Getting started with IAM

In this guide, you will learn how to:

Before getting started

You must have the role of resource-manager.clouds.owner or admin for the cloud.

If you have no one to add to the cloud, you can create a new account on Yandex and grant access to the cloud to this account.

If you don't have a folder yet, create one:

  1. In the management console, click Create folder.

  2. Enter the folder name.

    The name may contain lowercase Latin letters, numbers, and hyphens. The first character must be a letter. The last character can't be a hyphen. The length of the name must be from 3 to 63 characters.

  3. Click Create folder.

Add a new user to the cloud

To grant another user access to your resources, add the user to your cloud:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. On the Users and roles page, click Add user in the upper-right corner.
  3. Enter the user's Yandex email address.
  4. Click Add.

When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member.

This role must be assigned to everyone who needs to access cloud resources, except the owners of the cloud, service accounts, and system group allAuthenticatedUsers.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

Important

To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.
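The role combinations described above can be checked as an access review. The following is an added example, not part of the original guide or Yandex tooling: it classifies each user account by what its roles allow. The binding shape (roleId plus a subject with id and type), the status labels, the sample accounts, and the treatment of admin and editor on the cloud as covering viewer are assumptions.

```python
# Added example: review access bindings against the cloud member role rules.
MEMBER = "resource-manager.clouds.member"
OWNER = "resource-manager.clouds.owner"
# Assumption: admin and editor on the cloud also cover what viewer allows.
CONSOLE_ROLES = {"viewer", "editor", "admin"}

def review_access(cloud_bindings, folder_bindings):
    """Classify each user account by what its combination of roles allows."""
    cloud_roles, nested_roles = {}, {}
    for target, bindings in ((cloud_roles, cloud_bindings), (nested_roles, folder_bindings)):
        for b in bindings:
            subject = b["subject"]
            # Service accounts and system groups are exempt from the member role.
            if subject["type"] != "userAccount":
                continue
            target.setdefault(subject["id"], set()).add(b["roleId"])

    findings = {}
    for user in sorted(set(cloud_roles) | set(nested_roles)):
        on_cloud = cloud_roles.get(user, set())
        other = (on_cloud - {MEMBER}) | nested_roles.get(user, set())
        if OWNER in on_cloud:
            findings[user] = "owner"                       # owners need no member role
        elif MEMBER not in on_cloud:
            findings[user] = "missing-member-role"         # other roles, but no member role
        elif not other:
            findings[user] = "member-only-no-permissions"  # member role alone grants nothing
        elif on_cloud & CONSOLE_ROLES:
            findings[user] = "console-and-api"             # member + viewer on the cloud
        else:
            findings[user] = "api-cli-only"                # roles only on nested resources
    return findings

# Constructed sample data (assumed binding shape, not real accounts).
def binding(role, subject_id, subject_type="userAccount"):
    return {"roleId": role, "subject": {"id": subject_id, "type": subject_type}}

SAMPLE_CLOUD = [
    binding(OWNER, "user-owner"), binding("viewer", "user-dave"),
    binding(MEMBER, "user-alice"), binding("viewer", "user-alice"),
    binding(MEMBER, "user-bob"), binding(MEMBER, "user-carol"),
    binding("editor", "sa-deploy", "serviceAccount"),
]
SAMPLE_FOLDERS = [binding("editor", "user-alice"), binding("editor", "user-bob")]

if __name__ == "__main__":
    for user, status in review_access(SAMPLE_CLOUD, SAMPLE_FOLDERS).items():
        print(f"{user}: {status}")
```

Accounts reported as member-only-no-permissions or missing-member-role are the ones to follow up on during a periodic access review.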

Assign a user a role for the cloud

To grant a user access to view resources in your cloud, assign the user the role of viewer:

  1. Open the Users and roles page.
  2. Select the user to assign the role to and click Configure roles.
  3. Click Assign role in the Roles for the cloud section.
  4. Choose the role of viewer.

Assign a user a role for a folder

To allow a user to create resources in a folder, assign the user the role of editor for this folder:

  1. Open the Users and roles page.
  2. Select the user to assign the role to and click Configure roles.
  3. Select a folder in the Roles in folders section and click Assign role.
  4. Choose the role of editor.
  5. Click the Close button.

Revoke assigned roles

  1. Open the Users and roles page.
  2. Select the user you want to revoke roles from and click Configure roles.
  3. Click x next to each role you would like to revoke.
  4. Click the Close button.

Note

If the user doesn't have any more roles for your cloud, this user disappears from the list.

If you want to revoke all roles at once, delete the user from your cloud.