Adding a user to a cloud

  • Add a user with a Yandex account
  • Add federated users

To add users to the cloud, you need the admin or resource-manager.clouds.owner role for that cloud.

You can add users with a Yandex account and federated users.

Add a user with a Yandex account

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. On the Users and roles page, click Add user in the upper-right corner.
  3. Enter the user's Yandex email address.
  4. Click Add.

Note

To better safeguard your resources from unauthorized access, we recommend enabling two-factor authentication in Yandex.Passport. Use this method to secure your own account and ask every user you add to your cloud to enable two-factor authentication as well.

Add federated users

To add federated users, you need to know the users' Name IDs returned by the Identity Provider (IdP) server with the successful authentication response. This is usually the user's primary email address. If you don't know what the server returns as the Name ID, contact the administrator who configured authentication for your federation.

You can add federated users using the management console, the CLI, or the API.

To add identity federation users to the cloud in the management console:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Click the arrow next to the Add user button.
  3. Select Add federated users.
  4. Select the identity federation to add users from.
  5. List the Name IDs of users, separating them with line breaks.

To add identity federation users with the CLI: if you don't have the Yandex.Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View a description of the add user command:

    $ yc iam federation add-user-accounts --help
    
  2. Add users by listing their Name IDs separated by a comma:

    $ yc iam federation add-user-accounts --name my-federation \
      --name-ids=alice@example.com,bob@example.com,charlie@example.com
    

To add identity federation users to the cloud using the API:

  1. Create a file with the request body (for example, body.json). In the request body, specify the array of Name IDs of users you want to add:

    {
      "nameIds": [
        "alice@example.com",
        "bob@example.com",
        "charlie@example.com"
      ]
    }
    
  2. Send the request by specifying the Federation ID in the parameters:

    $ curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer <IAM token>" \
      -d '@body.json' \
      "https://iam.api.cloud.yandex.net/iam/v1/saml/federations/<federation ID>:addUserAccounts"
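
A pre-flight check for the Name ID list used in the CLI and API steps above, as an added example that is not part of the original documentation. It takes a line-separated list (the format the management console accepts), holds back entries that need manual review, and produces both the `nameIds` request body and the comma-separated `--name-ids` argument. The function names, the sample list and the rule that case-only variants are held back are assumptions made for this example.

```python
import json


def parse_name_ids(text):
    """Split a line-separated Name ID list into (accepted, rejected).

    rejected holds (line_number, value, reason) tuples for manual review.
    """
    accepted, rejected = [], []
    seen_folded = {}  # case-folded value -> line where it was first accepted
    for lineno, raw in enumerate(text.splitlines(), 1):
        name_id = raw.strip()
        if not name_id:
            continue
        folded = name_id.casefold()
        if "," in name_id or any(ch.isspace() for ch in name_id):
            # A comma would be read as a separator in --name-ids; inner
            # whitespace usually means two entries ended up on one line.
            rejected.append((lineno, name_id, "contains comma or whitespace"))
        elif name_id in accepted:
            rejected.append((lineno, name_id, "duplicate"))
        elif folded in seen_folded:
            # Assumed policy: case-only variants are treated as likely typos.
            reason = f"differs only by case from line {seen_folded[folded]}"
            rejected.append((lineno, name_id, reason))
        else:
            accepted.append(name_id)
            seen_folded[folded] = lineno
    return accepted, rejected


def build_request_body(name_ids):
    """Return the JSON body for the addUserAccounts request (body.json)."""
    return json.dumps({"nameIds": name_ids}, indent=2)


def cli_argument(name_ids):
    """Return the comma-separated argument for add-user-accounts."""
    return "--name-ids=" + ",".join(name_ids)


# Constructed sample input, one Name ID per line.
SAMPLE = "\n".join([
    "alice@example.com", "  bob@example.com  ", "",
    "charlie@example.com, dave@example.com", "Alice@example.com",
    "bob@example.com",
])

if __name__ == "__main__":
    ok, held = parse_name_ids(SAMPLE)
    print(build_request_body(ok), cli_argument(ok), held, sep="\n")
```

Entries in the rejected list should be checked against what the IdP actually returns as the Name ID before they are added.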
    

What's next

  • Assign roles to the added users.
© 2021 Yandex.Cloud LLC