Questions and answers about Identity and Access Management
What is the Yandex Identity and Access Management service used for?
The IAM service controls access to resources and provides functionality for setting up access rights. You determine who should have rights to a certain resource and what these rights are, while IAM grants access according to the assigned rights.
IAM allows you to:
- Invite new users to the cloud and delete them from it.
- Manage access rights to resources by assigning and revoking roles.
- Create service accounts, i.e., special accounts used for managing Yandex.Cloud resources via the API.
- Get an IAM token that is required for authorization via the API.
Other Yandex.Cloud services use the IAM API to give you more control over access to their resources. For example, Yandex Compute Cloud provides an additional role, compute.images.user, to control access to disk images.
How do I get started with IAM?
To start working with IAM, you need to register with Yandex.Cloud. After registration, you will be able to use the IAM features.
See Getting started with IAM to find out how to add a new user to your cloud and assign them a role.
How much does it cost to use IAM?
The IAM service can be used free of charge.
Logging in and accessing resources
How do I log in to the management console?
Go to the management console page.
If you are not logged in to your Yandex or Yandex.Connect account, click Log in. If you don't have an account yet, click Register. For more information, see the Yandex.Passport documentation.
How are access rights verified?
Before performing an operation with a resource, such as creating a VM, IAM checks whether the user has all the necessary permissions. If the user lacks any of the required permissions, the operation is not performed and Yandex.Cloud returns an error. For more information, see the section How access management in Yandex.Cloud works.
What is a resource?
A resource is a Yandex.Cloud entity that you can perform operations with, such as creating, updating, viewing, or deleting it. Examples of resources: VMs, disks, service accounts, clouds, and folders. For more information, see the section Hierarchy of Yandex.Cloud resources of the Resource Manager service documentation.
What is an access binding?
Access rights are set as a list of role-subject bindings, which are called access bindings. You can add or remove these bindings to control access rights to a resource. For more information, see Binding access rights.
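The two answers above (how access rights are verified, and what an access binding is) can be modelled locally as follows. This is an added example, not Yandex.Cloud code or the IAM API: the Resource class, the role example.vm.creator, the subject name and every permission name are assumptions made for illustration; only the role name compute.images.user comes from this page.

```python
# Added illustration: a local model of access bindings, not the IAM API.
from dataclasses import dataclass, field

# Hypothetical role -> permission mapping. Only the role name
# compute.images.user appears on this page; the permissions are constructed.
ROLE_PERMISSIONS = {
    "compute.images.user": {"images.get", "images.use"},
    "example.vm.creator": {"instances.create", "disks.create"},
}

class AccessDenied(Exception):
    def __init__(self, subject, missing):
        super().__init__(f"{subject} lacks: {', '.join(sorted(missing))}")
        self.missing = missing

@dataclass
class Resource:
    name: str
    bindings: set = field(default_factory=set)  # set of (role, subject) pairs

    def bind(self, role, subject):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.bindings.add((role, subject))

    def unbind(self, role, subject):
        self.bindings.discard((role, subject))

    def permissions_of(self, subject):
        # Union of the permissions of every role bound to this subject.
        granted = set()
        for role, bound_subject in self.bindings:
            if bound_subject == subject:
                granted |= ROLE_PERMISSIONS[role]
        return granted

    def authorize(self, subject, required):
        # All-or-nothing: one missing permission rejects the operation.
        missing = set(required) - self.permissions_of(subject)
        if missing:
            raise AccessDenied(subject, missing)
        return True

def demo():
    folder = Resource("constructed-folder")
    needs = {"instances.create", "disks.create", "images.use"}
    first_attempt = []
    folder.bind("example.vm.creator", "alice")
    try:
        folder.authorize("alice", needs)
    except AccessDenied as err:
        first_attempt = sorted(err.missing)
    folder.bind("compute.images.user", "alice")
    return first_attempt, folder.authorize("alice", needs)
```

Reporting the missing permissions, as AccessDenied does here, makes it easier to grant only the one role that closes the gap instead of a broader one.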