

datasphere.admin

The datasphere.admin role lets the user create, edit, and delete projects in DataSphere, as well as view the list of cloud folders.

The datasphere.admin role also includes all datasphere.user role permissions.

Functions

serverless.functions.invoker

The serverless.functions.invoker role grants permission to run functions.

For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.

To find out how to assign this role, see Managing rights to access functions.

Identity and Access Management

iam.serviceAccounts.user

The iam.serviceAccounts.user role means that the user has the right to use service accounts.
This role is necessary when the user asks the service to perform operations on behalf of a service account.

For example, when creating an instance group, you specify the service account and the IAM checks whether you have permission to use it.

The following permissions are included in the iam.serviceAccounts.user role:

  • Get a list of service accounts
  • Get information about a service account
  • Use the service account to perform operations on its behalf

These permissions are also included in the editor, admin, and resource-manager.cloud.owner roles.

Yandex IoT Core

iot.devices.writer

Users with the iot.devices.writer role can send gRPC messages to Yandex IoT Core on behalf of devices.

iot.registries.writer

Users with the iot.registries.writer role can send gRPC messages to Yandex IoT Core on behalf of registries.

Network Load Balancer

load-balancer.viewer

The load-balancer.viewer role lets you view resource model objects:

Currently, this role can only be assigned for a folder or cloud.

load-balancer.privateAdmin

The load-balancer.privateAdmin role lets you create, update, and delete load balancers and target groups. However, this role doesn't let you make a load balancer available from the internet. For this, you need the load-balancer.admin role.

Currently, this role can only be assigned for a folder or cloud.

load-balancer.admin

The load-balancer.admin role lets you:

Note

If you have both the load-balancer.admin role and the create VM permission, you can create VMs with public IPs. If this is not what you want, use the load-balancer.privateAdmin role.

Currently, this role can only be assigned for a folder or cloud.

Object Storage

storage.admin

The storage.admin role is intended for managing Object Storage. Users with this role can:

  • Create buckets.
  • Delete buckets.
  • Assign an access control list (ACL).
  • Manage any bucket object.
  • Manage any bucket website.
  • Configure other bucket parameters and objects in the bucket.

This role can grant other users access to a bucket or a specific object in it.

This role can be assigned by the administrator of the cloud (the admin role).

storage.configurer

Users with the storage.configurer role can manage the settings of object lifecycles, static website hosting, and CORS.

They do not have permission to manage access control list (ACL) or public access settings. They do not have access to bucket data.

storage.editor

Users with the storage.editor role can perform any operation with buckets and objects in the folder: create (including a publicly accessible bucket), delete, and edit them.

This role doesn't let you manage access control list (ACL) settings.

storage.uploader

Users with the storage.uploader role can upload objects to a bucket and overwrite previously uploaded ones.

This role doesn't let you delete objects or configure buckets.

storage.viewer

The storage.viewer role gives you read access to the list of buckets, settings, and data.

Resource Manager

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

resource-manager.clouds.owner

Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

Virtual Private Cloud

vpc.viewer

The vpc.viewer role lets you view resource model objects:

Currently, this role can only be assigned for a folder or cloud.

vpc.user

The vpc.user role lets you connect to VPC network resources and use them. It includes all permissions of the vpc.viewer role and permission to:

Currently, this role can only be assigned for a folder or cloud.

vpc.privateAdmin

The vpc.privateAdmin role lets you manage connectivity between VMs and managed database clusters within Yandex.Cloud:

With this role, you can't make a VM or cluster available outside of the network they belong to. Use the vpc.publicAdmin role to manage external access permissions.

Currently, this role can only be assigned for a folder or cloud.

vpc.publicAdmin

The vpc.publicAdmin role lets you manage external connectivity:

  • Create and delete static public IP addresses.
  • Enable and disable the NAT to the internet function.
    It also includes all permissions granted by the vpc.viewer role.

The vpc.publicAdmin role is also required to create resources with public IP addresses, such as VMs or managed database clusters.

Currently, this role can only be assigned for a folder or cloud.

Important: if a network and subnet are in different folders, the vpc.publicAdmin role is checked for the folder where the network is located.

vpc.securityGroups.admin

The vpc.securityGroups.admin role is designed for managing security groups. It lets you create, update, and delete security groups, as well as rules in them.

Currently, this role can only be assigned for a folder or cloud.

vpc.admin

A network administrator role that provides full control over VPC resources. Includes the vpc.privateAdmin, vpc.publicAdmin, and vpc.securityGroups.admin roles.

Currently, this role can only be assigned for a folder or cloud.

In this article: