Getting started with IAM

In this guide, you will learn how to:

Before getting started

You must have the role of resource-manager.clouds.owner or admin for the cloud.

If you have no one to add to the cloud, you can create a new account on Yandex and grant access to the cloud to this account.

If you don't have a folder yet, create one:

  1. Click Create folder in the Home page of the management console.

  2. Enter the folder name.

    The name must be unique within the folder. The name may contain lowercase Latin letters, numbers, and hyphens. The first character must be a letter. The last character can't be a hyphen. The maximum length of the name is 63 characters.

  3. Select Create a default network. A network is created with subnets in each availability zone.

  4. Click Create folder.

Add a new user to the cloud

To grant another user access to your resources, add the user to your cloud:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. On the Users and roles page, click Add user in the upper-right corner.
  3. Enter the user's Yandex email address.
  4. Click Add.

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.


To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.

Assign the user a role for the cloud

To grant a user access to view resources in your cloud, assign them the viewer role:

  1. Select the user to assign the role to, click image, and choose Configure roles.

  2. In the Roles for the cloud click image.
  3. Choose the viewer role.

Assign a user a role for a folder

To allow a user to create resources in a folder, assign them the editor role for that folder:

  1. If you closed the window with role settings, open it again.
  2. Select a folder in the Roles in folders section and click image.
  3. Choose the editor role.

Revoke assigned roles

  1. If you closed the window with role settings, open it again.
  2. Click x next to each role you would like to revoke.


If the user doesn't have any more roles for your cloud, this user disappears from the list.

If you want to revoke all roles at once, delete the user from your cloud.

See also