Get started
Yandex Identity and Access Management

ServiceAccountService

A set of methods for managing ServiceAccount resources.

Call Description
Get Returns the specified ServiceAccount resource.
List Retrieves the list of ServiceAccount resources in the specified folder.
Create Creates a service account in the specified folder.
Update Updates the specified service account.
Delete Deletes the specified service account.
ListAccessBindings access Lists access bindings for the specified service account.
SetAccessBindings Sets access bindings for the service account.
UpdateAccessBindings Updates access bindings for the specified service account.
ListOperations Lists operations for the specified service account.

Calls ServiceAccountService

Get

Returns the specified ServiceAccount resource.
To get the list of available ServiceAccount resources, make a List request.

rpc Get (GetServiceAccountRequest) returns (ServiceAccount)

GetServiceAccountRequest

Field Description
service_account_id string
Required. ID of the ServiceAccount resource to return. To get the service account ID, use a ServiceAccountService.List request. The maximum string length in characters is 50.

ServiceAccount

Field Description
id string
ID of the service account.
folder_id string
ID of the folder that the service account belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the service account. The name is unique within the cloud. 3-63 characters long.
description string
Description of the service account. 0-256 characters long.

List

Retrieves the list of ServiceAccount resources in the specified folder.

rpc List (ListServiceAccountsRequest) returns (ListServiceAccountsResponse)

ListServiceAccountsRequest

Field Description
folder_id string
Required. ID of the folder to list service accounts in. To get the folder ID, use a yandex.cloud.resourcemanager.v1.FolderService.List request. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListServiceAccountsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100 The maximum value is 1000.
page_token string
Page token. To get the next page of results, set page_token to the ListServiceAccountsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.
filter string
  1. The field name. Currently you can use filtering only on the ServiceAccount.name field.
  2. An operator. Can be either = or != for single values, IN or NOT IN for lists of values.
  3. The value. Must be 3-63 characters long and match the regular expression ^[a-z][-a-z0-9]{1,61}[a-z0-9]$.
The maximum string length in characters is 1000.

ListServiceAccountsResponse

Field Description
service_accounts[] ServiceAccount
List of ServiceAccount resources.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListServiceAccountsRequest.page_size, use the next_page_token as the value for the ListServiceAccountsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

ServiceAccount

Field Description
id string
ID of the service account.
folder_id string
ID of the folder that the service account belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the service account. The name is unique within the cloud. 3-63 characters long.
description string
Description of the service account. 0-256 characters long.

Create

Creates a service account in the specified folder.

rpc Create (CreateServiceAccountRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:CreateServiceAccountMetadata

    Operation.response:ServiceAccount

CreateServiceAccountRequest

Field Description
folder_id string
Required. ID of the folder to create a service account in. To get the folder ID, use a yandex.cloud.resourcemanager.v1.FolderService.List request. The maximum string length in characters is 50.
name string
Required. Name of the service account. The name must be unique within the cloud. Value must match the regular expression |[a-z][-a-z0-9]{1,61}[a-z0-9].
description string
Description of the service account. The maximum string length in characters is 256.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<CreateServiceAccountMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<ServiceAccount>
if operation finished successfully.

CreateServiceAccountMetadata

Field Description
service_account_id string
ID of the service account that is being created.

ServiceAccount

Field Description
id string
ID of the service account.
folder_id string
ID of the folder that the service account belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the service account. The name is unique within the cloud. 3-63 characters long.
description string
Description of the service account. 0-256 characters long.

Update

Updates the specified service account.

rpc Update (UpdateServiceAccountRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:UpdateServiceAccountMetadata

    Operation.response:ServiceAccount

UpdateServiceAccountRequest

Field Description
service_account_id string
Required. ID of the ServiceAccount resource to update. To get the service account ID, use a ServiceAccountService.List request. The maximum string length in characters is 50.
update_mask google.protobuf.FieldMask
Field mask that specifies which fields of the ServiceAccount resource are going to be updated.
name string
Required. Name of the service account. The name must be unique within the cloud. Value must match the regular expression |[a-z][-a-z0-9]{1,61}[a-z0-9].
description string
Description of the service account. The maximum string length in characters is 256.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<UpdateServiceAccountMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<ServiceAccount>
if operation finished successfully.

UpdateServiceAccountMetadata

Field Description
service_account_id string
ID of the ServiceAccount resource that is being updated.

