Assigning roles

To grant access to a resource, assign a role to the subject for that resource or the resource that the access rights are inherited from (such as a folder or cloud). For more information, see How access management in Yandex.Cloud works.

Assign a role to a user

This section describes how to assign a role to a user with a Yandex account. The examples below show how to assign roles to a service account, federated user, and all users at once.

In the management console, you can only assign a role for a cloud or folder:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click the icon next to the user, and choose Configure roles.

  3. To add a cloud role, click the icon in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

To assign a role using the CLI:

  1. Choose a role from the list in the Roles section.

  2. Get a user ID.

  3. Assign the role using the command:

    yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
        --role <ROLE-ID> \
        --subject userAccount:<USER-ACCOUNT-ID>
    

    where:

    • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
    • <RESOURCE> is the resource category, for example cloud.
    • <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
    • <RESOURCE-ID> is the resource ID.
    • <ROLE-ID> is the role ID, for example resource-manager.clouds.owner.
    • <USER-ACCOUNT-ID> is the ID of the user account assigned the role.

    For example, assign the viewer role for the cloud mycloud:

    $ yc resource-manager cloud add-access-binding mycloud \
        --role viewer \
        --subject userAccount:aje6o61dvog2h6g9a33s
    

Use the updateAccessBindings method for the corresponding resource.

  1. Choose a role from the list in the Roles section.

  2. Get a user ID.

  3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "gfei8n54hmfhuk5nogse",
                    "type": "userAccount"
                }
            }
        }]
    }
    
  4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

For detailed instructions on how to assign a role for the corresponding resource, see:

Examples

Assign multiple roles

Follow the instructions at the beginning of the section and assign multiple roles to the user.

To assign a role to another user, repeat all the steps in the instructions.

The add-access-binding command adds only one role per invocation. You can assign multiple roles at once using the set-access-bindings command.

Warning

The set-access-bindings command completely rewrites the access rights to the resource. All current resource roles will be deleted and replaced by the ones you specify.

For example, to assign multiple roles for a folder:

  1. Make sure the resource doesn't have any roles that you don't want to lose:

    $ yc resource-manager folder list-access-bindings my-folder
    
  2. Assign roles. For example, assign the editor role to one user and the viewer role to another user:

    $ yc resource-manager folder set-access-bindings my-folder \
        --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse \
        --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
    
To assign multiple roles using the API:

  1. To assign the editor role to one user and the viewer role to another user, add multiple access bindings to accessBindingDeltas in the request body file.

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "gfei8n54hmfhuk5nogse",
                    "type": "userAccount"
                }
            }
        },{
            "action": "ADD",
            "accessBinding": {
                "roleId": "viewer",
                "subject": {
                    "id": "helj89sfj80aj24nugsz",
                    "type": "userAccount"
                }
            }
        }]
    }
    
  2. Assign the specified roles, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

You can also assign roles using the setAccessBindings method.

Warning

The setAccessBindings method completely rewrites the access rights to the resource. All current resource roles will be deleted and replaced by the ones you specify.

  1. List new access bindings in the request body.

    body.json:

    {
        "accessBindings": [{
            "roleId": "editor",
            "subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" }
        },{
            "roleId": "viewer",
            "subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" }
        }]
    }
    
  2. Assign roles:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:setAccessBindings"
    

Resource access for a service account

In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.

To assign a role for the folder where the service account was created:

  1. Select a folder.
  2. Go to the Service accounts tab.
  3. Click the icon next to the service account and select Edit service account.
  4. Click Add role and select a role.
  5. Click Save.

When using the CLI, the folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign the service account a role for a resource, run:

yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
    --role <ROLE-ID> \
    --subject serviceAccount:<SERVICE-ACCOUNT-ID>

where:

  • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
  • <RESOURCE> is the resource category, for example cloud.
  • <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
  • <RESOURCE-ID> is the resource ID.
  • <ROLE-ID> is the role ID, for example resource-manager.clouds.owner.
  • <SERVICE-ACCOUNT-ID> is the identifier of the service account assigned the role.

For example, to assign the viewer role to a service account for the folder my-folder:

  1. Find out the service account ID by its name:

    $ yc iam service-account get my-robot
    id: aje6o61dvog2h6g9a33s
    folder_id: b1gvmob95yysaplct532
    created_at: "2018-10-15T18:01:25Z"
    name: my-robot
    

    If you don't know the name of the service account, get a list of service accounts with their IDs:

    $ yc iam service-account list
    +----------------------+------------------+-----------------+
    |          ID          |       NAME       |   DESCRIPTION   |
    +----------------------+------------------+-----------------+
    | aje6o61dvog2h6g9a33s | my-robot         | my description  |
    +----------------------+------------------+-----------------+
    
  2. Assign a role to the my-robot service account using its ID:

    $ yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject serviceAccount:aje6o61dvog2h6g9a33s
    
To assign a role using the API:

  1. Get the ID of the folder with service accounts.

  2. Get a list of folder service accounts to find out their IDs:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
        "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
    
    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2dpblin8pe",
       "folderId": "b1gvmob95yysaplct532",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "my-robot",
       "description": "my description"
      }
     ]
    }
    
  3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "ajebqtreob2dpblin8pe",
                    "type": "serviceAccount"
                }
            }
        }]
    }
    
  4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

Resource access for a federated user

Currently, a federated user can only be assigned a role from the management console.

The role assignment procedure is the same as for a user with a Yandex account. The user's federation name is shown next to the username.

In the management console, you can only assign a role for a cloud or folder:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click the icon next to the user, and choose Configure roles.

  3. To add a cloud role, click the icon in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

Access to a resource for all users

You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.

You can assign any role to the system group, except resource-manager.clouds.owner and resource-manager.clouds.member.

Warning

Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex.Cloud at your expense.

For example, allow any authenticated user to view information about a folder and its resources:

Assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:

    $ yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject system:allAuthenticatedUsers

To assign the role using the API:

  1. Create a request body, for example, in a body.json file. In roleId, specify the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "viewer",
                "subject": {
                    "id": "allAuthenticatedUsers",
                    "type": "system"
                }
            }
        }]
    }
    
  2. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
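Two points on this page deserve a small tool rather than a hand-written body.json: set-access-bindings/setAccessBindings wipes every existing binding, and system groups (allAuthenticatedUsers, allUsers) must never get the clouds.owner or clouds.member roles and should not get editor or admin. The script below is an added example, not part of the Yandex.Cloud documentation or tooling. It takes the bindings currently on a resource (as list-access-bindings would report them) and the bindings you want, checks the desired list against those guardrails, and emits an updateAccessBindings body containing only the bindings that actually differ, so nothing is deleted by accident and a re-run is a no-op. It assumes the accessBindingDeltas format shown above plus the API's REMOVE delta action (the page shows only ADD). The sample bindings are constructed from the example IDs on this page.

```python
"""Plan a safe updateAccessBindings body instead of a destructive setAccessBindings call."""
import json

# System groups named on this page; a binding to them grants access to everyone.
SYSTEM_GROUPS = {"allAuthenticatedUsers", "allUsers"}
# Roles the page says can never be assigned to a system group.
FORBIDDEN_FOR_SYSTEM = {"resource-manager.clouds.owner", "resource-manager.clouds.member"}
# Roles the page warns against giving a system group: anyone could spend on your account.
RISKY_FOR_SYSTEM = {"editor", "admin"}


def binding(role_id, subject_type, subject_id):
    """Build one accessBinding object in the shape used by the API."""
    return {"roleId": role_id, "subject": {"id": subject_id, "type": subject_type}}


def _key(b):
    """Identity of a binding: role plus subject, independent of dict ordering."""
    return (b["roleId"], b["subject"]["type"], b["subject"]["id"])


def check_binding(b):
    """Return the guardrail violations for one desired binding (empty list if it is fine)."""
    problems = []
    subject = b["subject"]
    if subject["type"] == "system":
        if subject["id"] not in SYSTEM_GROUPS:
            problems.append(f"unknown system group {subject['id']!r}")
        if b["roleId"] in FORBIDDEN_FOR_SYSTEM:
            problems.append(f"{b['roleId']} cannot be assigned to a system group")
        if b["roleId"] in RISKY_FOR_SYSTEM:
            problems.append(f"{b['roleId']} for {subject['id']} lets anyone use the resource at your expense")
    return problems


def plan_deltas(current, desired):
    """Compute the accessBindingDeltas that turn `current` into `desired`.

    Bindings present in both lists are left untouched, so a re-run with an unchanged
    desired list produces an empty delta instead of rewriting every binding.
    Raises ValueError if any desired binding breaks a guardrail.
    """
    problems = [p for b in desired for p in check_binding(b)]
    if problems:
        raise ValueError("; ".join(problems))
    have = {_key(b): b for b in current}
    want = {_key(b): b for b in desired}
    deltas = [{"action": "ADD", "accessBinding": want[k]} for k in sorted(want.keys() - have.keys())]
    # REMOVE is the API's other delta action (assumed here; the page shows only ADD).
    deltas += [{"action": "REMOVE", "accessBinding": have[k]} for k in sorted(have.keys() - want.keys())]
    return {"accessBindingDeltas": deltas}


def plan_json(current, desired):
    """The request body as it would be written to body.json for updateAccessBindings."""
    return json.dumps(plan_deltas(current, desired), indent=4)


# Constructed sample: what list-access-bindings reported, and what we want to end up with.
CURRENT = [binding("editor", "userAccount", "gfei8n54hmfhuk5nogse")]
DESIRED = [
    binding("editor", "userAccount", "gfei8n54hmfhuk5nogse"),
    binding("viewer", "userAccount", "helj89sfj80aj24nugsz"),
    binding("viewer", "system", "allAuthenticatedUsers"),
]

if __name__ == "__main__":
    # Writes the deltas to stdout; redirect into body.json and POST it as shown above.
    print(plan_json(CURRENT, DESIRED))
```

With the sample data the plan contains two ADD deltas (the viewer role for the second user and for allAuthenticatedUsers) and leaves the existing editor binding alone; swapping the arguments produces the matching REMOVE deltas, and asking for admin on allUsers is refused before any request body is produced.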