Access management

This section lists the roles required for an account to perform operations with Object Storage resources. The following user categories can be granted access to Object Storage:

  • Users with a registered account in Yandex.Passport.
  • Service accounts managed in Yandex Identity and Access Management.


Resource access rights are inherited from the cloud and folder.

Assigning roles

To manage buckets and objects, the user must have the appropriate permissions in the cloud and folders where operations will be performed.

To assign the required roles to the user:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click the icon next to that user, and choose Configure roles.

  3. To add a cloud role, click the icon in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

Permissions in Object Storage


When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Every user except cloud owners and service accounts needs this role to access cloud resources.

On its own, this role does not grant the right to perform any operations; it is only used in combination with other roles, such as admin, editor, or viewer.


The resource-manager.clouds.owner role is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only a cloud owner can assign the resource-manager.clouds.owner role to other users.

A cloud must have at least one owner, so the sole owner of a cloud cannot give up this role.


Users with the admin role can:

  • Perform any operations with buckets and objects in the folder: create, delete, and edit them.
  • Assign roles to other users.


Users with the editor role can perform any operations with buckets and objects in the folder: create, delete, and edit them.


Users with the viewer role can view lists of buckets and objects in the folder.
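The following is an added example, not code from the Yandex Cloud documentation: a small Python model of how the roles described above combine across a cloud and its folders, including inheritance from the cloud and the rule that cloud membership alone grants nothing. The role names are the page's; the subjects, folder names and the Bindings structure are constructed for illustration.

```python
# Added example, not from the Yandex Cloud documentation: a model of how the
# page's roles combine across a cloud and its folders. Role names are the page's;
# the subjects, folder names and the Bindings structure are constructed here.
from dataclasses import dataclass, field

MEMBER = "resource-manager.clouds.member"
OWNER = "resource-manager.clouds.owner"

# Operations each role allows on buckets and objects, as the page describes them.
ROLE_OPERATIONS = {
    OWNER: {"list", "create", "edit", "delete", "assign_roles"},
    "admin": {"list", "create", "edit", "delete", "assign_roles"},
    "editor": {"list", "create", "edit", "delete"},
    "viewer": {"list"},
    MEMBER: set(),  # membership alone grants nothing; it only works with other roles
}

@dataclass
class Bindings:
    cloud: dict = field(default_factory=dict)    # subject -> roles on the cloud
    folders: dict = field(default_factory=dict)  # folder -> {subject -> roles}

def effective_roles(b, subject, folder):
    """Folder roles plus the roles inherited from the cloud the folder belongs to."""
    return set(b.cloud.get(subject, ())) | set(b.folders.get(folder, {}).get(subject, ()))

def can(b, subject, folder, operation):
    roles = effective_roles(b, subject, folder)
    # Users must be cloud members to reach any cloud resource; cloud owners and
    # service accounts are exempt from that requirement.
    needs_member = not subject.startswith("serviceAccount:") and OWNER not in roles
    if needs_member and MEMBER not in roles:
        return False
    return any(operation in ROLE_OPERATIONS.get(role, set()) for role in roles)

# Constructed sample bindings (subject and folder names are made up).
SAMPLE = Bindings(
    cloud={
        "user:alice": {MEMBER, "viewer"},  # viewer on the cloud, inherited by every folder
        "user:bob": {MEMBER},              # member only; rights come from folder bindings
        "user:dana": {OWNER},
    },
    folders={
        "photos": {"user:bob": {"editor"}, "user:carol": {"editor"},
                   "serviceAccount:backup": {"viewer"}},
        "logs": {"user:bob": {"admin"}},
    },
)

if __name__ == "__main__":
    for subj, folder, op in [("user:alice", "photos", "delete"), ("user:bob", "photos", "delete"),
                             ("user:carol", "photos", "create"), ("serviceAccount:backup", "photos", "list")]:
        print(f"{subj:22} {folder:7} {op:7} -> {can(SAMPLE, subj, folder, op)}")
```

Note that user:carol holds editor on the photos folder but is denied because no cloud membership binding exists for that user, while the service account is allowed with only a folder binding.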