Assign a role
To grant access to a resource, assign a role to the subject for that resource or the resource that the access rights are inherited from (such as a folder or cloud). For more information, see the section How access management in Yandex.Cloud works.
How to assign a role to a user
This section describes how to assign a role for a user's account on Yandex. The examples below show how to assign a role for a service account or all users at once.
In the management console, you can only assign a role for a cloud or folder:
-
Open the Access management page for the selected cloud. If necessary, switch to another cloud.
-
Select the user to assign the role to, click
, and choose Configure roles. -
To add a cloud role, click
in the Roles for cloud section. To add a folder role, select the folder and click Assign role in the Roles in folders section.
-
Choose a role from the list.
-
Choose a role from the list in the Roles section.
-
Assign the role using the command:
yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \ --role <ROLE-ID> \ --subject userAccount:<USER-ACCOUNT-ID>where:
<SERVICE-NAME>is the name of the service that the resource belongs to (for example,resource-manager).<RESOURCE>is the resource category, for examplecloud.<RESOURCE-NAME>is the name of the resource. You can specify a resource by its name or identifier.<RESOURCE-ID>is the resource identifier.<ROLE-ID>is the identifier of the role (for example,resource-manager.clouds.owner).<USER-ACCOUNT-ID>is the identifier of the user account assigned the role.
For example, assign the
viewerrole for the cloudmycloud:$ yc resource-manager cloud add-access-binding mycloud \ --role viewer \ --subject userAccount:aje6o61dvog2h6g9a33s
Use the updateAccessBindings method for the corresponding resource.
-
Choose a role from the list in the Roles section.
-
Create a request body, for example, in a
body.jsonfile. Set theactionproperty toADDand specify theuserAccounttype and user ID in thesubjectproperty:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "gfei8n54hmfhuk5nogse", "type": "userAccount" } } } ] } -
Assign a role, say, for the folder with the
b1gvmob95yysaplct532ID:$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d @body.json \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
For detailed instructions on how to assign a role for the corresponding resource, see:
Examples
Assign multiple roles
Follow the instructions at the beginning of the section and assign multiple roles to the user.
To assign a role to another user, repeat all the steps in the instructions.
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-binding command.
Warning
The set-access-binding command completely rewrites the access rights to the resource. All current resource roles will be deleted.
For example, to assign multiple roles for a folder:
-
Make sure the resource doesn't have any roles that you don't want to lose:
$ yc resource-manager folder list-access-binding my-folder -
Assign roles. For example, assign the
editorrole to one user and theviewerrole to another user:$ yc resource-manager folder set-access-bindings my-folder \ --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
-
To assign the
editorrole to one user and theviewerrole to another user, add multiple access bindings to the request body file inaccessBindingDeltas.body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "gfei8n54hmfhuk5nogse", "type": "userAccount" } } },{ "action": "ADD", "accessBinding": { "roleId": "viewer", "subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" } } }] } -
Assign the specified roles, say, for the folder with the
b1gvmob95yysaplct532ID:$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d @body.json \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
You can also assign roles using the setAccessBindings method.
Warning
The setAccessBindings method completely rewrites the access rights to the resource. All current resource roles will be deleted.
-
List new access bindings in the request body.
body.json:
{ "accessBindings": [{ "roleId": "editor", "subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" } },{ "roleId": "viewer", "subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" } }] } -
Assign roles:
$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d @body.json \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:setAccessBindings"
Resource access for a service account
In the management console you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.
To assign a role for the folder where the service account was created:
- Select a folder.
- Select the Service accounts tab.
- Click next to the service account and select Edit service account.
- Click Add role and select a role.
- Click Save.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id flag.
To assign the service account a role for a resource, run:
yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
--role <ROLE-ID> \
--subject serviceAccount:<SERVICE-ACCOUNT-ID>
where:
<SERVICE-NAME>is the name of the service that the resource belongs to (for example,resource-manager).<RESOURCE>is the resource category, for examplecloud.<RESOURCE-NAME>is the name of the resource. You can specify a resource by its name or identifier.<RESOURCE-ID>is the resource identifier.<ROLE-ID>is the identifier of the role (for example,resource-manager.clouds.owner).<SERVICE-ACCOUNT-ID>is the identifier of the service account assigned the role.
For example, to assign the viewer role to a service account for the folder my-folder:
-
Find out the service account ID by its name:
$ yc iam service-account get my-robot id: aje6o61dvog2h6g9a33s folder_id: b1gvmob95yysaplct532 created_at: "2018-10-15T18:01:25Z" name: my-robotIf you don't know the name of the service account, get a list of service accounts with their IDs:
$ yc iam service-account list +----------------------+------------------+-----------------+ | ID | NAME | DESCRIPTION | +----------------------+------------------+-----------------+ | aje6o61dvog2h6g9a33s | my-robot | my description | +----------------------+------------------+-----------------+ -
Assign a role to the
my-robotservice account using its ID:$ yc resource-manager folder add-access-binding my-folder \ --role viewer \ --subject serviceAccount:aje6o61dvog2h6g9a33s
-
Get the ID of the folder with service accounts.
-
Get a list of folder service accounts to find out their IDs:
$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \ "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}" { "serviceAccounts": [ { "id": "ajebqtreob2dpblin8pe", "folderId": "b1gvmob95yysaplct532", "createdAt": "2018-10-18T13:42:40Z", "name": "my-robot", "description": "my description" } ] } -
Create a request body, for example, in a
body.jsonfile. Set theactionproperty toADDand specify theserviceAccounttype and service account ID in thesubjectproperty:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "ajebqtreob2dpblin8pe", "type": "serviceAccount" } } } ] } -
Assign a role, say, for the folder with the
b1gvmob95yysaplct532ID:$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d @body.json \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
Access to a resource for all users
You can grant access to a resource to all Yandex.Cloud users. To do this, assign a role to the system group allAuthenticatedUsers.
For example, allow any authenticated user to view information about a folder and its resources:
Assign the viewer for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:
$ yc resource-manager folder add-access-binding my-folder \
--role viewer \
--subject system:allAuthenticatedUsers
-
Create a request body, for example, in a
body.jsonfile. InroleId, assign theviewerrole. In thesubjectproperty, specify thesystemtype and theallAuthenticatedUsersID:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "viewer", "subject": { "id": "allAuthenticatedUsers", "type": "system" } } }] } -
Assign a role, say, for the folder with the
b1gvmob95yysaplct532ID:$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d @body.json \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"