ServiceAccount

Field Description
id string
ID of the service account.
folder_id string
ID of the folder that the service account belongs to.
created_at google.protobuf.Timestamp
Creation timestamp.
name string
Name of the service account. The name is unique within the cloud. 3-63 characters long.
description string
Description of the service account. 0-256 characters long.

Delete

Deletes the specified service account.

rpc Delete (DeleteServiceAccountRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:DeleteServiceAccountMetadata

    Operation.response:google.protobuf.Empty

DeleteServiceAccountRequest

Field Description
service_account_id string
Required. ID of the service account to delete. To get the service account ID, use a ServiceAccountService.List request. The maximum string length in characters is 50.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<DeleteServiceAccountMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<google.protobuf.Empty>
if operation finished successfully.

DeleteServiceAccountMetadata

Field Description
service_account_id string
ID of the service account that is being deleted.

ListAccessBindings

access Lists access bindings for the specified service account.

rpc ListAccessBindings (ListAccessBindingsRequest) returns (ListAccessBindingsResponse)

ListAccessBindingsRequest

Field Description
resource_id string
Required. ID of the resource to list access bindings for.
To get the resource ID, use a corresponding List request. For example, use the yandex.cloud.resourcemanager.v1.CloudService.List request to get the Cloud resource ID. The maximum string length in characters is 50.
page_size int64
The maximum number of results per page that should be returned. If the number of available results is larger than page_size, the service returns a ListAccessBindingsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
page_token string
Page token. Set page_token to the ListAccessBindingsResponse.next_page_token returned by a previous list request to get the next page of results. The maximum string length in characters is 100.

ListAccessBindingsResponse

Field Description
access_bindings[] AccessBinding
List of access bindings for the specified resource.
next_page_token string
This token allows you to get the next page of results for list requests. If the number of results is larger than ListAccessBindingsRequest.page_size, use the next_page_token as the value for the ListAccessBindingsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

AccessBinding

Field Description
role_id string
Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50.
subject Subject
Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description
id string
Required.
  • allAuthenticatedUsers: A special system identifier that represents anyone
  • allUsers: A special system identifier that represents anyone. No authentication is required.
  • <cloud generated id>: An identifier that represents a user account.
The maximum string length in characters is 50.
type string
Required.
  • userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
  • serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
  • federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
  • system: System group. This type represents several accounts with a common system identifier.
The maximum string length in characters is 100.

SetAccessBindings

Sets access bindings for the service account.

rpc SetAccessBindings (SetAccessBindingsRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:SetAccessBindingsMetadata

    Operation.response:google.protobuf.Empty

SetAccessBindingsRequest

Field Description
resource_id string
Required. ID of the resource for which access bindings are being set.
To get the resource ID, use a corresponding List request. The maximum string length in characters is 50.
access_bindings[] AccessBinding
Required. Access bindings to be set. For more information, see Access Bindings.

AccessBinding

Field Description
role_id string
Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50.
subject Subject
Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

Subject

Field Description
id string
Required.
  • allAuthenticatedUsers: A special system identifier that represents anyone
  • allUsers: A special system identifier that represents anyone. No authentication is required.
  • <cloud generated id>: An identifier that represents a user account.
The maximum string length in characters is 50.
type string
Required.
  • userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
  • serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
  • federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
  • system: System group. This type represents several accounts with a common system identifier.
The maximum string length in characters is 100.

Operation

Field Description
id string
ID of the operation.
description string
Description of the operation. 0-256 characters long.
created_at google.protobuf.Timestamp
Creation timestamp.
created_by string
ID of the user or service account who initiated the operation.
modified_at google.protobuf.Timestamp
The time when the Operation resource was last modified.
done bool
If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
metadata google.protobuf.Any<SetAccessBindingsMetadata>
Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
result oneof: error or response
The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
  error google.rpc.Status
The error result of the operation in case of failure or cancellation.
  response google.protobuf.Any<google.protobuf.Empty>
if operation finished successfully.

SetAccessBindingsMetadata

Field Description
resource_id string
ID of the resource for which access bindings are being set.

UpdateAccessBindings

Updates access bindings for the specified service account.

rpc UpdateAccessBindings (UpdateAccessBindingsRequest) returns (operation.Operation)

Metadata and response of Operation:

    Operation.metadata:UpdateAccessBindingsMetadata

    Operation.response:google.protobuf.Empty

UpdateAccessBindingsRequest

Field Description
resource_id string
Required. ID of the resource for which access bindings are being updated. The maximum string length in characters is 50.
access_binding_deltas[] AccessBindingDelta
Required. Updates to access bindings. The number of elements must be greater than 0.

