Assign a role

To grant access to a resource, assign a role to the subject for that resource or the resource that the access rights are inherited from (such as a folder or cloud). For more information, see the section How access management in Yandex.Cloud works.

How to assign a role to a user

This section describes how to assign a role to a user's Yandex account. The Examples section below shows how to assign a role to a service account or to all users at once.

In the management console, you can only assign a role for a cloud or folder:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. In the line with the appropriate user name, click Configure roles.
  3. To assign a role, click the icon in the Roles for the cloud or Roles in folders section next to the appropriate folder.
  4. Choose a role from the list.

Using the CLI:

  1. Choose a role from the list in the Roles section.

  2. Get a user ID.

  3. Assign the role using the command:

    yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
        --role <ROLE-ID> \
        --subject userAccount:<USER-ACCOUNT-ID>
    

    where:

    • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
    • <RESOURCE> is the resource category, for example cloud.
    • <RESOURCE-NAME> is the resource name. You can specify a resource by its name or identifier.
    • <RESOURCE-ID> is the resource identifier.
    • <ROLE-ID> is the identifier of the role (for example, resource-manager.clouds.owner).
    • <USER-ACCOUNT-ID> is the identifier of the user account assigned the role.

    For example, assign the viewer role for the cloud mycloud:

    $ yc resource-manager cloud add-access-binding mycloud \
        --role viewer \
        --subject userAccount:aje6o61dvog2h6g9a33s
    

Use the updateAccessBindings method for the corresponding resource.

  1. Choose a role from the list in the Roles section.

  2. Get a user ID.

  3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "gfei8n54hmfhuk5nogse",
                    "type": "userAccount"
                }
            }
        }]
    }
    
  4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d @body.json \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

For detailed instructions on how to assign a role for the corresponding resource, see:

Examples

Assign multiple roles

Follow the instructions at the beginning of the section and assign multiple roles to the user.

To assign a role to another user, repeat all the steps in the instructions.

The add-access-binding command adds only one role per call. You can assign multiple roles at once using the set-access-bindings command.

Warning

The set-access-binding command completely rewrites the access rights to the resource. All current resource roles will be deleted.

For example, to assign multiple roles for a folder:

  1. Make sure the resource doesn't have any roles that you don't want to lose:

    $ yc resource-manager folder list-access-bindings my-folder
    
  2. Assign roles. For example, assign the editor role to one user and the viewer role to another user:

    $ yc resource-manager folder set-access-bindings my-folder \
        --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse \
        --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
    

Using the API:

  1. To assign the editor role to one user and the viewer role to another user, add multiple access bindings to the request body file in accessBindingDeltas.

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "gfei8n54hmfhuk5nogse",
                    "type": "userAccount"
                }
            }
        },{
            "action": "ADD",
            "accessBinding": {
                "roleId": "viewer",
                "subject": {
                    "id": "helj89sfj80aj24nugsz",
                    "type": "userAccount"
                }
            }
        }]
    }
    
  2. Assign the specified roles, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d @body.json \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

You can also assign roles using the setAccessBindings method.

Warning

The setAccessBindings method completely rewrites the access rights to the resource. All current resource roles will be deleted.

  1. List new access bindings in the request body.

    body.json:

    {
        "accessBindings": [{
            "roleId": "editor",
            "subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" }
        },{
            "roleId": "viewer",
            "subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" }
        }]
    }
    
  2. Assign roles:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d @body.json \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:setAccessBindings"
    
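Both warnings above describe the same risk: set-access-bindings and setAccessBindings replace the whole binding list, so any role not repeated in the request is silently revoked. The Python below is an added example, not code from the Yandex.Cloud documentation or tooling. It builds request bodies offline from a constructed list of current bindings (IDs are made up; the JSON shapes are the ones used on this page): either an accessBindingDeltas body for updateAccessBindings that changes only what differs, using ADD and the REMOVE action the API defines alongside it, or a setAccessBindings body that carries every existing binding forward. It also gives the pre-flight check the warning asks for, listing what a raw setAccessBindings call would drop.

```python
import json

# Constructed sample of what listing a folder's access bindings might return.
# Shape follows the accessBindings objects used on this page; IDs are made up.
CURRENT_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "aje6o61dvog2h6g9a33s", "type": "serviceAccount"}},
]

# Constructed desired end state for the same folder: keep the editor, move the
# viewer role from the service account to a user.
DESIRED_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "helj89sfj80aj24nugsz", "type": "userAccount"}},
]


def binding_key(binding):
    """Identity of a binding: one role granted to one subject."""
    return (binding["roleId"], binding["subject"]["type"], binding["subject"]["id"])


def build_deltas(current, desired):
    """Body for updateAccessBindings that moves `current` to `desired` one
    binding at a time (ADD / REMOVE), leaving everything else untouched."""
    cur = {binding_key(b): b for b in current}
    des = {binding_key(b): b for b in desired}
    deltas = []
    for key in sorted(des.keys() - cur.keys()):
        deltas.append({"action": "ADD", "accessBinding": des[key]})
    for key in sorted(cur.keys() - des.keys()):
        deltas.append({"action": "REMOVE", "accessBinding": cur[key]})
    return {"accessBindingDeltas": deltas}


def build_set_body(current, additions):
    """Body for setAccessBindings that keeps every existing binding and adds
    `additions`; duplicates collapse, so re-running it is harmless."""
    merged = {binding_key(b): b for b in current}
    for b in additions:
        merged[binding_key(b)] = b
    return {"accessBindings": [merged[key] for key in sorted(merged)]}


def removed_by_set(current, proposed):
    """Bindings that would be revoked if `proposed` were sent to
    setAccessBindings as-is: the check the warning above asks for."""
    kept = {binding_key(b) for b in proposed}
    return [b for b in current if binding_key(b) not in kept]


if __name__ == "__main__":
    # Write the body the curl calls on this page expect (`-d @body.json`).
    with open("body.json", "w") as fh:
        json.dump(build_deltas(CURRENT_BINDINGS, DESIRED_BINDINGS), fh, indent=2)
    lost = removed_by_set(CURRENT_BINDINGS, DESIRED_BINDINGS)
    print("bindings a raw setAccessBindings with the desired list would drop:",
          [binding_key(b) for b in lost])
```

Run it once before the curl call to produce body.json; for the sample data it emits one ADD and one REMOVE delta and reports that sending the desired list straight to setAccessBindings would drop the service account's viewer role.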

Resource access for a service account

In the management console you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.

To assign a role for the folder where the service account was created:

  1. Select a folder.
  2. Select the Service accounts tab.
  3. Click the icon next to the service account and select Edit service account.
  4. Click Add role and select a role.
  5. Click Save.

When using the CLI, the folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id flag.

To assign the service account a role for a resource, run:

yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject serviceAccount:<SERVICE-ACCOUNT-ID>

where:

  • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
  • <RESOURCE> is the resource category, for example cloud.
  • <RESOURCE-NAME> is the resource name. You can specify a resource by its name or identifier.
  • <RESOURCE-ID> is the resource identifier.
  • <ROLE-ID> is the identifier of the role (for example, resource-manager.clouds.owner).
  • <SERVICE-ACCOUNT-ID> is the identifier of the service account assigned the role.

For example, to assign the viewer role to a service account for the folder my-folder:

  1. Find out the service account ID by its name:

    $ yc iam service-account get my-robot
    id: aje6o61dvog2h6g9a33s
    folder_id: b1gvmob03goohplct641
    created_at: "2018-10-15T18:01:25Z"
    name: my-robot
    

    If you don't know the name of the service account, get a list of service accounts with their IDs:

    $ yc iam service-account list
    +----------------------+------------------+-----------------+
    |          ID          |       NAME       |   DESCRIPTION   |
    +----------------------+------------------+-----------------+
    | aje6o61dvog2h6g9a33s | my-robot         | my description  |
    +----------------------+------------------+-----------------+
    
  2. Assign a role to the my-robot service account using its ID:

    $ yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject serviceAccount:aje6o61dvog2h6g9a33s
    
Using the API:

  1. Get the ID of the folder with the service accounts.

  2. Get a list of folder service accounts to find out their IDs:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
        "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
    
    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2dpblin8pe",
       "folderId": "b1gd129pp9ha0vnvf5g7",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "my-robot",
       "description": "my description"
      }
     ]
    }
    
  3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "ajebqtreob2dpblin8pe",
                    "type": "serviceAccount"
                }
            }
        }]
    }
    
  4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d @body.json \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

Access to a resource for all users

You can grant access to a resource to all Yandex.Cloud users. To do this, assign a role to the system group allAuthenticatedUsers.

Allow any authenticated user to view information about a folder and its resources:

Using the CLI, assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:

$ yc resource-manager folder add-access-binding my-folder \
    --role viewer \
    --subject system:allAuthenticatedUsers

Using the API:

  1. Create a request body, for example, in a body.json file. In roleId, assign the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "viewer",
                "subject": {
                    "id": "allAuthenticatedUsers",
                    "type": "system"
                }
            }
        }]
    }
    
  2. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d @body.json \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
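The same binding is written two ways on this page: as the CLI argument form role=<ROLE-ID>,subject=<TYPE>:<ID> and as the API's accessBinding object. The Python below is an added example, not code from the Yandex.Cloud documentation or tooling. It converts between the two forms with validation of the subject types used on this page (userAccount, serviceAccount, system), and it filters a binding list for grants to the allAuthenticatedUsers system group, which is the widest grant described here and worth reviewing whenever a folder's bindings change. The sample bindings are constructed and the user and service account IDs are made up.

```python
import json

SUBJECT_TYPES = {"userAccount", "serviceAccount", "system"}  # subject types used on this page
BROAD_SYSTEM_GROUPS = {"allAuthenticatedUsers"}              # system group named on this page


def parse_binding_spec(spec):
    """Turn a CLI-style 'role=<ROLE-ID>,subject=<TYPE>:<ID>' argument into the
    accessBinding object the REST API expects. Raises ValueError on bad input."""
    fields = {}
    for part in spec.split(","):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed field {part!r} in {spec!r}")
        fields[key.strip()] = value.strip()
    missing = {"role", "subject"} - fields.keys()
    if missing:
        raise ValueError(f"missing {sorted(missing)} in {spec!r}")
    stype, sep, sid = fields["subject"].partition(":")
    if not sep or stype not in SUBJECT_TYPES or not sid:
        raise ValueError(f"subject must be <TYPE>:<ID> with a known type, got {fields['subject']!r}")
    return {"roleId": fields["role"], "subject": {"id": sid, "type": stype}}


def to_binding_spec(binding):
    """Inverse of parse_binding_spec: API object back to the CLI argument form."""
    subject = binding["subject"]
    return f"role={binding['roleId']},subject={subject['type']}:{subject['id']}"


def is_valid_spec(spec):
    """True when the CLI argument parses; handy for checking input before a call."""
    try:
        parse_binding_spec(spec)
        return True
    except ValueError:
        return False


def broad_grants(bindings):
    """Bindings that grant a role to every authenticated user of Yandex.Cloud."""
    return [b for b in bindings
            if b["subject"]["type"] == "system" and b["subject"]["id"] in BROAD_SYSTEM_GROUPS]


# Constructed sample: a folder's bindings after the allAuthenticatedUsers grant above.
FOLDER_BINDINGS = [
    parse_binding_spec("role=editor,subject=userAccount:gfei8n54hmfhuk5nogse"),
    parse_binding_spec("role=viewer,subject=system:allAuthenticatedUsers"),
]

if __name__ == "__main__":
    for b in broad_grants(FOLDER_BINDINGS):
        print("grant to every authenticated user:", to_binding_spec(b))
    # The same bindings as an updateAccessBindings body, as used on this page.
    deltas = [{"action": "ADD", "accessBinding": b} for b in FOLDER_BINDINGS]
    print(json.dumps({"accessBindingDeltas": deltas}, indent=2))
```

The parser rejects a subject without a type prefix or with a type outside the three used here, so a typo such as subject=allAuthenticatedUsers fails locally instead of reaching the API.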