Yandex Cloud users
Subjects are not just regular Yandex Cloud users. There are three types of subjects in Yandex Cloud: normal users, service accounts, and system groups. You can assign roles to any of these subjects.
A normal user is a user who has registered with Yandex Cloud.
The user registers with Yandex Cloud using a Yandex account.
The user can register independently with a promo code or an invite.
A service account is an account that can be used by your program to perform actions in Yandex Cloud. A service account can manage other resources via the API.
The service account is a resource: just like a virtual machine, a service account is created inside a folder. You can grant or revoke access rights to the service account for other users.
At the moment, service accounts are used to access resources of the Yandex Object Storage service. For more information, see the section How to use the API in the Object Storage documentation.
A system group is an identifier of a group of subjects.
At the moment, there is just one system group, allAuthenticatedUsers, that applies to any authenticated user. This may be any registered Yandex Cloud user or service account.
By assigning a role to the allAuthenticatedUsers subject for a resource, you grant public access to that resource to anyone authenticated in Yandex Cloud, but only for the operations allowed by that role.
This is useful if you want to share your resources with other Yandex Cloud users. For example, if you assign the role of compute.images.user to the allAuthenticatedUsers subject for a folder containing disk images, then anyone authenticated in Yandex Cloud can use these images to create new disks or virtual machines. To do this via the API, you just need to specify the folder ID and IAM token in the request.
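Because a role bound to allAuthenticatedUsers is open to every authenticated Yandex Cloud subject, it is worth reviewing such bindings regularly. The following is an added example, not code from the Yandex Cloud documentation, that flags them in a listing of access bindings and separates intentional shares from unexpected ones. The JSON shape (roleId, subject.id, subject.type), the resource labels, the subject IDs and every role other than compute.images.user are assumptions constructed for the example.

```python
import json

# Constructed sample: access bindings keyed by a hypothetical resource label.
# The {"roleId", "subject": {"id", "type"}} shape is an assumption.
SAMPLE = json.loads("""
{
  "folder:images-folder": [
    {"roleId": "compute.images.user",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "editor",
     "subject": {"id": "sa-example-1", "type": "serviceAccount"}}
  ],
  "folder:internal-folder": [
    {"roleId": "viewer",
     "subject": {"id": "user-example-1", "type": "userAccount"}},
    {"roleId": "editor",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}}
  ]
}
""")

PUBLIC_SUBJECT = "allAuthenticatedUsers"


def find_public_bindings(bindings_by_resource, allowed=frozenset()):
    """Return (resource, role, approved) for every role bound to the system group.

    `allowed` holds the (resource, role) pairs that were shared on purpose.
    """
    findings = []
    for resource, bindings in sorted(bindings_by_resource.items()):
        for binding in bindings:
            if binding.get("subject", {}).get("id") != PUBLIC_SUBJECT:
                continue  # bound to a specific user or service account
            role = binding.get("roleId", "")
            findings.append((resource, role, (resource, role) in allowed))
    return findings


def unapproved(findings):
    """Keep only the public bindings that are not on the allow-list."""
    return [(resource, role) for resource, role, ok in findings if not ok]


if __name__ == "__main__":
    approved = {("folder:images-folder", "compute.images.user")}
    for resource, role, ok in find_public_bindings(SAMPLE, approved):
        print("OK   " if ok else "ALERT", resource, role)
```

With the constructed sample, the intentional image share is reported as approved and the editor binding on the second folder is reported as an alert.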