Access management in Virtual Private Cloud
Virtual Private Cloud uses roles to manage access rights.
In this section, you will learn:
- Which resources you can assign a role for.
- Which roles exist in the service.
- Which roles are required for particular actions.
About access management
In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin
, resource-manager.clouds.owner
, or organization-manager.organizations.owner
role for a resource can assign roles for this resource.
Which resources you can assign a role for
As with other services, you can assign roles for clouds, folder and service accounts. The roles assigned for clouds and folders also apply to nested resources.
Which roles exist in the service
The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor
role includes all the permissions of viewer
. You can find the description of each role under the chart.
Service roles
vpc.auditor
The vpc.auditor
roles allows you to view service metadata, including information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
vpc.viewer
The vpc.viewer
role allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on the quotas and resource operations.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.auditor
permissions.
vpc.user
The vpc.user
role allows you to use cloud networks, subnets, route tables, gateways, security groups, and IP addresses, get information on these resources, as well as on the quotas and resource operations.
- View information on cloud networks and use them.
- View information on subnets and use them.
- View information on cloud resource addresses and use them.
- View information on route tables and use them.
- View information on security groups and use them.
- View information on NAT gateways and connect them to route tables.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.externalAddresses.user
The vpc.externalAddresses.user
role allows you to view the list of private and public addresses of the cloud resources; it also enables viewing info on such addresses, using them, and managing the external network connectivity.
vpc.admin
The vpc.admin
role allows you to manage cloud networks, subnets, route tables, NAT gateways, security groups, internal and public IP addresses, as well as external network connectivity.
- View information on cloud networks, as well as create, modify, and delete them.
- Configure external access to cloud networks.
- Manage connectivity of multiple cloud networks.
- Manage multi-interface instances that provide connectivity between multiple networks.
- View information on subnets, as well as create, modify, and delete them.
- View information on route tables, as well as create, modify, and delete them.
- Link route tables to subnets.
- View information on NAT gateways, as well as create, modify, and delete them.
- Connect NAT gateways to route tables.
- View information on security groups, as well as create, modify, and delete them.
- Create and delete default security groups in cloud networks.
- Create and delete security group rules, as well as edit their metadata.
- Configure DHCP in subnets.
- View information on cloud resource addresses, as well as create, update, and delete internal and public IP addresses.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.privateAdmin
, vpc.publicAdmin
, and vpc.securityGroups.admin
permissions.
vpc.bridgeAdmin
The vpc.bridgeAdmin
role allows you to use subnets and manage connectivity of multiple cloud networks. This role also allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.
- Manage connectivity of multiple cloud networks.
- View information on subnets and use them.
- Get a list of cloud networks and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.privateAdmin
The vpc.privateAdmin
role allows you to manage cloud networks, subnets, and route tables, as well as view information on the quotas, resources, and resource operations. This role also allows you to manage connectivity within Yandex Cloud, while it does not allow doing so from the internet.
- View information on cloud networks, as well as create, modify, and delete them.
- View information on subnets, as well as create, modify, and delete them.
- View information on route tables, as well as create, modify, and delete them.
- Link route tables to subnets.
- View information on security groups and create default security groups in cloud networks.
- Configure DHCP in subnets.
- View information on cloud resource addresses, as well as create internal IP addresses.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.publicAdmin
The vpc.publicAdmin
role allows you to manage NAT gateways, public IP addresses, and external network connectivity, as well as view information on the quotas, resources, and resource operations. This role grants administrator privileges for multi-interface instances that provide connectivity between multiple networks.
- View information on cloud networks and configure external access to them.
- Manage connectivity of multiple cloud networks.
- Manage multi-interface instances that provide connectivity between multiple networks.
- View information on subnets and modify them.
- View information on NAT gateways, as well as create, modify, and delete them.
- Connect NAT gateways to route tables.
- View information on cloud resource addresses, as well as create, update, and delete public IP addresses.
- View information on route tables, as well as link route tables to subnets.
- View information on security groups.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
You can assign a role for a cloud or folder. Important: If a network and subnet are in different folders, the vpc.publicAdmin
role is checked for the folder where the network is located.
vpc.gateways.viewer
The vpc.gateways.viewer
role allows you to view information on NAT gateways.
vpc.gateways.user
The vpc.gateways.user
role allows you to view information on NAT gateways and connect them to route tables.
vpc.gateways.editor
The vpc.gateways.editor
role allows you to create, modify, and delete NAT gateways, as well as connect them to route tables.
vpc.securityGroups.user
The vpc.securityGroups.user
role allows you to assign security groups to network interfaces and view information on the resources, quotas, and resource operations.
- Assign security groups to instance network interfaces.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.securityGroups.admin
The vpc.securityGroups.admin
role allows you to manage security groups and view information on the resources, quotas, and resource operations.
- View information on security groups, as well as create, modify, and delete them.
- Create and delete default security groups in cloud networks.
- Create and delete security group rules, as well as edit their metadata.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows managing (creating, editing, and deleting) resources.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see the Yandex Cloud role reference.
What roles do I need
The table below lists the roles needed to perform a particular action. You can always assign a role granting more permissions than the role specified. For example, assign editor
instead of viewer
or vpc.admin
instead of vpc.publicAdmin
.
Action | Methods | Required roles |
---|---|---|
View data | ||
View information about any resource | get , list , listOperations |
vpc.viewer or viewer for this resource |
List subnets in the network | listSubnets |
vpc.viewer or viewer for the network |
Use of resources | ||
Assign VPC resources to other Yandex Cloud resources (for example, assigning an address to an interface or connecting a network interface to a subnet) | Various | vpc.user for the resource and the right to change the receiving object if the resource assignment operation is mutating |
Assign or delete the public address of an interface | various | vpc.publicAdmin for the network |
Creating a VM connected to multiple networks | create |
vpc.publicAdmin for each network the VM is connecting to |
Manage resources | ||
Create networks in a folder | create |
vpc.privateAdmin or editor for the folder |
Update, and delete networks | update , delete |
vpc.privateAdmin or editor for the network |
Create subnets in a folder | create |
vpc.privateAdmin or editor for the folder and network |
Update and delete subnets | update , delete |
vpc.privateAdmin or editor for the folder |
Create a route table | create |
vpc.privateAdmin or editor for the folder |
Update or delete a route table | update , delete |
vpc.privateAdmin or editor for the route table |
Create public addresses | create |
vpc.publicAdmin or editor for the folder |
Delete public addresses | delete |
vpc.publicAdmin or editor for the address |
Create a gateway | create |
vpc.gateways.editor |
Enable the gateway in a route table | create , update |
vpc.gateways.user |
Create security groups | create |
vpc.securityGroups.admin or editor for the folder and network |
Update and delete security groups | update , delete |
vpc.securityGroups.admin or editor for the network and security group |
Manage resource access | ||
Grant a role, revoke a role, and view roles granted for the resource | setAccessBindings , updateAccessBindings , listAccessBindings |
admin for the resource |
To create a NAT gateway and connect it to a route table, you must be assigned the vpc.gateways.editor
and vpc.gateways.user
roles. Currently, you cannot use reserved public IP addresses for gateways, so the vpc.admin
role is not enough.