Viewing assigned roles

    To view the permissions granted to an account for a resource, retrieve the list of roles assigned for the resource and its parent resources. Assigned roles are inherited by child resources from their parent resources. For example, if you want to find the permissions an account has for a folder, look at the roles for that folder and the cloud that the folder belongs to.

    To view permissions for all resources in a cloud, repeat this operation for every resource you can assign a role for. No single command is currently supported for retrieving the complete list of an account's roles in a cloud.

    Management console

    To view the roles of a user with a Yandex account or federated user:

    1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

    2. Select the user to assign the role to, click the options icon, and choose Configure roles.

    For a service account, in the management console you can only view the roles for the folder where the service account was created (to view roles for other resources, use the CLI or API):

    1. Go to the folder that the service account belongs to.
    2. Go to the Service accounts tab.
    3. The service account's roles for the current folder are listed in the Roles in folder column.

    CLI

    1. Get your account ID:

      1. Instructions for service accounts.
      2. Instructions for users with a Yandex account and federated users.
    2. Get the resource ID or name.

    3. View the roles assigned for a resource:

      $ yc <SERVICE-NAME> <RESOURCE> list-access-bindings <RESOURCE-NAME>|<RESOURCE-ID>
      

      where:

      • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
      • <RESOURCE> is the category of the resource, such as folder.
      • <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
      • <RESOURCE-ID> is the resource ID.

      For example, you can view what roles were assigned for the default folder and to whom:

      $ yc resource-manager folder list-access-bindings default
      +---------------------+----------------+----------------------+
      |       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
      +---------------------+----------------+----------------------+
      | editor              | serviceAccount | ajepg0mjas06siuj5usm |
      | viewer              | userAccount    | aje6o61dvog2h6g9a33s |
      +---------------------+----------------+----------------------+
      

      In the server response, find all the rows where the subject is either the account ID or one of the system groups allUsers and allAuthenticatedUsers.

    4. Repeat the previous two steps for all the parent resources.

    API

    1. Get your account ID:

      1. Instructions for service accounts.
      2. Instructions for users with a Yandex account and federated users.
    2. Get the resource ID or name.

    3. View what roles were assigned for resources and to whom using the listAccessBindings method. For example, to view the roles for the folder b1gvmob95yysaplct532:

      $ export FOLDER_ID=b1gvmob95yysaplct532
      $ export IAM_TOKEN=CggaATEVAgA...
      $ curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
      
      {
        "accessBindings": [
        {
          "subject": {
            "id": "ajei8n54hmfhuk5nog0g",
            "type": "userAccount"
          },
          "roleId": "editor"
        }
        ]
      }
      

      In the server response, find all the access bindings where the subject is either the account ID or one of the system groups allUsers and allAuthenticatedUsers.

    4. Repeat the previous two steps for all the parent resources.
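
    The filtering in step 3 and the walk over parent resources in step 4, as an added example that is not part of the original page: it takes saved listAccessBindings responses for a folder and its cloud and lists every role that applies to one account, directly or through allUsers / allAuthenticatedUsers. The subject IDs and responses are constructed, and the "system" subject type for the groups is an assumption; matching is done on the subject ID only.

```python
import json

# System groups named on the page: a binding to either one applies to the account too.
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample responses in the listAccessBindings shape shown above.
# The IDs are made up; the "system" subject type for groups is an assumption.
FOLDER_RESPONSE = json.loads("""
{"accessBindings": [
  {"subject": {"id": "aje-example-sa", "type": "serviceAccount"}, "roleId": "editor"},
  {"subject": {"id": "aje-example-user", "type": "userAccount"}, "roleId": "viewer"},
  {"subject": {"id": "allAuthenticatedUsers", "type": "system"}, "roleId": "viewer"}
]}
""")
CLOUD_RESPONSE = json.loads("""
{"accessBindings": [
  {"subject": {"id": "aje-example-user", "type": "userAccount"}, "roleId": "admin"}
]}
""")


def effective_roles(account_id, chain):
    """Return sorted (role, resource, granted_via) tuples that apply to account_id.

    chain is a list of (resource_label, response) pairs ordered from the
    resource itself up through its parents, e.g. folder first, then cloud.
    """
    found = set()
    for label, response in chain:
        # Tolerate a response that carries no accessBindings key.
        for binding in response.get("accessBindings", []):
            subject_id = binding["subject"]["id"]
            if subject_id == account_id:
                found.add((binding["roleId"], label, "direct"))
            elif subject_id in SYSTEM_GROUPS:
                found.add((binding["roleId"], label, subject_id))
    return sorted(found)


def public_grants(roles):
    """Subset of effective roles that come from a system group, worth reviewing."""
    return [r for r in roles if r[2] in SYSTEM_GROUPS]


if __name__ == "__main__":
    chain = [("folder", FOLDER_RESPONSE), ("cloud", CLOUD_RESPONSE)]
    for role, resource, via in effective_roles("aje-example-user", chain):
        print(f"{role:8} on {resource:6} via {via}")
```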
