Assigning roles

  • Assign a role to a user
  • Examples
    • Assign multiple roles
    • Resource access for a service account
    • Resource access for a federated user
    • Access to a resource for all users

To grant access to a resource, assign a role to the subject for that resource or the resource that the access rights are inherited from (such as a folder or cloud). For more information, see How access management works in Yandex.Cloud.

Assign a role to a user

This section describes how to assign a role to a user with a Yandex account. The examples below show how to assign roles to a service account, federated user, and all users at once.

Management console
CLI
API

In the management console, you can only assign a role for a cloud or folder:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click , and choose Configure roles.

  3. To add a cloud role, click in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

  1. Choose a role from the list in the Roles section.

  2. Get a user ID.

  3. Assign the role using the command:

    yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
        --role <ROLE-ID> \
        --subject userAccount:<USER-ACCOUNT-ID>
    

    where:

    • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
    • <RESOURCE> is the resource category, for example cloud.
    • <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
    • <RESOURCE-ID> is the resource ID.
    • <ROLE-ID> is the role ID, for example resource-manager.clouds.owner.
    • <USER-ACCOUNT-ID> is the ID of the user account that the role is assigned to.

    For example, assign the viewer role for the cloud mycloud:

    $ yc resource-manager cloud add-access-binding mycloud \
        --role viewer \
        --subject userAccount:aje6o61dvog2h6g9a33s
    

Use the updateAccessBindings method for the corresponding resource.

  1. Choose a role from the list in the Roles section.

  2. Get a user ID.

  3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "gfei8n54hmfhuk5nogse",
                    "type": "userAccount"
                }
            }
        }]
    }
    
  4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

For detailed instructions on how to assign a role for the corresponding resource, see:

  • Setting up access rights for a service account
  • Setting up cloud access rights
  • Setting up folder access rights

Examples

  • Assign multiple roles
  • Resource access for a service account
  • Resource access for a federated user
  • Access to a resource for all users

Assign multiple roles

Management console
CLI
API

Follow the instructions at the beginning of the section and assign multiple roles to the user.

To assign a role to another user, repeat all the steps in the instructions.

The add-access-binding command adds only one role per call. To assign multiple roles at once, use the set-access-bindings command.

Alert

The set-access-bindings command completely rewrites the access rights to the resource: all current roles for the resource are deleted and replaced with the ones you specify.

For example, to assign multiple roles for a folder:

  1. Make sure the resource doesn't have any roles that you don't want to lose:

    $ yc resource-manager folder list-access-bindings my-folder
    
  2. Assign roles. For example, assign the editor role to one user and the viewer role to another user:

    $ yc resource-manager folder set-access-bindings my-folder \
        --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse \
        --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
    
  1. To assign the editor role to one user and the viewer role to another user, add multiple access bindings to the request body file in accessBindingDeltas.

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "gfei8n54hmfhuk5nogse",
                    "type": "userAccount"
                }
            }
        },{
            "action": "ADD",
            "accessBinding": {
                "roleId": "viewer",
                "subject": {
                    "id": "helj89sfj80aj24nugsz",
                    "type": "userAccount"
                }
            }
        }]
    }
    
  2. Assign the specified roles, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

You can also assign roles using the setAccessBindings method.

Alert

The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.

  1. List new access bindings in the request body.

    body.json:

    {
        "accessBindings": [{
            "roleId": "editor",
            "subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" }
        },{
            "roleId": "viewer",
            "subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" }
        }]
    }
    
  2. Assign roles:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:setAccessBindings"
    
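The two request shapes above differ in what they do to bindings you did not mention: updateAccessBindings applies deltas, setAccessBindings replaces the whole list. The following added example (not part of the Yandex.Cloud documentation or SDK) builds an updateAccessBindings body from the difference between the current and the desired binding lists, and implements the check behind the alert: which existing bindings a setAccessBindings call would silently drop. The current bindings are a constructed sample using the IDs from this article.

```python
import json

# Constructed sample of what listAccessBindings (or `yc ... list-access-bindings`)
# returns for the folder today; IDs are the ones used in this article's examples.
CURRENT_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "aje6o61dvog2h6g9a33s", "type": "serviceAccount"}},
]


def binding_key(binding):
    # A binding is identified by its role plus the subject type and ID.
    return (binding["roleId"], binding["subject"]["type"], binding["subject"]["id"])


def build_update_body(current, desired):
    """Request body for updateAccessBindings that turns `current` into `desired`.

    Only the difference is sent: ADD deltas for missing bindings and REMOVE
    deltas for bindings that are no longer wanted. Bindings present in both
    lists are left untouched, so nothing is dropped by accident.
    """
    have = {binding_key(b): b for b in current}
    want = {binding_key(b): b for b in desired}
    deltas = [{"action": "ADD", "accessBinding": b} for k, b in want.items() if k not in have]
    deltas += [{"action": "REMOVE", "accessBinding": b} for k, b in have.items() if k not in want]
    return {"accessBindingDeltas": deltas}


def bindings_lost_by_set(current, new_bindings):
    """The check behind the alert: bindings that a setAccessBindings call with
    `new_bindings` would silently delete because they are not in the new list."""
    keep = {binding_key(b) for b in new_bindings}
    return [b for b in current if binding_key(b) not in keep]


if __name__ == "__main__":
    # Grant viewer to one more user without touching the two existing bindings.
    extra = {"roleId": "viewer", "subject": {"id": "helj89sfj80aj24nugsz", "type": "userAccount"}}
    print(json.dumps(build_update_body(CURRENT_BINDINGS, CURRENT_BINDINGS + [extra]), indent=2))
    # Sending only `extra` to setAccessBindings would drop both existing bindings.
    print(json.dumps(bindings_lost_by_set(CURRENT_BINDINGS, [extra]), indent=2))
```

Run `yc resource-manager folder list-access-bindings` (or the listAccessBindings method) first and feed its result in as `current`; the printed body can then be passed to curl as the body.json file shown above.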

Resource access for a service account

A service account can only be assigned roles for the resources of the cloud that the service account belongs to.

In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.

Management console
CLI
API

To assign a role for the folder where the service account was created:

  1. Select a folder.
  2. Go to the Service accounts tab.
  3. Click next to the service account and select Edit service account.
  4. Click Add role and select a role.
  5. Click Save.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign the service account a role for a resource, run:

yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject serviceAccount:<SERVICE-ACCOUNT-ID>

where:

  • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
  • <RESOURCE> is the resource category, for example cloud.
  • <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
  • <RESOURCE-ID> is the resource ID.
  • <ROLE-ID> is the role ID, for example resource-manager.clouds.owner.
  • <SERVICE-ACCOUNT-ID> is the ID of the service account that the role is assigned to.

For example, to assign the viewer role to a service account for the folder my-folder:

  1. Find out the service account ID by its name:

    $ yc iam service-account get my-robot
    id: aje6o61dvog2h6g9a33s
    folder_id: b1gvmob95yysaplct532
    created_at: "2018-10-15T18:01:25Z"
    name: my-robot
    

    If you don't know the name of the service account, get a list of service accounts with their IDs:

    $ yc iam service-account list
    +----------------------+------------------+-----------------+
    |          ID          |       NAME       |   DESCRIPTION   |
    +----------------------+------------------+-----------------+
    | aje6o61dvog2h6g9a33s | my-robot         | my description  |
    +----------------------+------------------+-----------------+
    
  2. Assign a role to the my-robot service account using its ID:

    $ yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject serviceAccount:aje6o61dvog2h6g9a33s
    
  1. Get the ID of the folder that the service account belongs to.

  2. Get a list of folder service accounts to find out their IDs:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
        "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
    
    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2dpblin8pe",
       "folderId": "b1gvmob95yysaplct532",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "my-robot",
       "description": "my description"
      }
     ]
    }
    
  3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "ajebqtreob2dpblin8pe",
                    "type": "serviceAccount"
                }
            }
        }]
    }
    
  4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

Resource access for a federated user

A federated user can only be assigned roles for the resources of the cloud that the federation belongs to.

Currently, a federated user can only be assigned a role from the management console.

Management console

The role assignment procedure is the same as for a user with a Yandex account. The user's federation name is shown next to the username.

In the management console, you can only assign a role for a cloud or folder:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click , and choose Configure roles.

  3. To add a cloud role, click in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

Access to a resource for all users

You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.

You can assign any role to the system group, except resource-manager.clouds.owner and resource-manager.clouds.member.

Alert

Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex.Cloud at your expense.

For example, allow any authenticated user to view information about a folder and its resources:

CLI
API

Assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:

$ yc resource-manager folder add-access-binding my-folder \
    --role viewer \
    --subject system:allAuthenticatedUsers

  1. Create a request body, for example, in a body.json file. In roleId, assign the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "viewer",
                "subject": {
                    "id": "allAuthenticatedUsers",
                    "type": "system"
                }
            }
        }]
    }
    
  2. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    
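Because a system-group binding makes a resource reachable by anyone with the folder ID, it is worth checking a request body before it is sent. The following added example (not part of the Yandex.Cloud documentation or SDK) reads either request shape used on this page, setAccessBindings (accessBindings) or updateAccessBindings (ADD deltas), and flags grants to allUsers or allAuthenticatedUsers: the owner and member roles that cannot be assigned to system groups, and the editor and admin grants the alert above warns against. The bodies in the main block are constructed samples.

```python
# Groups from the "Access to a resource for all users" section, and the roles
# this article says they must not (forbidden) or should not (risky) be given.
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}
FORBIDDEN_SYSTEM_ROLES = {"resource-manager.clouds.owner", "resource-manager.clouds.member"}
RISKY_PUBLIC_ROLES = {"editor", "admin"}


def bindings_in_request(body):
    """Bindings a request body would create: the accessBindings list of a
    setAccessBindings call, or the ADD deltas of an updateAccessBindings call."""
    if "accessBindings" in body:
        return list(body["accessBindings"])
    return [d["accessBinding"] for d in body.get("accessBindingDeltas", []) if d["action"] == "ADD"]


def audit_public_bindings(bindings):
    """Return (severity, roleId, group) for every binding whose subject is a
    system group: 'forbidden' for owner/member, 'risky' for editor/admin,
    'public' for any other role (still a deliberate public grant)."""
    findings = []
    for b in bindings:
        subject = b["subject"]
        if subject["type"] != "system" or subject["id"] not in SYSTEM_GROUPS:
            continue
        role = b["roleId"]
        if role in FORBIDDEN_SYSTEM_ROLES:
            severity = "forbidden"
        elif role in RISKY_PUBLIC_ROLES:
            severity = "risky"
        else:
            severity = "public"
        findings.append((severity, role, subject["id"]))
    return findings


def request_is_safe_to_send(body):
    # Gate for a deployment script: refuse risky or forbidden public grants.
    return all(sev == "public" for sev, _, _ in audit_public_bindings(bindings_in_request(body)))


if __name__ == "__main__":
    # The body from this section (viewer for allAuthenticatedUsers) passes;
    # a constructed editor grant to allUsers is flagged as risky.
    ok_body = {"accessBindingDeltas": [{"action": "ADD", "accessBinding":
               {"roleId": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}}}]}
    bad_body = {"accessBindings": [
        {"roleId": "editor", "subject": {"id": "allUsers", "type": "system"}}]}
    print(request_is_safe_to_send(ok_body), audit_public_bindings(bindings_in_request(bad_body)))
```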
© 2021 Yandex.Cloud LLC