Set service account access rights

This section describes how to assign a role for a service account as a resource. To assign a role for another resource to the service account, follow the instructions Assign role to service account.

You can't set service account access rights via the management console. You can assign a role for a folder hosting the service account.

CLI

API

Assign the user (subject) a role for the service account in your default folder:

yc iam service-account add-access-binding <SERVICE-ACCOUNT-NAME>|<SERVICE-ACCOUNT-ID> \
    --role <ROLE-ID> \
    --subject <SUBJECT-TYPE>:<SUBJECT-ID>

where:

<SERVICE-ACCOUNT-NAME> is the name of the service account the subject is assigned a role for. You can enter a service account by its name or identifier.
<SERVICE-ACCOUNT-ID> is the service account identifier.
<ROLE-ID> is the identifier of the role (for example, resource-manager.clouds.owner).
<SUBJECT-TYPE> is the type of the subject: system, userAccount or serviceAccount. For more information about subjects, see Yandex Cloud users.
<SUBJECT-ID> is the identifier of the subject assigned the role.

For example, assign a user the editor role for the myrobot service account:

yc iam service-account add-access-binding myrobot \
    --role editor \
    --subject userAccount:ajeptmgeb3f2q56bifci

If the service account belongs to a different folder, you can specify the folder using the --folder-id or folder-name flags:

yc iam service-account add-access-binding myrobot \
    --role editor \
    --subject userAccount:ajeptmgeb3f2q56bifci \
    --folder-name yet-another-folder

To assign a role for the service account, use the SetAccessBindings method for the ServiceAccount resource.