AccessBindingDelta

Field Description
action enum AccessBindingAction
Required. The action that is being performed on an access binding.
  • ADD: Addition of an access binding.
  • REMOVE: Removal of an access binding.
    access_binding AccessBinding
    Required. Access binding. For more information, see Access Bindings.

    AccessBinding

    Field Description
    role_id string
    Required. ID of the yandex.cloud.iam.v1.Role that is assigned to the subject. The maximum string length in characters is 50.
    subject Subject
    Required. Identity for which access binding is being created. It can represent an account with a unique ID or several accounts with a system identifier.

    Subject

    Field Description
    id string
    Required.
    • allAuthenticatedUsers: A special system identifier that represents anyone
    • allUsers: A special system identifier that represents anyone. No authentication is required.
    • <cloud generated id>: An identifier that represents a user account.
    The maximum string length in characters is 50.
    type string
    Required.
    • userAccount: An account on Yandex or Yandex.Connect, added to Yandex.Cloud.
    • serviceAccount: A service account. This type represents the yandex.cloud.iam.v1.ServiceAccount resource.
    • federatedUser: A federated account. This type represents a user from an identity federation, like Active Directory.
    • system: System group. This type represents several accounts with a common system identifier.
    The maximum string length in characters is 100.

    Operation

    Field Description
    id string
    ID of the operation.
    description string
    Description of the operation. 0-256 characters long.
    created_at google.protobuf.Timestamp
    Creation timestamp.
    created_by string
    ID of the user or service account who initiated the operation.
    modified_at google.protobuf.Timestamp
    The time when the Operation resource was last modified.
    done bool
    If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
    metadata google.protobuf.Any<UpdateAccessBindingsMetadata>
    Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
    result oneof: error or response
    The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
      error google.rpc.Status
    The error result of the operation in case of failure or cancellation.
      response google.protobuf.Any<google.protobuf.Empty>
    if operation finished successfully.

    UpdateAccessBindingsMetadata

    Field Description
    resource_id string
    ID of the resource for which access bindings are being updated.

    ListOperations

    Lists operations for the specified service account.

    rpc ListOperations (ListServiceAccountOperationsRequest) returns (ListServiceAccountOperationsResponse)

    ListServiceAccountOperationsRequest

    Field Description
    service_account_id string
    Required. ID of the ServiceAccount resource to list operations for. The maximum string length in characters is 50.
    page_size int64
    The maximum number of results per page to return. If the number of available results is larger than page_size, the service returns a ListServiceAccountOperationsResponse.next_page_token that can be used to get the next page of results in subsequent list requests. Default value: 100. The maximum value is 1000.
    page_token string
    Page token. To get the next page of results, set page_token to the ListServiceAccountOperationsResponse.next_page_token returned by a previous list request. The maximum string length in characters is 100.

    ListServiceAccountOperationsResponse

    Field Description
    operations[] operation.Operation
    List of operations for the specified service account.
    next_page_token string
    This token allows you to get the next page of results for list requests. If the number of results is larger than ListServiceAccountOperationsRequest.page_size, use the next_page_token as the value for the ListServiceAccountOperationsRequest.page_token query parameter in the next list request. Each subsequent list request will have its own next_page_token to continue paging through the results.

    Operation

    Field Description
    id string
    ID of the operation.
    description string
    Description of the operation. 0-256 characters long.
    created_at google.protobuf.Timestamp
    Creation timestamp.
    created_by string
    ID of the user or service account who initiated the operation.
    modified_at google.protobuf.Timestamp
    The time when the Operation resource was last modified.
    done bool
    If the value is false, it means the operation is still in progress. If true, the operation is completed, and either error or response is available.
    metadata google.protobuf.Any
    Service-specific metadata associated with the operation. It typically contains the ID of the target resource that the operation is performed on. Any method that returns a long-running operation should document the metadata type, if any.
    result oneof: error or response
    The operation result. If done == false and there was no failure detected, neither error nor response is set. If done == false and there was a failure detected, error is set. If done == true, exactly one of error or response is set.
      error google.rpc.Status
    The error result of the operation in case of failure or cancellation.
      response google.protobuf.Any
    The normal response of the operation in case of success. If the original method returns no data on success, such as Delete, the response is google.protobuf.Empty. If the original method is the standard Create/Update, the response should be the target resource of the operation. Any method that returns a long-running operation should document the response type, if any.
    In this article: