Setting up folder access rights

To grant a user access to all the folder resources, assign them a role for that folder.

Assign a role for a folder

Management console

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click the icon next to the user, and choose Configure roles.

  3. Select a folder in the Roles in folders section and click the icon.
  4. Select a role from the list.

CLI

  1. See the description of the command to assign a role for a folder:

    $ yc resource-manager folder add-access-binding --help
    
  2. Select a folder (for example, my-folder):

    $ yc resource-manager folder list
    +----------------------+-----------+--------+--------+
    |          ID          |   NAME    | LABELS | STATUS |
    +----------------------+-----------+--------+--------+
    | b1gd129pp9ha0vnvf5g7 | my-folder |        | ACTIVE |
    +----------------------+-----------+--------+--------+
    
  3. Choose a role:

    $ yc iam role list
    +--------------------------------+-------------+
    |               ID               | DESCRIPTION |
    +--------------------------------+-------------+
    | admin                          |             |
    | compute.images.user            |             |
    | editor                         |             |
    | ...                            |             |
    +--------------------------------+-------------+
    
  4. Find out the user's ID from the login or email address. To assign a role to a service account or group of users rather than one user, see the examples below.

    $ yc iam user-account get test-user
    id: gfei8n54hmfhuk5nogse
    yandex_passport_user_account:
        login: test-user
        default_email: test-user@yandex.ru
    
  5. Assign the editor role for the my-folder folder to a user named test-user. In the subject, specify the userAccount type and the user ID:

    $ yc resource-manager folder add-access-binding my-folder \
        --role editor \
        --subject userAccount:gfei8n54hmfhuk5nogse
    

API

Use the updateAccessBindings method for the Folder resource. You will need the folder ID and the ID of the user who is assigned the role for the folder.

  1. Find out the folder ID using the list method:

    $ curl -H "Authorization: Bearer <IAM-TOKEN>" \
        https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders?cloudId=b1gg8sgd16g7qca5onqs
    
    {
     "folders": [
      {
       "id": "b1g66mft1vopnevbn57j",
       "cloudId": "b1gd129pp9ha0vnvf5g7",
       "createdAt": "2018-10-17T12:44:31Z",
       "name": "my-folder",
       "status": "ACTIVE"
      }
     ]
    }
    
  2. Find out the user ID from the login using the getByLogin method:

    $ curl -H "Authorization: Bearer <IAM-TOKEN>" \
        https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
    
    {
     "id": "gfei8n54hmfhuk5nogse",
     "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
     }
    }
    
  3. Assign the editor role for the my-folder folder to the user. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

    $ curl -X POST \
        -H 'Content-Type: application/json' \
        -H "Authorization: Bearer <IAM-TOKEN>" \
        -d '{
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "gfei8n54hmfhuk5nogse",
                    "type": "userAccount"
        }}}]}' \
        https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha0vnvf5g7:updateAccessBindings
    

Examples

Assign multiple roles

Management console

Follow the instructions at the beginning of the section and assign multiple roles to the user.

To assign a role to another user, select the user from the Users and roles tab and click Configure roles.

CLI

The add-access-binding command adds only one role per call. To assign multiple roles at once, use the set-access-bindings command.

Warning

The set-access-bindings command completely rewrites the access rights to the resource. All current resource roles will be deleted.

  1. Make sure the resource doesn't have any roles that you don't want to lose:

    $ yc resource-manager folder list-access-bindings my-folder
    
  2. For example, assign a role to multiple users:

    $ yc resource-manager folder set-access-bindings my-folder \
        --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse \
        --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
    

API

Assign the editor role to one user and the viewer role to another user:

$ curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM-TOKEN>" \
    -d '{
    "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "gfei8n54hmfhuk5nogse",
                "type": "userAccount"
            }
        }
    },{
        "action": "ADD",
        "accessBinding": {
            "roleId": "viewer",
            "subject": {
                "id": "helj89sfj80aj24nugsz",
                "type": "userAccount"
    }}}]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha0vnvf5g7:updateAccessBindings

You can also assign roles using the setAccessBindings method.

Warning

The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.

$ curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM-TOKEN>" \
    -d '{
    "accessBindings": [{
        "roleId": "editor",
        "subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" }
    },{
        "roleId": "viewer",
        "subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" }
    }]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha0vnvf5g7:setAccessBindings

Folder access for a service account

In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.

Allow the service account to manage the folder and its resources:

Management console

  1. Select a folder.
  2. Go to the Service accounts tab.
  3. Click the icon next to the service account and select Edit service account.
  4. Click Add role and select a role.
  5. Click Save.
CLI

  1. Find out the service account ID by its name:

    $ yc iam service-account get my-robot
    id: aje6o61dvog2h6g9a33s
    folder_id: b1gvmob95yysaplct532
    created_at: "2018-10-15T18:01:25Z"
    name: my-robot
    

    If you don't know the name of the service account, get a list of service accounts with their IDs:

    $ yc iam service-account list
    +----------------------+------------------+-----------------+
    |          ID          |       NAME       |   DESCRIPTION   |
    +----------------------+------------------+-----------------+
    | aje6o61dvog2h6g9a33s | my-robot         | my description  |
    +----------------------+------------------+-----------------+
    
  2. Assign a role to the my-robot service account using its ID:

    $ yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject serviceAccount:aje6o61dvog2h6g9a33s
    
API

  1. Get the ID of the folder with service accounts.

  2. Get a list of folder service accounts to find out their IDs:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
        "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
    
    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2dpblin8pe",
       "folderId": "b1gvmob95yysaplct532",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "my-robot",
       "description": "my description"
      }
     ]
    }
    
  3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "ajebqtreob2dpblin8pe",
                    "type": "serviceAccount"
                }
            }
        }]
    }
    
  4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

Access to a resource for all users

You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.

You can assign any role to the system group, except resource-manager.clouds.owner and resource-manager.clouds.member.

Warning

Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex.Cloud at your expense.

For example, allow any authenticated user to view information about a folder and its resources:

CLI

Assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:

    $ yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject system:allAuthenticatedUsers

API

  1. Create a request body, for example, in a body.json file. In roleId, assign the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "ADD",
            "accessBinding": {
                "roleId": "viewer",
                "subject": {
                    "id": "allAuthenticatedUsers",
                    "type": "system"
                }
            }
        }]
    }
    
  2. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

    $ export FOLDER_ID=b1gvmob95yysaplct532
    $ export IAM_TOKEN=CggaATEVAgA...
    $ curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
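The two warnings in this section (set-access-bindings / setAccessBindings replacing every binding on the resource, and system groups never receiving editor or admin) as an added Python example that is not code from this page or from Yandex.Cloud: it works on the accessBindings / accessBindingDeltas JSON shapes shown above, merges the current binding list with additions so a set call cannot drop roles, builds idempotent ADD deltas for updateAccessBindings, and audits a binding list for the public grants the warning describes. The sample bindings are constructed and nothing here calls the API.

```python
# System groups from this page, and the roles the page says never to give them.
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}
FORBIDDEN_FOR_SYSTEM = {"editor", "admin", "resource-manager.clouds.owner",
                        "resource-manager.clouds.member"}

def binding(role, subject_type, subject_id):
    """One accessBinding in the shape this page's request bodies use."""
    return {"roleId": role, "subject": {"id": subject_id, "type": subject_type}}

def binding_key(b):
    """A binding is identified by (roleId, subject type, subject id)."""
    return (b["roleId"], b["subject"]["type"], b["subject"]["id"])

def is_risky(b):
    """True when a system group would receive a role the page warns against."""
    subj = b["subject"]
    return (subj["type"] == "system" and subj["id"] in SYSTEM_GROUPS
            and b["roleId"] in FORBIDDEN_FOR_SYSTEM)

def risky_bindings(bindings):
    """Audit a listAccessBindings result: the public grants to remove first."""
    return [b for b in bindings if is_risky(b)]

def set_body(current, additions):
    """Body for setAccessBindings that keeps every current binding and adds new ones.
    setAccessBindings replaces the whole list, so sending only the additions
    would delete every other role; merging with the current list avoids that."""
    merged = {binding_key(b): b for b in current}
    for b in additions:
        if is_risky(b):
            raise ValueError(f"refusing {b['roleId']} for {b['subject']['id']}")
        merged.setdefault(binding_key(b), b)
    return {"accessBindings": [merged[k] for k in sorted(merged)]}

def update_body(current, additions):
    """Body for updateAccessBindings: one ADD delta per binding not already present."""
    present = {binding_key(b) for b in current}
    deltas = []
    for b in additions:
        if is_risky(b):
            raise ValueError(f"refusing {b['roleId']} for {b['subject']['id']}")
        if binding_key(b) not in present:
            present.add(binding_key(b))
            deltas.append({"action": "ADD", "accessBinding": b})
    return {"accessBindingDeltas": deltas}

# Constructed sample of my-folder's current bindings (user ID taken from the page).
CURRENT = [binding("editor", "userAccount", "gfei8n54hmfhuk5nogse")]
```

Feed `set_body(...)` to the setAccessBindings endpoint and `update_body(...)` to updateAccessBindings with `-d '@body.json'` as in the steps above; run `risky_bindings` over the output of list-access-bindings before either call.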
    
