Hierarchy of Yandex.Cloud resources

When you get access to Yandex.Cloud, you are allocated a separate workspace: a cloud. This is where you will create folders.

Folders contain resources such as virtual machines, disks, and others. When you create a resource, you specify a folder where it is created. Nested folders are not supported for now.

Resource Manager provides the standard resource model shown in the following image. This model is used in most of the Yandex.Cloud services.


All resources inside the cloud are isolated from outside users by default. The cloud owner can manage access rights for the cloud and its resources.

Resource access rights are inherited within the cloud. Rights to access the cloud apply to all resources within the cloud. Folder access rights apply to all resources in the folder. For more information, see Inheritance of access rights.

Some types of resources are not created in folders, so they have a separate logic for verifying access rights. For example, when a user manages access keys for a service account, the rights to access this service account are verified.

Clouds as a Yandex.Cloud resource

A cloud is an isolated space where folders are created.

When a resource is created within the cloud, no one except the cloud members and owners may access the resource.

Cloud owner

When a cloud is created, an owner is assigned to it. The cloud owner is the user assigned the resource-manager.clouds.owner role for this cloud.

The owner can perform any operation with the cloud and its resources.

The owner can grant access to the cloud to other users: assign roles or revoke them. For example, the owner can appoint other cloud owners or denounce their owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

Cloud member

The cloud member is a user assigned the resource-manager.clouds.member role for this cloud.

The user needs the cloud member role to perform operations with cloud resources, except for resources that allow public access.

For example, if a cloud member is assigned the editor role for a folder inside the cloud, such user can create resources in that folder. If the cloud member role is revoked for a user, the user can no longer perform any operations.

The resource-manager.clouds.member role itself doesn't grant any rights to handle resources. This role is used in combination with other roles.


The resource-manager.clouds.member role isn't necessary for cloud owners and service accounts.

Public access to the cloud

You can make your cloud (and any of its resources) public by assigning a role to the system group. Then to access a resource, you don't have to be a cloud member. You just need to know the resource ID. Learn more about system groups.

Folders as a Yandex.Cloud resource

A folder is an isolated space where Yandex.Cloud resources are created and grouped.

Just like folders in your file system, folders in Yandex.Cloud make resource management easier for you. You can group your resources into folders by the resource type, project, department that uses those resources, or any other criteria of your choice.

You can manage access rights for all resources in the folder at once. Let's say your company has employees working with virtual machines only. You can create a folder containing virtual machines only and grant employees access to this folder.

You can view the contents of the folder in the management console. To find out which folder hosts a given resource, use the API or CLI Get method for this resource (the get command in the CLI).

Inheritance of access rights

When a user (subject) performs an operation with a resource, Yandex Identity and Access Management (IAM) service checks whether the user has the applicable access rights for this resource.

Rights to access resources inside the cloud are inherited based on the following hierarchy: Cloud → Folder → Resource.

For example: in the mycloud cloud, the robots folder contains the Alice and Bob service accounts.

If a mycloud user is assigned the resource-manager.clouds.member and viewer roles, the user can list all the folders in the cloud and view their contents.

If a user is assigned the editor role for Alice, the user can manage Alice, but not Bob.

If a user is assigned the admin role for the robots folder, this user gets administrator permission to manage this folder and all its resources, including Alice and Bob.

You can't assign roles for some resources because all their permissions are inherited from the folder. For example, currently you can't assign a role for a virtual machine. When someone tries to obtain information about the virtual machine, IAM checks their access rights for the folder hosting this virtual machine. If access rights have not been set for the folder, IAM checks that the subject has the applicable access rights for this cloud.

See also