Access management

Yandex.Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If the user has no roles assigned, all operations are forbidden.

To allow access to Yandex Identity and Access Management resources (service accounts and their access keys), assign the user the appropriate roles from the list below. You can assign a role for a specific service account, for the folder hosting the account, or for the entire cloud: access rights are inherited in Yandex Cloud.

Note

For more information about role inheritance, see Access rights inheritance in the Yandex Resource Manager documentation.

Assigning roles

To assign a user a role for the cloud or folder:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, open the user's action menu, and choose Configure roles.

  3. To add a cloud role, click the add icon in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

Roles

The list below shows all roles that are considered when verifying access rights in the IAM service.

Service roles

Service roles are roles that allow access to the resources of a particular service. When checking IAM resource access rights, Resource Manager service roles are also taken into account.

Identity and Access Management

iam.serviceAccounts.user

The iam.serviceAccounts.user role means that the user has the right to use service accounts. This role is necessary when the user asks the service to perform operations on behalf of a service account.

For example, when creating a group of virtual machines, you specify a service account, and IAM checks that you have permission to use that account.

The following permissions are included in the iam.serviceAccounts.user role:

  • Get a list of service accounts
  • Get information about a service account
  • Use the service account to perform operations on its behalf

These permissions are also included in the editor, admin, and resource-manager.clouds.owner roles.

Resource Manager

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

This role must be assigned to everyone who needs to access cloud resources, except cloud owners, service accounts, and the allAuthenticatedUsers system group.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

Important

To enable a user to work in the cloud through the management console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.

resource-manager.clouds.owner

The role of resource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role or remove it from them.

A cloud must have at least one owner. The sole owner of a cloud cannot give up this role.

Primitive roles

You can assign primitive roles to any resource in any service.

viewer

A user with the viewer role can view information about resources, for example, get the list of access keys for a service account.

editor

A user with the editor role can manage any resources, for example, create a service account or its access keys.

In addition, the editor role includes all permissions of the viewer role.

admin

A user with the admin role can manage access rights to resources, for example, grant other users the right to view service accounts and their details.

In addition, the admin role includes all permissions of the role of editor.
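To make the rules above concrete, here is a small model of how the role assignments from the procedure earlier on this page and the role descriptions in this section combine. It is an added example, not Yandex Cloud's own code or API: the hierarchy is cloud -> folder -> service account, bindings at any level are inherited by everything below, and each role is reduced to the permissions this page names (real roles carry many more). The permission identifiers, subject names and resource names are made up for the illustration.

```python
"""Toy model of the access checks this page describes (added example, not Yandex Cloud
code). Hierarchy: cloud -> folder -> service account; roles assigned higher up are
inherited. Role contents are limited to what the page states."""
from dataclasses import dataclass, field
from typing import Optional

# Illustrative permission identifiers (not Yandex Cloud's real permission names).
SA_LIST, SA_GET, SA_USE = "sa.list", "sa.get", "sa.use"
SA_CREATE, KEYS_LIST, KEYS_CREATE = "sa.create", "sa.keys.list", "sa.keys.create"
ACCESS_UPDATE = "access.update"

OWNER, MEMBER = "resource-manager.clouds.owner", "resource-manager.clouds.member"

# Role -> permissions as the page describes them: clouds.member alone grants nothing,
# viewer < editor < admin nest, and the cloud owner can do anything.
ROLES = {
    MEMBER: set(),
    "iam.serviceAccounts.user": {SA_LIST, SA_GET, SA_USE},
    "viewer": {SA_LIST, SA_GET, KEYS_LIST},
}
ROLES["editor"] = ROLES["viewer"] | {SA_CREATE, KEYS_CREATE, SA_USE}
ROLES["admin"] = ROLES["editor"] | {ACCESS_UPDATE}
ROLES[OWNER] = ROLES["admin"]


@dataclass
class Resource:
    id: str
    kind: str                                   # "cloud", "folder" or "service-account"
    parent: Optional["Resource"] = None
    bindings: set = field(default_factory=set)  # {(subject, role_id)}

    def chain(self):
        """The resource itself, then its parents up to the cloud."""
        r = self
        while r is not None:
            yield r
            r = r.parent


def effective_roles(subject, resource):
    """Roles inherited down the hierarchy: a role on the cloud or folder applies here."""
    return {role for r in resource.chain() for s, role in r.bindings if s == subject}


def has_permission(subject, resource, permission):
    return any(permission in ROLES[role] for role in effective_roles(subject, resource))


def owners(cloud):
    return {s for s, role in cloud.bindings if role == OWNER}


def add_binding(resource, actor, subject, role_id):
    """actor grants role_id on resource. Granting needs admin rights on the resource
    (inherited rights count); granting clouds.owner needs actor to be a cloud owner."""
    cloud = list(resource.chain())[-1]
    if role_id == OWNER and (resource.kind != "cloud" or actor not in owners(cloud)):
        raise PermissionError("only a cloud owner can assign clouds.owner, on the cloud")
    if role_id != OWNER and not has_permission(actor, resource, ACCESS_UPDATE):
        raise PermissionError(f"{actor} cannot manage access on {resource.id}")
    resource.bindings.add((subject, role_id))


def remove_binding(resource, actor, subject, role_id):
    """Mirror of add_binding; a cloud must always keep at least one owner."""
    cloud = list(resource.chain())[-1]
    if role_id == OWNER:
        if actor not in owners(cloud):
            raise PermissionError("only a cloud owner can remove clouds.owner")
        if owners(cloud) == {subject}:
            raise ValueError("a cloud must have at least one owner")
    elif not has_permission(actor, resource, ACCESS_UPDATE):
        raise PermissionError(f"{actor} cannot manage access on {resource.id}")
    resource.bindings.discard((subject, role_id))


def console_ready(subject, cloud):
    """The page's rule for console use: clouds.member AND viewer on the cloud itself."""
    direct = {role for s, role in cloud.bindings if s == subject}
    return {MEMBER, "viewer"} <= direct


def demo():
    """Constructed scenario: alice owns the cloud; bob joins as a member and gets
    iam.serviceAccounts.user on one folder, which the folder's service account inherits."""
    cloud = Resource("cloud-1", "cloud", bindings={("alice", OWNER)})
    folder = Resource("folder-a", "folder", parent=cloud)
    sa = Resource("sa-deploy", "service-account", parent=folder)
    add_binding(cloud, "alice", "bob", MEMBER)
    add_binding(folder, "alice", "bob", "iam.serviceAccounts.user")
    return cloud, folder, sa
```

The scenario in demo() reproduces the Important note above: bob can use the folder's service account through the API or CLI, but console_ready() stays False until he also holds viewer on the cloud itself, and no folder-level role changes that.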