Yandex Cloud users

Users are the subjects of Yandex Cloud who perform operations on resources. Subjects can be assigned roles that define their access rights for a resource, folder, or cloud.

Subjects are not just regular Yandex Cloud users. There are three types of subjects in Yandex Cloud: normal users, service accounts, and system groups. You can assign roles to any of these subjects.

Normal user

A normal user is a user who has registered with Yandex Cloud.

The user registers with Yandex Cloud using a Yandex account.

The user can register independently with a promo code or an invite.

When a user registers with a promo code, they get their own cloud and are assigned as its owner. When a user registers by invite, they become a member of the cloud they were invited to.

Service account

A service account is an account that can be used by your program to perform actions in Yandex Cloud. A service account can manage other resources via the API.

The service account is a resource: just like a virtual machine, a service account is created inside a folder. You can grant or revoke access rights to the service account for other users.

At the moment, service accounts are used to access resources of the Yandex Object Storage service. For more information, see the section How to use the API in the Object Storage documentation.

System groups

A system group is an identifier of a group of subjects.

At the moment, there is just one system group, allAuthenticatedUsers, that applies to any authenticated user. This may be any registered Yandex Cloud user or service account.

By assigning a role to the allAuthenticatedUsers subject for a resource, you grant public access to that resource to anyone authenticated in Yandex Cloud, but only for the operations allowed by that role.

This is useful if you want to share your resources with other Yandex Cloud users. For example, if you assign the role of compute.images.user to the allAuthenticatedUsers subject for a folder containing disk images, then anyone authenticated in Yandex Cloud can use these images to create new disks or virtual machines. To do this via the API, you just need to specify the folder ID and IAM token in the request.
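An added example, not taken from the Yandex Cloud documentation: because a role granted to allAuthenticatedUsers opens a resource to every authenticated subject, it is worth reviewing which resources carry such a binding and whether each one is intentional. The sketch below scans constructed access-binding data; the JSON shape (roleId, subject.id, subject.type), the folder and account IDs, the editor and viewer roles, and the approved-list are assumptions made for illustration.

```python
import json

PUBLIC_SUBJECT = "allAuthenticatedUsers"  # system group named on this page

# Constructed sample: access bindings per folder, in an assumed JSON shape
# (roleId + subject{id, type}); folder and account IDs are made up.
SAMPLE = json.loads("""
{
  "folder-images-EXAMPLE": [
    {"roleId": "compute.images.user",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "editor",
     "subject": {"id": "user-0001-EXAMPLE", "type": "userAccount"}}
  ],
  "folder-prod-EXAMPLE": [
    {"roleId": "editor",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "viewer",
     "subject": {"id": "sa-0001-EXAMPLE", "type": "serviceAccount"}}
  ],
  "folder-empty-EXAMPLE": []
}
""")

def audit_public_bindings(bindings_by_resource, approved):
    """Return one finding per role granted to allAuthenticatedUsers.

    approved: set of (resource_id, role_id) pairs that are shared on
    purpose; every other public binding is reported as 'unexpected'.
    """
    findings = []
    for resource_id, bindings in sorted(bindings_by_resource.items()):
        for b in bindings or []:
            subject = b.get("subject") or {}  # tolerate a missing subject
            if subject.get("id") != PUBLIC_SUBJECT:
                continue
            role = b.get("roleId", "<missing roleId>")
            status = "approved" if (resource_id, role) in approved else "unexpected"
            findings.append({"resource": resource_id, "role": role, "status": status})
    return findings

if __name__ == "__main__":
    approved = {("folder-images-EXAMPLE", "compute.images.user")}
    for f in audit_public_bindings(SAMPLE, approved):
        print(f"{f['status']:10} {f['resource']}  role={f['role']}")
```

Only the image-sharing folder from the example above is treated as intentionally public; the editor binding on the second folder is the kind of grant the review is meant to surface.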