Setting up cloud access rights
To grant a user access to all the cloud resources, assign them a role for that cloud.
Assign a role for the cloud
-
Open the Access management page for the selected cloud. If necessary, switch to another cloud.
-
Select the user to assign the role to, click
, and choose Configure roles. - Click the
in the Roles for the cloud section. - Select a role from the list.
-
See the description of the command to assign a role for a cloud:
$ yc resource-manager cloud add-access-binding --help -
Select a cloud (for example,
my-cloud):$ yc resource-manager cloud list +----------------------+----------+ | ID | NAME | +----------------------+----------+ | b1gg8sgd16g7qca5onqs | my-cloud | +----------------------+----------+ -
Choose a role:
$ yc iam role list +--------------------------------+-------------+ | ID | DESCRIPTION | +--------------------------------+-------------+ | admin | | | compute.images.user | | | editor | | | ... | | +--------------------------------+-------------+ -
Find out the user's ID from the login or email address. To assign a role to a service account or system group instead of a user, see the examples below.
$ yc iam user-account get test-user id: gfei8n54hmfhuk5nogse yandex_passport_user_account: login: test-user default_email: test-user@yandex.ru -
Assign the
editorrole for themy-cloudcloud to a user namedtest-user. In the subject, specify theuserAccounttype and user ID:$ yc resource-manager cloud add-access-binding my-cloud \ --role editor \ --subject userAccount:gfei8n54hmfhuk5nogse
Use the updateAccessBindings method for the Cloud resource. You will need the cloud ID and the ID of the user who is assigned the role for the cloud.
-
Find out the cloud ID using the list method:
$ curl -H "Authorization: Bearer <IAM-TOKEN>" \ https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds { "clouds": [ { "id": "b1gg8sgd16g7qca5onqs", "createdAt": "2018-09-23T12:14:45Z", "name": "cloud-b1gg8sgd16g7qc" } ] } -
Find out the user ID from the login using the getByLogin method:
$ curl -H "Authorization: Bearer <IAM-TOKEN>" \ https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user { "id": "gfei8n54hmfhuk5nogse", "yandexPassportUserAccount": { "login": "test-user", "defaultEmail": "test-user@yandex.ru" } } -
Assign the user the
editorrole for themy-cloudcloud. Set theactionproperty toADDand specify theuserAccounttype and user ID in thesubjectproperty:$ curl -X POST \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer <IAM-TOKEN>" \ -d '{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "gfei8n54hmfhuk5nogse", "type": "userAccount" }}}]}' \ https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings
Examples
Assign multiple roles
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-binding command.
Alert
The set-access-binding command completely rewrites the access rights to the resource. All current resource roles will be deleted.
-
Make sure the resource doesn't have any roles that you don't want to lose:
$ yc resource-manager cloud list-access-binding my-cloud -
For example, assign a role to multiple users:
$ yc resource-manager cloud set-access-bindings my-cloud \ --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
Assign the editor role to one user and the viewer role to another user:
$ curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "editor",
"subject": {
"id": "gfei8n54hmfhuk5nogse",
"type": "userAccount"
}
}
},{
"action": "ADD",
"accessBinding": {
"roleId": "viewer",
"subject": {
"id": "helj89sfj80aj24nugsz",
"type": "userAccount"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings
You can also assign roles using the setAccessBindings method.
Alert
The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindings": [{
"roleId": "editor",
"subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" }
},{
"roleId": "viewer",
"subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" }
}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:setAccessBindings
Cloud access for service accounts
A service account can only be assigned roles for the cloud that it belongs to.
Allow the test-sa service account to manage the my-cloud cloud and its resources:
-
Find out the ID of the
test-saservice account that you want to assign the role to. To do this, get a list of available service accounts:$ yc iam service-account list +----------------------+----------+------------------+ | ID | NAME | DESCRIPTION | +----------------------+----------+------------------+ | ajebqtreob2dpblin8pe | test-sa | test-description | +----------------------+----------+------------------+ -
Assign the
editorrole to thetest-saservice account by specifying its ID. In the subject type, specifyserviceAccount:$ yc resource-manager cloud add-access-binding my-cloud \ --role editor \ --subject serviceAccount:ajebqtreob2dpblin8pe
-
Find out the ID of the
test-saservice account that you want to assign the role to. To do this, get a list of available service accounts:$ curl -H "Authorization: Bearer <IAM-TOKEN>" \ https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yysaplct532 { "serviceAccounts": [ { "id": "ajebqtreob2dpblin8pe", "folderId": "b1gvmob95yysaplct532", "createdAt": "2018-10-18T13:42:40Z", "name": "test-sa", "description": "test-description" } ] } -
Assign the
editorrole for themy-cloudcloud to thetest-saservice account. In thesubjectproperty, specify theserviceAccounttype and thetest-saID. In the request URL, specify themy-cloudID:
$ curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "editor",
"subject": {
"id": "ajebqtreob2dpblin8pe",
"type": "serviceAccount"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings
Access to a resource for all users
You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.
You can assign any role to the system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign a system group the editor or admin role for a catalog or cloud. Otherwise, anyone who knows the folder ID can use Yandex.Cloud at your expense.
For instance, allow any authenticated user to view information about the my-cloud cloud and its resources:
Assign the viewer role to the allAuthenticatedUsers system group. In the subject type, specify system:
$ yc resource-manager cloud add-access-binding my-cloud \
--role viewer \
--subject system:allAuthenticatedUsers
Assign the viewer role to the allAuthenticatedUsers system group. In the subject property, specify the system type:
$ curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM-TOKEN>" \
-d '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "viewer",
"subject": {
"id": "allAuthenticatedUsers",
"type": "system"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7qca5onqs:updateAccessBindings