Setting up access rights for a service account
This section describes how to assign a role for a service account as a resource. To assign the service account a role for another resource, follow the instructions in Assigning roles to a service account.
You can't set service account access rights via the management console. You can, however, assign a role for the folder hosting the service account.
Assign a role to a service account
CLI
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- See the description of the command to assign a role for a service account as a resource:
  $ yc iam service-account add-access-binding --help
- Select a service account (for example, my-robot):
  $ yc iam service-account list
  +----------------------+----------+------------------+
  |          ID          |   NAME   |   DESCRIPTION    |
  +----------------------+----------+------------------+
  | ajebqtreob2dpblin8pe | test-sa  | test-description |
  | aje6o61dvog2h6g9a33s | my-robot |                  |
  +----------------------+----------+------------------+
- Choose a role:
  $ yc iam role list
  +--------------------------------+-------------+
  |               ID               | DESCRIPTION |
  +--------------------------------+-------------+
  | admin                          |             |
  | compute.images.user            |             |
  | editor                         |             |
  | ...                            |             |
  +--------------------------------+-------------+
- Find out the user's ID from the login or email address. To assign a role to a service account or a group of users rather than to one user, see the examples below.
  $ yc iam user-account get test-user
  id: gfei8n54hmfhuk5nogse
  yandex_passport_user_account:
    login: test-user
    default_email: test-user@yandex.ru
- Assign the user test-user the editor role for the my-robot service account. In the subject, specify the userAccount type and the user ID:
  $ yc iam service-account add-access-binding my-robot \
      --role editor \
      --subject userAccount:gfei8n54hmfhuk5nogse
API
Use the updateAccessBindings method for the ServiceAccount resource. You will need the service account ID and the ID of the user who is assigned the role for the service account.
- Find out the service account ID using the list method:
  $ curl -H "Authorization: Bearer <IAM-TOKEN>" \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yysaplct532
  {
    "serviceAccounts": [
      {
        "id": "aje6o61dvog2h6g9a33s",
        "folderId": "b1gvmob95yysaplct532",
        "createdAt": "2018-10-19T13:26:29Z",
        "name": "my-robot"
      }
      ...
    ]
  }
- Find out the user ID from the login using the getByLogin method:
  $ curl -H "Authorization: Bearer <IAM-TOKEN>" \
      https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
  {
    "id": "gfei8n54hmfhuk5nogse",
    "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
    }
  }
- Assign the user the editor role for the my-robot service account. Set the action property to ADD and specify the userAccount type and the user ID in the subject property:
  $ curl -X POST \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer <IAM-TOKEN>" \
      -d '{
        "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
            "roleId": "editor",
            "subject": {
              "id": "gfei8n54hmfhuk5nogse",
              "type": "userAccount"
            }
          }
        }]
      }' \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2h6g9a33s:updateAccessBindings
Examples
- Assign multiple roles
- Access from one service account to another service account
- Access to a resource for all users
Assign multiple roles
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites the access rights to the resource. All current resource roles will be deleted.
- Make sure the resource doesn't have any roles that you don't want to lose:
  $ yc iam service-account list-access-bindings my-robot
- For example, assign a role to multiple users:
  $ yc iam service-account set-access-bindings my-robot \
      --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse \
      --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
Using the updateAccessBindings method, assign the editor role to one user and the viewer role to another user:
  $ curl -X POST \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer <IAM-TOKEN>" \
      -d '{
        "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
            "roleId": "editor",
            "subject": {
              "id": "gfei8n54hmfhuk5nogse",
              "type": "userAccount"
            }
          }
        },{
          "action": "ADD",
          "accessBinding": {
            "roleId": "viewer",
            "subject": {
              "id": "helj89sfj80aj24nugsz",
              "type": "userAccount"
            }
          }
        }]
      }' \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2h6g9a33s:updateAccessBindings
You can also assign roles using the setAccessBindings method.
Alert
The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.
  $ curl -X POST \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer <IAM-TOKEN>" \
      -d '{
        "accessBindings": [{
          "roleId": "editor",
          "subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" }
        },{
          "roleId": "viewer",
          "subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" }
        }]
      }' \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2h6g9a33s:setAccessBindings
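Because set-access-bindings and setAccessBindings replace every binding on the resource, the safer way to reach a target set of roles is to compute the difference against the current bindings and send it as accessBindingDeltas to updateAccessBindings. The script below is an added example, not part of this page or of the Yandex.Cloud tooling; it assumes a list of bindings in the accessBinding shape shown above (constructed sample data), and uses the REMOVE action alongside the ADD action the page shows.

```python
import json

# Constructed sample: what list-access-bindings currently returns for my-robot.
CURRENT_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "ajebqtreob2dpblin8pe", "type": "serviceAccount"}},
]

# Constructed sample: the bindings we want to end up with (the page's two users).
DESIRED_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "helj89sfj80aj24nugsz", "type": "userAccount"}},
]


def binding_key(binding):
    """Identity of a binding: (role, subject type, subject id)."""
    return (binding["roleId"], binding["subject"]["type"], binding["subject"]["id"])


def access_binding_deltas(current, desired):
    """Return the accessBindingDeltas that turn `current` into `desired`.

    Bindings only in `current` become REMOVE deltas, bindings only in
    `desired` become ADD deltas, and bindings present in both produce no
    delta, so nothing is dropped silently the way setAccessBindings would.
    """
    current_map = {binding_key(b): b for b in current}
    desired_map = {binding_key(b): b for b in desired}
    deltas = []
    for key in sorted(current_map.keys() - desired_map.keys()):
        deltas.append({"action": "REMOVE", "accessBinding": current_map[key]})
    for key in sorted(desired_map.keys() - current_map.keys()):
        deltas.append({"action": "ADD", "accessBinding": desired_map[key]})
    return deltas


def update_request_body(current, desired):
    """Request body for serviceAccounts/<id>:updateAccessBindings as a dict."""
    return {"accessBindingDeltas": access_binding_deltas(current, desired)}


if __name__ == "__main__":
    # Prints the JSON you would pass to curl with -d.
    print(json.dumps(update_request_body(CURRENT_BINDINGS, DESIRED_BINDINGS), indent=2))
```

An empty delta list means the resource already matches the desired state, so no request needs to be sent.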
Access from one service account to another service account
Allow the test-sa service account to manage the my-robot service account:
CLI
- Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:
  $ yc iam service-account list
  +----------------------+----------+------------------+
  |          ID          |   NAME   |   DESCRIPTION    |
  +----------------------+----------+------------------+
  | ajebqtreob2dpblin8pe | test-sa  | test-description |
  | aje6o61dvog2h6g9a33s | my-robot |                  |
  +----------------------+----------+------------------+
- Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:
  $ yc iam service-account add-access-binding my-robot \
      --role editor \
      --subject serviceAccount:ajebqtreob2dpblin8pe
API
- Find out the ID of the test-sa service account that you want to assign the role to. To do this, get a list of available service accounts:
  $ curl -H "Authorization: Bearer <IAM-TOKEN>" \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yysaplct532
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2dpblin8pe",
        "folderId": "b1gvmob95yysaplct532",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "test-sa",
        "description": "test-description"
      },
      {
        "id": "aje6o61dvog2h6g9a33s",
        "folderId": "b1gvmob95yysaplct532",
        "createdAt": "2018-10-15T18:01:25Z",
        "name": "my-robot"
      }
    ]
  }
- Assign the test-sa service account the editor role for the other service account, my-robot. In the subject property, specify the serviceAccount type and the test-sa ID. In the request URL, specify the my-robot ID as the resource:
  $ curl -X POST \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer <IAM-TOKEN>" \
      -d '{
        "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
            "roleId": "editor",
            "subject": {
              "id": "ajebqtreob2dpblin8pe",
              "type": "serviceAccount"
            }
          }
        }]
      }' \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2h6g9a33s:updateAccessBindings
Access to a resource for all users
You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.
You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex.Cloud at your expense.
For example, allow any authenticated user to view information about the my-robot service account:
CLI
Assign the viewer role to the allAuthenticatedUsers system group. In the subject type, specify system:
  $ yc iam service-account add-access-binding my-robot \
      --role viewer \
      --subject system:allAuthenticatedUsers
API
Assign the viewer role to the allAuthenticatedUsers system group. In the subject property, specify the system type:
  $ curl -X POST \
      -H 'Content-Type: application/json' \
      -H "Authorization: Bearer <IAM-TOKEN>" \
      -d '{
        "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
            "roleId": "viewer",
            "subject": {
              "id": "allAuthenticatedUsers",
              "type": "system"
            }
          }
        }]
      }' \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2h6g9a33s:updateAccessBindings
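A binding to a system group is the one kind of binding worth reviewing regularly, since it makes the resource public. The audit below is an added example, not part of this page or of the Yandex.Cloud tooling; it assumes a list of bindings in the accessBinding shape used above (constructed sample data) and applies the two rules this section states: the two resource-manager.clouds roles cannot go to a system group at all, and editor or admin for a system group hands control of the resource to everyone.

```python
# Constructed sample: bindings as list-access-bindings would return them.
BINDINGS = [
    {"roleId": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "editor", "subject": {"id": "allUsers", "type": "system"}},
    {"roleId": "resource-manager.clouds.member",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "admin", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
]

SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}
# Roles this page says cannot be assigned to a system group.
NOT_ASSIGNABLE_TO_SYSTEM = {"resource-manager.clouds.owner", "resource-manager.clouds.member"}
# Roles this page's alert warns against giving a system group.
WIDE_ROLES = {"editor", "admin"}


def audit_system_group_bindings(bindings):
    """Return one finding per binding whose subject is a system group.

    Severity is 'error' for a role the API will not accept on a system group,
    'critical' for editor/admin (anyone can modify or manage the resource),
    and 'info' for other roles, so public read-style grants stay visible.
    Bindings for users and service accounts are out of scope and skipped.
    """
    findings = []
    for binding in bindings:
        subject, role = binding["subject"], binding["roleId"]
        if subject["type"] != "system" or subject["id"] not in SYSTEM_GROUPS:
            continue
        if role in NOT_ASSIGNABLE_TO_SYSTEM:
            severity, reason = "error", "role cannot be assigned to a system group"
        elif role in WIDE_ROLES:
            severity, reason = "critical", "system group can modify or manage the resource"
        else:
            severity, reason = "info", "public access; confirm the resource is meant to be public"
        # allUsers is broader than allAuthenticatedUsers: it also covers
        # requests that carry no identity at all.
        if subject["id"] == "allUsers":
            reason += " (allUsers includes unauthenticated requests)"
        findings.append({"severity": severity, "roleId": role,
                         "group": subject["id"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_system_group_bindings(BINDINGS):
        print(f"[{finding['severity']}] {finding['group']} -> {finding['roleId']}: {finding['reason']}")
```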