Assigning roles to a service account

    This section describes how to assign a service account a role for a resource. To grant another user a role on the service account itself (that is, with the service account as the resource), follow the instructions in Setting up access rights for a service account.

    In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.

    Management console

    To assign a role for the folder where the service account was created:

    1. Select a folder.
    2. Go to the Service accounts tab.
    3. Click the icon next to the service account and select Edit service account.
    4. Click Add role and select a role.
    5. Click Save.

    CLI

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    To assign the service account a role for a resource, run:

    yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
        --role <ROLE-ID> \
        --subject serviceAccount:<SERVICE-ACCOUNT-ID>
    

    where:

    • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
    • <RESOURCE> is the resource category, for example cloud.
    • <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
    • <RESOURCE-ID> is the resource ID.
    • <ROLE-ID> is the role ID, for example resource-manager.clouds.owner. Pick the narrowest role that covers what the service account actually does: a cloud-level owner role like the one in this example grants full control over every folder and resource in the cloud, while a role such as viewer, or a service-specific role, is usually enough for automation.
    • <SERVICE-ACCOUNT-ID> is the ID of the service account that receives the role.

    For example, to assign the viewer role to a service account for the folder my-folder:

    1. Look up the service account ID by name:

      $ yc iam service-account get my-robot
      id: aje6o61dvog2h6g9a33s
      folder_id: b1gvmob95yysaplct532
      created_at: "2018-10-15T18:01:25Z"
      name: my-robot
      

      If you don't know the name of the service account, get a list of service accounts with their IDs:

      $ yc iam service-account list
      +----------------------+------------------+-----------------+
      |          ID          |       NAME       |   DESCRIPTION   |
      +----------------------+------------------+-----------------+
      | aje6o61dvog2h6g9a33s | my-robot         | my description  |
      +----------------------+------------------+-----------------+
      
    2. Assign a role to the my-robot service account using its ID:

      $ yc resource-manager folder add-access-binding my-folder \
          --role viewer \
          --subject serviceAccount:aje6o61dvog2h6g9a33s
      
    API

    1. Get the ID of the folder that contains the service account.

    2. List the folder's service accounts to find their IDs:

      $ export FOLDER_ID=b1gvmob95yysaplct532
      $ export IAM_TOKEN=CggaATEVAgA...
      $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
          "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
      
      {
       "serviceAccounts": [
        {
         "id": "ajebqtreob2dpblin8pe",
         "folderId": "b1gvmob95yysaplct532",
         "createdAt": "2018-10-18T13:42:40Z",
         "name": "my-robot",
         "description": "my description"
        }
       ]
      }
      
    3. Create a request body, for example in a body.json file. Set the action property to ADD and, in the subject property, specify the serviceAccount type and the service account ID. An ADD delta appends this one binding and leaves the folder's existing bindings unchanged:

      body.json:

      {
        "accessBindingDeltas": [
          {
            "action": "ADD",
            "accessBinding": {
              "roleId": "editor",
              "subject": {
                "id": "ajebqtreob2dpblin8pe",
                "type": "serviceAccount"
              }
            }
          }
        ]
      }
      
    4. Assign the role on the folder, here the one with the ID b1gvmob95yysaplct532:

      $ export FOLDER_ID=b1gvmob95yysaplct532
      $ export IAM_TOKEN=CggaATEVAgA...
      $ curl -X POST \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer ${IAM_TOKEN}" \
          -d '@body.json' \
          "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
      
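    The API steps above, and the CLI step of resolving a service account name to an ID before binding, as one script. This is an added example, not code from the page or from Yandex Cloud tooling: it lists the folder's service accounts to find the ID for a name, builds the accessBindingDeltas body with action ADD, POSTs it to the folder's updateAccessBindings method, and then reads the folder's bindings back to confirm the role really landed. Two things are assumptions rather than taken from the page: the GET ...:listAccessBindings method (with nextPageToken paging) used for the final check, and the transport hook, which exists only so the HTTP calls can be swapped for a fake when testing offline. The IAM token is read from the environment rather than typed on the command line.

```python
import json
import os
import sys
import urllib.request
from typing import Callable, Optional

IAM_API = "https://iam.api.cloud.yandex.net/iam/v1"
RM_API = "https://resource-manager.api.cloud.yandex.net/resource-manager/v1"

# transport(method, url, token, body) -> decoded JSON. Injected (an assumption
# of this example) so the calls can be replaced by a fake offline; the default
# below performs the real HTTPS request.
Transport = Callable[[str, str, str, Optional[bytes]], dict]


def http_json(method: str, url: str, token: str, body: Optional[bytes]) -> dict:
    """Default transport: one HTTPS request carrying the IAM token as Bearer."""
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def find_service_account_id(folder_id: str, name: str, token: str,
                            transport: Transport = http_json) -> str:
    """Resolve a service account name to its ID by listing the folder (API step 2).
    Refuses to guess: zero or several matches raise instead of picking one."""
    url = f"{IAM_API}/serviceAccounts?folderId={folder_id}"
    accounts = transport("GET", url, token, None).get("serviceAccounts", [])
    ids = [sa["id"] for sa in accounts if sa.get("name") == name]
    if len(ids) != 1:
        raise LookupError(f"expected one service account named {name!r}, found {len(ids)}")
    return ids[0]


def add_binding_body(role_id: str, service_account_id: str) -> dict:
    """Request body for API step 3. An ADD delta appends this one binding and
    leaves the folder's other bindings as they are."""
    return {"accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": role_id,
            "subject": {"id": service_account_id, "type": "serviceAccount"},
        },
    }]}


def assign_folder_role(folder_id: str, role_id: str, service_account_id: str,
                       token: str, transport: Transport = http_json) -> dict:
    """API step 4: POST the delta to the folder's updateAccessBindings method."""
    body = json.dumps(add_binding_body(role_id, service_account_id)).encode("utf-8")
    return transport("POST", f"{RM_API}/folders/{folder_id}:updateAccessBindings", token, body)


def binding_present(folder_id: str, role_id: str, service_account_id: str,
                    token: str, transport: Transport = http_json) -> bool:
    """Read the folder's bindings back and look for the one just added.
    The listAccessBindings method and its nextPageToken paging are assumed
    by analogy with the other methods; check them against the API reference."""
    page_token = ""
    for _ in range(100):  # hard stop so a misbehaving server cannot loop us forever
        url = f"{RM_API}/folders/{folder_id}:listAccessBindings"
        if page_token:
            url += f"?pageToken={page_token}"
        data = transport("GET", url, token, None)
        for b in data.get("accessBindings", []):
            subj = b.get("subject", {})
            if (b.get("roleId") == role_id and subj.get("type") == "serviceAccount"
                    and subj.get("id") == service_account_id):
                return True
        page_token = data.get("nextPageToken", "")
        if not page_token:
            return False
    return False


def assign_and_verify(folder_id: str, sa_name: str, role_id: str, token: str,
                      transport: Transport = http_json) -> str:
    """Whole procedure: resolve the name, add the binding, confirm it is visible."""
    sa_id = find_service_account_id(folder_id, sa_name, token, transport)
    assign_folder_role(folder_id, role_id, sa_id, token, transport)
    if not binding_present(folder_id, role_id, sa_id, token, transport):
        raise RuntimeError(f"binding {role_id} for {sa_id} not visible after update")
    return sa_id


if __name__ == "__main__":
    # usage: IAM_TOKEN=... python assign_role.py <folder-id> <sa-name> <role-id>
    # The token comes from the environment so it never lands in shell history.
    folder, sa_name, role = sys.argv[1:4]
    print(assign_and_verify(folder, sa_name, role, os.environ["IAM_TOKEN"]))
```

    If the read-back check fails immediately after the POST, retry it after a short wait before concluding the role was not assigned; treat a persistent failure as a reason to inspect the folder's bindings by hand rather than proceeding as though the service account already has the role.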

    What's next