Assigning roles
To grant access to a resource, assign a role to the subject for that resource or the resource that the access rights are inherited from (such as a folder or cloud). For more information, see How access management works in Yandex.Cloud.
Assign a role to a user
This section describes how to assign a role to a user with a Yandex account. The examples below show how to assign roles to a service account, federated user, and all users at once.
In the management console, you can only assign a role for a cloud or folder:

- Open the Access management page for the selected cloud. If necessary, switch to another cloud.
- Select the user to assign the role to, click the icon next to the user, and choose Configure roles.
- To add a cloud role, click the icon in the Roles for cloud section. To add a folder role, select the folder and click Assign role in the Roles in folders section.
- Choose a role from the list.
Assign the role using the command:

yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject userAccount:<USER-ACCOUNT-ID>

where:

- <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
- <RESOURCE> is the resource category, for example cloud.
- <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
- <RESOURCE-ID> is the resource ID.
- <ROLE-ID> is the role ID, for example resource-manager.clouds.owner.
- <USER-ACCOUNT-ID> is the ID of the user account assigned the role.

For example, assign the viewer role for the cloud mycloud:

$ yc resource-manager cloud add-access-binding mycloud \
    --role viewer \
    --subject userAccount:aje6o61dvog2h6g9a33s
Use the updateAccessBindings method for the corresponding resource.

- Create a request body, for example, in a body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "gfei8n54hmfhuk5nogse",
          "type": "userAccount"
        }
      }
    }]
  }

- Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
For detailed instructions on how to assign a role for the corresponding resource, see:
Examples
- Assign multiple roles
- Resource access for a service account
- Resource access for a federated user
- Access to a resource for all users
Assign multiple roles
Follow the instructions at the beginning of the section and assign multiple roles to the user.
To assign a role to another user, repeat all the steps in the instructions.

The add-access-binding command allows you to add only one role. You can assign multiple roles at once using the set-access-bindings command.

Alert
The set-access-bindings command completely rewrites the access rights to the resource. All current resource roles will be deleted.

For example, to assign multiple roles for a folder:

- Make sure the resource doesn't have any roles that you don't want to lose:

  $ yc resource-manager folder list-access-bindings my-folder

- Assign roles. For example, assign the editor role to one user and the viewer role to another user:

  $ yc resource-manager folder set-access-bindings my-folder \
      --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse \
      --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
- To assign the editor role to one user and the viewer role to another user, add multiple access bindings to the request body file in accessBindingDeltas.

  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "gfei8n54hmfhuk5nogse",
          "type": "userAccount"
        }
      }
    }, {
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "helj89sfj80aj24nugsz",
          "type": "userAccount"
        }
      }
    }]
  }

- Assign the specified roles, say, for the folder with the b1gvmob95yysaplct532 ID:

  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

You can also assign roles using the setAccessBindings method.

Alert
The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.

- List the new access bindings in the request body.

  body.json:
  {
    "accessBindings": [{
      "roleId": "editor",
      "subject": {
        "id": "ajei8n54hmfhuk5nog0g",
        "type": "userAccount"
      }
    }, {
      "roleId": "viewer",
      "subject": {
        "id": "helj89sfj80aj24nugsz",
        "type": "userAccount"
      }
    }]
  }

- Assign roles:

  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:setAccessBindings"
Resource access for a service account
A service account can only be assigned roles for the resources of the cloud that the service account belongs to.
In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.
To assign a role for the folder where the service account was created:

- Select a folder.
- Go to the Service accounts tab.
- Click the icon next to the service account and select Edit service account.
- Click Add role and select a role.
- Click Save.

In the CLI, the folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign the service account a role for a resource, run:

yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject serviceAccount:<SERVICE-ACCOUNT-ID>

where:

- <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
- <RESOURCE> is the resource category, for example cloud.
- <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
- <RESOURCE-ID> is the resource ID.
- <ROLE-ID> is the role ID, for example resource-manager.clouds.owner.
- <SERVICE-ACCOUNT-ID> is the ID of the service account assigned the role.

For example, to assign the viewer role to a service account for the folder my-folder:

- Find out the service account ID by its name:

  $ yc iam service-account get my-robot
  id: aje6o61dvog2h6g9a33s
  folder_id: b1gvmob95yysaplct532
  created_at: "2018-10-15T18:01:25Z"
  name: my-robot

  If you don't know the name of the service account, get a list of service accounts with their IDs:

  $ yc iam service-account list
  +----------------------+------------------+-----------------+
  |          ID          |       NAME       |   DESCRIPTION   |
  +----------------------+------------------+-----------------+
  | aje6o61dvog2h6g9a33s | my-robot         | my description  |
  +----------------------+------------------+-----------------+

- Assign a role to the my-robot service account using its ID:

  $ yc resource-manager folder add-access-binding my-folder \
      --role viewer \
      --subject serviceAccount:aje6o61dvog2h6g9a33s
- Get the ID of the folder with service accounts.

- Get a list of the folder's service accounts to find out their IDs:

  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
      "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2dpblin8pe",
        "folderId": "b1gvmob95yysaplct532",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "my-robot",
        "description": "my description"
      }
    ]
  }

- Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "ajebqtreob2dpblin8pe",
          "type": "serviceAccount"
        }
      }
    }]
  }

- Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
Resource access for a federated user
A federated user can only be assigned roles for the resources of the cloud that the federation belongs to.
Currently, a federated user can only be assigned a role from the management console.
The role assignment procedure is the same as for a user with a Yandex account. The user's federation name is shown next to the username.
In the management console, you can only assign a role for a cloud or folder:

- Open the Access management page for the selected cloud. If necessary, switch to another cloud.
- Select the user to assign the role to, click the icon next to the user, and choose Configure roles.
- To add a cloud role, click the icon in the Roles for cloud section. To add a folder role, select the folder and click Assign role in the Roles in folders section.
- Choose a role from the list.
Access to a resource for all users
You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.

You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.

Alert
Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex.Cloud at your expense.

For example, allow any authenticated user to view information about a folder and its resources:

Assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:

$ yc resource-manager folder add-access-binding my-folder \
    --role viewer \
    --subject system:allAuthenticatedUsers

- Create a request body, for example, in a body.json file. In roleId, specify the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID:

  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "allAuthenticatedUsers",
          "type": "system"
        }
      }
    }]
  }

- Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
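The two alerts on this page (setAccessBindings silently dropping existing roles, and editor/admin or owner/member never going to a system group) can both be enforced before a request is sent. The following is an added example, not Yandex.Cloud's own code or API client: it builds an updateAccessBindings body as ADD/REMOVE deltas from a listed current state, so nothing is overwritten unless pruning is explicitly requested, and refuses the forbidden system-group bindings. The function names, role sets and sample bindings are my own constructions.

```python
import json

# From the page's alerts: roles that must never be granted to a system group
# (allUsers / allAuthenticatedUsers). Set and function names are my own.
FORBIDDEN_PUBLIC_ROLES = {"editor", "admin", "resource-manager.clouds.owner",
                          "resource-manager.clouds.member"}
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}


def check_binding(binding):
    """Raise ValueError for a binding the page's alerts forbid; else return it."""
    subj = binding["subject"]
    if (subj["type"] == "system" and subj["id"] in SYSTEM_GROUPS
            and binding["roleId"] in FORBIDDEN_PUBLIC_ROLES):
        raise ValueError(f"refusing to grant {binding['roleId']} to {subj['id']}")
    return binding


def _key(b):
    return (b["roleId"], b["subject"]["type"], b["subject"]["id"])


def build_deltas(current, desired, prune=False):
    """Build an updateAccessBindings body that ADDs what `current` lacks.
    With prune=True it also emits REMOVE deltas for bindings absent from
    `desired`, i.e. exactly what setAccessBindings would have silently dropped."""
    cur = {_key(b): b for b in current}
    want = {_key(check_binding(b)): b for b in desired}
    deltas = []
    if prune:
        deltas += [{"action": "REMOVE", "accessBinding": cur[k]}
                   for k in cur if k not in want]
    deltas += [{"action": "ADD", "accessBinding": want[k]}
               for k in want if k not in cur]
    return {"accessBindingDeltas": deltas}


# Constructed sample data: bindings a folder currently has (as listAccessBindings
# would report them) and the bindings an operator wants to end up with.
CURRENT = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "aje6o61dvog2h6g9a33s", "type": "serviceAccount"}},
]
DESIRED = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "helj89sfj80aj24nugsz", "type": "userAccount"}},
]

if __name__ == "__main__":
    # Safe default: only the new viewer binding is added; the service account keeps its role.
    print(json.dumps(build_deltas(CURRENT, DESIRED), indent=2))
```

The printed body can be sent with the same curl call as above to the :updateAccessBindings endpoint; run with prune=True only after reviewing the REMOVE deltas it produces.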