Access management

In this section, you'll learn:

  • About access management
  • What resources you can assign roles to
  • What roles exist in the service
  • What roles do I need

About access management

All transactions in Yandex.Cloud are checked by the Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.

To grant permission to a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, service account, or system group. For more information, see How access management in Yandex.Cloud works.

What resources you can assign roles to

As with other services, you can assign roles for clouds, folders, and service accounts. Roles assigned for a cloud or folder also apply to all resources nested in it.

What roles exist in the service

The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.

[Diagram: role hierarchy in the service, showing which roles inherit the permissions of which others]

Active roles in the service:

  • Service roles:
    • resource-manager.clouds.owner: Grants you full access to the cloud and the resources in it. You can only assign this role for a cloud.

    • resource-manager.clouds.member: The role needed to perform any operation in the cloud on behalf of a Yandex account. The role is assigned automatically when a user is added to the cloud. You can only assign this role for a cloud.

  • Primitive roles:
    • viewer: Only lets you view information about the resources.

    • editor: Lets you manage resources (create, edit, and delete).

    • admin: Lets you manage resources and access to them (assign, update, and view roles on the resource).

What roles do I need

The table below lists the roles needed to perform a given action. You can always assign a role granting more permissions than the role specified. For example, you can assign editor instead of viewer.

| Action | Methods | Required roles |
| --- | --- | --- |
| View data | | |
| View information about any resource | get, list, listOperations | viewer for this resource |
| Manage load balancers | | |
| Create load balancers in a folder | create | editor for the folder and specified target groups |
| Update and delete load balancers | update, delete | editor for the load balancer and specified target groups |
| Attach and detach target groups | attachTargetGroup, detachTargetGroup | editor for the load balancer and specified target groups |
| Get states of target groups | getTargetStates | viewer for the load balancer and specified target groups |
| Add and remove listeners | addListener, removeListener | editor for the load balancer |
| Stop and start a load balancer | stop, start | editor for the load balancer |
| Manage target groups | | |
| Create target groups in a folder | create | editor for the folder and specified subnets |
| Update and delete target groups | update, delete | editor for the target group, load balancer, and specified subnets |
| Add and remove resources in a target group | addTargets, removeTargets | editor for the target group, load balancer, and specified subnets |
| Manage resource access | | |
| Assign a role, revoke a role, and view roles granted for the resource | setAccessBindings, updateAccessBindings, listAccessBindings | admin for the resource |
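The table and the role diagram combine in a way that is easy to get wrong when reviewing access: a method may require a role on several resources at once (the load balancer and every target group involved), a stronger role satisfies a weaker requirement, and a role granted on a folder or cloud is inherited by nested resources. The following script is an added example, not Yandex.Cloud's own code, that models exactly those three rules so that a reviewer can check whether a given subject's bindings are sufficient for a method and, if not, which (role, resource) pairs are missing. All resource ids, subject names and bindings are constructed sample data; the assumption that resource-manager.clouds.owner behaves as a superset of admin on everything in the cloud is mine, based on the "full access to the cloud" wording above.

```python
# Added example (not Yandex.Cloud code): resolve the required-roles table above
# against role inheritance and nested resources. All ids below are constructed.

# Role inheritance from the diagram: editor includes viewer, admin includes editor.
ROLE_INCLUDES = {
    "viewer": set(),
    "editor": {"viewer"},
    "admin": {"editor"},
    # Assumption: the cloud owner role is treated as including admin on every
    # resource in the cloud ("full access to the cloud and the resources in it").
    "resource-manager.clouds.owner": {"admin"},
}


def expand_roles(roles):
    """Transitive closure of a set of roles under the inheritance rules."""
    expanded, pending = set(), list(roles)
    while pending:
        role = pending.pop()
        if role not in expanded:
            expanded.add(role)
            pending.extend(ROLE_INCLUDES.get(role, ()))
    return expanded


# Constructed resource tree (child -> parent). Roles on a cloud or folder
# apply to everything nested under it.
PARENT = {"folder-a": "cloud-1", "lb-1": "folder-a", "tg-1": "folder-a", "tg-2": "folder-a"}


def scope_chain(resource):
    """The resource itself, then its folder, then its cloud."""
    chain = [resource]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain


def effective_roles(bindings, subject, resource):
    """Roles the subject holds on a resource, including inherited and implied ones."""
    direct = set()
    for scope in scope_chain(resource):
        direct |= bindings.get((subject, scope), set())
    return expand_roles(direct)


# Requirements per method, taken from the table above: each entry turns the
# resources involved into a list of (role, resource) pairs that must ALL hold.
REQUIRED = {
    # "create" here is load balancer creation: editor for the folder and target groups
    "create": lambda folder, target_groups=(), **_:
        [("editor", folder)] + [("editor", t) for t in target_groups],
    "attachTargetGroup": lambda load_balancer, target_groups, **_:
        [("editor", load_balancer)] + [("editor", t) for t in target_groups],
    "getTargetStates": lambda load_balancer, target_groups, **_:
        [("viewer", load_balancer)] + [("viewer", t) for t in target_groups],
    "addListener": lambda load_balancer, **_: [("editor", load_balancer)],
    "setAccessBindings": lambda resource, **_: [("admin", resource)],
}


def check_access(bindings, subject, method, **resources):
    """Return (allowed, missing): missing lists the (role, resource) pairs the subject lacks."""
    missing = [
        (role, res)
        for role, res in REQUIRED[method](**resources)
        if role not in effective_roles(bindings, subject, res)
    ]
    return (not missing, missing)


# Constructed bindings: (subject, resource) -> roles assigned directly on that resource.
BINDINGS = {
    ("alice", "folder-a"): {"editor"},
    ("bob", "folder-a"): {"viewer"},
    ("sa-deploy", "lb-1"): {"admin"},            # admin on the balancer only, nothing on target groups
    ("owner", "cloud-1"): {"resource-manager.clouds.owner"},
}

if __name__ == "__main__":
    for subject in ("alice", "bob", "sa-deploy", "owner"):
        ok, missing = check_access(BINDINGS, subject, "attachTargetGroup",
                                   load_balancer="lb-1", target_groups=("tg-1",))
        print(f"{subject:10} attachTargetGroup -> {'allowed' if ok else 'denied, missing ' + str(missing)}")
```

The `sa-deploy` case is the one worth noticing: admin on the load balancer alone is not enough to attach a target group, because the table also requires editor on the target group, so the minimal fix is an editor binding on tg-1 (or on its folder), not a broader role on the balancer.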

What's next