Identity and access management

Yandex Cloud users can only apply those operations to resources that are allowed by their assigned roles. As long as the user has no roles assigned, no operations are allowed.

To allow access to the Yandex Identity and Access Management service resources (service accounts and their access keys), assign appropriate roles to the user from the list below. You can assign a user a role for the service account, the folder hosting the account, or the entire cloud: access rights are inherited in Yandex Cloud.


For more information about role inheritance, see Access rights inheritance in the Yandex Resource Manager service documentation.

Assign roles

To assign a user a role for the cloud or folder:

  1. In the management console, click and go to Access management.

  2. Select the tab Users and roles.

  3. In the line with the appropriate user name, click Configure roles.

  4. To add a role in a cloud, click Assign role in the Roles for the cloud section.

    To add a role for a folder, select the folder and click Assign role in the Roles for folders section.

  5. Select the desired role from the list. For more information about roles, see Roles in the documentation on the service Yandex Identity and Access Management.


Below is a list of all roles that are used for verifying access rights in the IAM service.

Service roles

Service roles are roles that allow access to the resources of a particular service. When resource access rights are checked, IAM service roles are taken into accountResource Manager.


When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member.

This role is necessary for accessing cloud resources to everyone except the owners of the cloud and system group allAuthenticatedUsers.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.


To enable a user to work in the cloud through the Management Console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.


Role resource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operations with the cloud and the resources in it.

Only the cloud owner can assign to or remove from the users the role resource-manager.clouds.owner.

The cloud must have at least one owner. The only owner of the cloud cannot remove this role from oneself.

Common roles

You can assign common roles to any resource in any service.


A user with the role of viewer can view information about resources, for example, get a list of access keys for a service account.


A user with the role of editor can manage any resources, for example, create a service account or its access keys.

In addition, the role editor includes all permissions of the role viewer.


A user with the role of admin can manage access rights to resources, for example, allow other users to view service accounts or view information about them.

In addition, the role admin includes all permissions of the role of editor.