Revoke a role for a resource
If you want to prohibit a subject from accessing a resource, revoke the subject's roles for that resource or the resources that the access rights are inherited from. For more information, see How access management works in Yandex.Cloud.
Note
If you need to temporarily revoke all access rights from a user with a Yandex account, you can revoke just the resource-manager.clouds.member role. Although the user keeps all the other roles, they can't perform any operations with the cloud resources. When you add the user to the cloud again, the access rights will already be configured.
Revoke a role
In the management console, you can only revoke a cloud or folder role:
- Open the Access management page for the selected cloud. If necessary, switch to another cloud.
- Select the user whose role you want to revoke, click the icon next to the user, and choose Configure roles.
- Click the x next to the role to remove it. In the Roles in the cloud section, you can delete the roles assigned to the user in this cloud. In the Roles in folders section, you can delete folder roles assigned to the user.
In the CLI, to revoke a role from a subject, delete the corresponding access binding for the appropriate resource:
- View the roles assigned for a resource and their assignees:
  $ yc <SERVICE-NAME> <RESOURCE> list-access-bindings <RESOURCE-NAME>|<RESOURCE-ID>
  where:
  <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
  <RESOURCE> is the category of the resource, such as folder.
  <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
  <RESOURCE-ID> is the resource ID.
  For example, you can view what roles were assigned for the default folder and to whom:
  $ yc resource-manager folder list-access-bindings default
  +---------------------+----------------+----------------------+
  |       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
  +---------------------+----------------+----------------------+
  | editor              | serviceAccount | ajepg0mjas06siuj5usm |
  | viewer              | userAccount    | aje6o61dvog2h6g9a33s |
  +---------------------+----------------+----------------------+
- To delete an access binding, run:
  $ yc <SERVICE-NAME> <RESOURCE> remove-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
      --role <ROLE-ID> \
      --subject <SUBJECT-TYPE>:<SUBJECT-ID>
  where:
  <ROLE-ID> is the ID of the role to revoke (such as resource-manager.clouds.owner).
  <SUBJECT-TYPE> is the type of subject to revoke the role from.
  <SUBJECT-ID> is the subject ID.
  For example, to revoke a role from a user with the ID aje6o61dvog2h6g9a33s:
  $ yc resource-manager folder remove-access-binding default \
      --role viewer \
      --subject userAccount:aje6o61dvog2h6g9a33s
Using the API, to revoke a resource role from a subject, delete the corresponding access binding:
- View what roles were assigned for resources and to whom using the listAccessBindings method. For example, to view the roles for the folder b1gvmob95yysaplct532:
  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
  {
    "accessBindings": [
      {
        "subject": {
          "id": "ajei8n54hmfhuk5nog0g",
          "type": "userAccount"
        },
        "roleId": "editor"
      }
    ]
  }
- Create a request body, for example, in a body.json file. In the request body, specify which access binding to delete. For example, revoke the editor role from user ajei8n54hmfhuk5nog0g:
  body.json:
  {
    "accessBindingDeltas": [{
      "action": "REMOVE",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "ajei8n54hmfhuk5nog0g",
          "type": "userAccount"
        }
      }
    }]
  }
- Revoke the role by deleting the specified access binding:
  $ export FOLDER_ID=b1gvmob95yysaplct532
  $ export IAM_TOKEN=CggaATEVAgA...
  $ curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
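As an added example (not Yandex.Cloud's own code), the following Python builds the accessBindingDeltas body for updateAccessBindings from a listAccessBindings response, emits no delta for a binding the subject does not actually hold, and re-checks a fresh listing after the update. The sample response and the local apply_deltas simulation are constructed assumptions; the subject IDs come from this page.

```python
import json

# Constructed sample: the listAccessBindings response shape from this page, with
# the page's IDs plus an extra viewer binding so a multi-role subject is covered.
SAMPLE_BINDINGS = {"accessBindings": [
    {"subject": {"id": "ajei8n54hmfhuk5nog0g", "type": "userAccount"}, "roleId": "editor"},
    {"subject": {"id": "ajei8n54hmfhuk5nog0g", "type": "userAccount"}, "roleId": "viewer"},
    {"subject": {"id": "ajepg0mjas06siuj5usm", "type": "serviceAccount"}, "roleId": "editor"},
]}


def _key(binding):
    """Identity of a binding: (role, subject id, subject type)."""
    return (binding["roleId"], binding["subject"]["id"], binding["subject"]["type"])


def find_bindings(response, subject_id, role_id=None):
    """Bindings held by subject_id on this resource, optionally only role_id."""
    return [b for b in response.get("accessBindings", [])
            if b["subject"]["id"] == subject_id and (role_id is None or b["roleId"] == role_id)]


def build_remove_body(response, subject_id, role_id=None):
    """Build the updateAccessBindings body: accessBindingDeltas with action REMOVE.
    Only bindings present in the listAccessBindings response are included, so the
    body carries no deltas when the subject holds no such role (nothing to revoke)."""
    deltas = [{"action": "REMOVE",
               "accessBinding": {"roleId": b["roleId"], "subject": dict(b["subject"])}}
              for b in find_bindings(response, subject_id, role_id)]
    return {"accessBindingDeltas": deltas}


def apply_deltas(response, body):
    """Offline simulation of how REMOVE deltas change the binding list (assumed
    semantics, for checking a body before sending it; the API makes the real change)."""
    removed = {_key(d["accessBinding"]) for d in body["accessBindingDeltas"]
               if d["action"] == "REMOVE"}
    return {"accessBindings": [b for b in response["accessBindings"] if _key(b) not in removed]}


def verify_revoked(response_after, subject_id, role_id=None):
    """True when a fresh listAccessBindings response no longer holds the binding(s)."""
    return not find_bindings(response_after, subject_id, role_id)


if __name__ == "__main__":
    # Write body.json revoking every role of one user, then check the simulated result.
    body = build_remove_body(SAMPLE_BINDINGS, "ajei8n54hmfhuk5nog0g")
    with open("body.json", "w") as f:
        json.dump(body, f, indent=2)
    print(verify_revoked(apply_deltas(SAMPLE_BINDINGS, body), "ajei8n54hmfhuk5nog0g"))  # True
```

After the real POST, feed the output of a new listAccessBindings call to verify_revoked rather than trusting the update response alone.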