Identity and access management

This section lists the roles required for an account to perform operations with Object Storage resources. The following user categories can be granted access to Object Storage:

  • Users with a registered account in Yandex.Passport.
  • Yandex Identity and Access Management service accounts.


Resource access rights are inherited from the cloud and folder.

Assigning roles

To manage buckets and objects, the user must have the appropriate permissions in the cloud and folders where operations will be performed.

To assign the required roles to the user:

  1. In the management console, click and go to Access management.

  2. Select the Users and roles tab.

  3. In the line with the appropriate user name, click Configure roles.

  4. To add a role in a cloud, click Assign role in the Roles for the cloud section.

    To add a role for a folder, select the folder and click Assign role in the Roles for folders section.

  5. Select the desired role from the list. For more information about roles, see Roles in the Yandex Identity and Access Management documentation.

Permissions in Object Storage


When a new user is added to the cloud, they are automatically assigned the role of a cloud member: resource-manager.clouds.member.

Everyone except the cloud owners and the allAuthenticatedUsers system group needs this role to access cloud resources.

This role alone does not give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.


To enable a user to work in the cloud through the Management Console, assign them the resource-manager.clouds.member and viewer roles for the cloud. If you assign only the cloud member role for the cloud and other roles for the nested resources, the user will only be able to perform resource operations using the API or CLI.


The resource-manager.clouds.owner role is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operations with the cloud and the resources in it.

Only a cloud owner can assign the resource-manager.clouds.owner role to users or remove it from them.

The cloud must have at least one owner. The sole owner of a cloud cannot remove this role from themselves.


Users with the admin role can:

  • Perform any operations with buckets and objects in the folder: create, delete, and edit them.
  • Assign roles to other users.


Users with the editor role can perform any operations with buckets and objects in the folder: create, delete, and edit them.


Users with the viewer role can view lists of buckets and objects in the folder.
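
The role rules in this section can be applied as an access review over exported role bindings. The following Python code is an added example, not part of the Yandex documentation or tooling: it models only the rules stated on this page, and its function names, operation labels and sample bindings are hypothetical and constructed. It assumes that editor and admin include the viewer's listing permission and that a cloud owner has console access.

```python
MEMBER = "resource-manager.clouds.member"
OWNER = "resource-manager.clouds.owner"
# Operations each role allows on buckets and objects, as listed on this page.
# Assumption: editor and admin also include viewer's "list" permission.
ROLE_OPS = {
    "viewer": {"list"},
    "editor": {"list", "create", "edit", "delete"},
    "admin": {"list", "create", "edit", "delete", "assign_roles"},
}

def effective_access(cloud_roles, folder_roles):
    """Return (operations, console_access) for one user in one folder."""
    if OWNER in cloud_roles:
        return set(ROLE_OPS["admin"]), True  # assumption: owner also has console access
    if MEMBER not in cloud_roles:
        return set(), False  # without the member role, other roles are unusable
    ops = set()
    for role in cloud_roles | folder_roles:  # cloud roles are inherited by the folder
        ops |= ROLE_OPS.get(role, set())
    # Console needs member plus viewer (or a role that includes it) on the cloud.
    return ops, any(r in ROLE_OPS for r in cloud_roles)

def audit(bindings):
    """bindings: {user: {"cloud": set, "folders": {folder: set}}} -> findings."""
    findings = []
    for user, b in sorted(bindings.items()):
        for folder, roles in sorted(b["folders"].items()):
            ops, console = effective_access(b["cloud"], roles)
            if not ops and MEMBER not in b["cloud"]:
                findings.append((user, folder, "no cloud member role: other roles are ineffective"))
            elif not ops:
                findings.append((user, folder, "member only: no operations allowed"))
            elif not console:
                findings.append((user, folder, "API/CLI only: no viewer role on the cloud"))
            if "assign_roles" in ops:
                findings.append((user, folder, "can assign roles: review need for admin"))
    return findings

# Constructed sample bindings (user and folder names are hypothetical).
SAMPLE = {
    "alice": {"cloud": {MEMBER, "viewer"}, "folders": {"prod": {"editor"}}},
    "bob": {"cloud": {MEMBER}, "folders": {"prod": {"admin"}}},
    "carol": {"cloud": set(), "folders": {"prod": {"editor"}}},
    "dave": {"cloud": {MEMBER}, "folders": {"prod": set()}},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```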