Access management

Yandex.Cloud users can only perform operations on resources that are permitted under the roles assigned to them. If the user has no roles assigned, all operations are forbidden.

To allow access to resources in Yandex Message Queue, assign the required roles to the user from the list below. For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.


For more information about role inheritance, see the section Inheritance of access rights in the Resource Manager documentation.

Assigning roles

To manage message queues, the user must have the appropriate permissions in the cloud and folders where operations will be performed.

To grant the user permissions:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click image, and choose Configure roles.

  3. To add a cloud role, click image in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.


The list below shows all roles that are considered when verifying access rights in the YMQ service.


When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.


Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.


Users with the viewer role can view lists of cloud message queues and messages.


Users with the editor role can perform any operations on message queues and messages.

The editor role also includes all viewer role permissions.


Users with the admin role can manage resource access rights, such as allowing other users to create message queues and messages or view their details.

The admin role also includes all editor role permissions.

See also

Hierarchy of Yandex.Cloud resources