Getting started with IAM

In this guide, you will learn how to:

Before getting started

You must have the role of resource-manager.clouds.owner or admin for the cloud.

If you have no one to add to the cloud, you can create a new account on Yandex and grant access to the cloud to this account.

If you don't have a folder yet, create one:

  1. On the management console home page, click Create folder.

  2. Enter the folder name.

    The name may contain lowercase Latin letters, numbers, and hyphens. The first character must be a letter. The last character can't be a hyphen. The length of the name must be from 3 to 63 characters.

  3. Click Create folder.

Add a new user to the cloud

To grant another user access to your resources, add the user to your cloud:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. On the Users and roles page, click Add user in the upper-right corner.
  3. Enter the user's Yandex email address.
  4. Click Add.

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

This role must be assigned to everyone who needs to access cloud resources, except the owners of the cloud, service accounts, and the system group allAuthenticatedUsers.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.


To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.
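The role rules above can be checked across all users at once. The following is an added example, not code from Yandex Cloud or its CLI: it classifies each subject in a constructed list of role bindings into the access states this section describes. The tuple layout, subject-type labels, and user names are hypothetical, and it assumes editor and admin include everything viewer allows.

```python
MEMBER = "resource-manager.clouds.member"
OWNER = "resource-manager.clouds.owner"
# Assumption: editor and admin include everything viewer allows.
CLOUD_VIEW = {"viewer", "editor", "admin"}

# Constructed sample bindings: (scope, subject_type, subject_id, role).
# Layout, type labels and IDs are hypothetical, not real API output.
SAMPLE_BINDINGS = [
    ("cloud", "user", "alice", MEMBER),
    ("cloud", "user", "alice", "viewer"),
    ("folder:dev", "user", "alice", "editor"),
    ("cloud", "user", "bob", MEMBER),
    ("folder:dev", "user", "bob", "editor"),
    ("cloud", "user", "carol", MEMBER),
    ("folder:dev", "user", "dave", "viewer"),
    ("cloud", "user", "erin", OWNER),
    ("folder:dev", "serviceAccount", "ci-bot", "editor"),
]

def classify(bindings):
    """Map each subject to the access state described in the guide."""
    cloud, nested, kinds = {}, {}, {}
    for scope, kind, subject, role in bindings:
        kinds[subject] = kind
        target = cloud if scope == "cloud" else nested
        target.setdefault(subject, set()).add(role)
    result = {}
    for subject, kind in kinds.items():
        c = cloud.get(subject, set())
        n = nested.get(subject, set())
        if kind != "user" or OWNER in c:
            result[subject] = "exempt"          # owners, service accounts, system groups
        elif MEMBER not in c:
            result[subject] = "missing-member"  # has roles but lacks cloud membership
        elif c & CLOUD_VIEW:
            result[subject] = "console"         # member + viewer (or higher) on the cloud
        elif n or (c - {MEMBER}):
            result[subject] = "api-cli-only"    # member + roles the console cannot use
        else:
            result[subject] = "member-only"     # member role alone permits no operations
    return result

if __name__ == "__main__":
    for subject, state in sorted(classify(SAMPLE_BINDINGS).items()):
        print(f"{subject}: {state}")
```

Subjects reported as missing-member or member-only are the ones to review: the first holds roles without the required cloud membership, the second holds a membership that grants nothing on its own.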

Assign a user a role for the cloud

To grant a user access to view resources in your cloud, assign the user the role of viewer:

  1. Select the user to assign the role to, click the icon, and choose Configure roles.

  2. In the Roles for the cloud section, click the icon.
  3. Choose the role of viewer.

Assign a user a role for a folder

To allow a user to create resources in a folder, assign the user the role of editor for this folder:

  1. If you have closed the window with the role settings, open it again.
  2. Select a folder in the Roles in folders section and click the icon.
  3. Choose the role of editor.

Revoke assigned roles

  1. If you have closed the window with the role settings, open it again.
  2. Click x next to each role you would like to revoke.


If the user doesn't have any more roles for your cloud, this user disappears from the list.

If you want to revoke all roles at once, delete the user from your cloud.