Revoking a role for a resource

You can prevent the subject from accessing a resource. To do this, revoke the subject's roles for that resource or the resources that the access rights are inherited from. For more information, see How access management works in Yandex.Cloud.

Management console

CLI

API

In the management console, select the folder where you want to revoke a role for a resource.
In the list of services, select Container Registry.
Revoke a role for the resource.
- Revoking a role for a registry:
  1. To the right of the registry name, click and select Configure ACL.
  2. In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.
  3. Deselect the role that you want to revoke.
    To revoke all the user's permissions, click Revoke.
  4. Click Save.
- Revoking a role for a repository:
  1. Select the desired registry.
  2. To the right of the desired repository name, click and select Configure ACL.
  3. In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.
  4. Deselect the role that you want to revoke.
    To revoke all the user's permissions, click Revoke.
  5. Click Save.

If you don't have the Yandex.Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

View assigned roles:

yc <service name> <resource> list-access-bindings <resource name>|<resource ID>

Where:

<service name>: Name of a container service.
<resource>: Category of the resource (registry or repository).
<resource name>: Name of the resource that the role is assigned for. You can specify a resource by its name or ID.
<resource id>: ID of the resource that the role is assigned for.

Example. View the roles for the registry with the ID crp0pmf1n68dh715tf02:

yc container registry list-access-bindings crp0pmf1n68dh715tf02

Command execution result:

+--------------------------+--------------+----------------------+
|         ROLE ID          | SUBJECT TYPE |      SUBJECT ID      |
+--------------------------+--------------+----------------------+
| container-registry.admin | userAccount  | kolhpriseeioo9dc3v24 |
+--------------------------+--------------+----------------------+

Revoke the role:
```
yc <service name> <resource> remove-access-binding <resource name>|<resource ID> \
  --role <role ID> \
  --subject userAccount:<user ID>
```
Where:
- <service name>: Name of a container service.
- <resource>: Category of the resource (registry or repository).
- <resource name>: Name of the resource the role is revoked for. You can specify a resource by its name or ID.
- <resource id>: ID of the resource the role is revoked for.
- <role id>: ID of the role.
- <user id>: ID of the group, user, or service account that the role is revoked from.
Example. Revoke the role container-registry.admin for the registry with the ID crp0pmf1n68dh715tf02 from the user with the ID kolhpriseeioo9dc3v24:
```
yc container registry remove-access-binding crp0pmf1n68dh715tf02 \
 --role container-registry.admin \
 --subject userAccount:kolhpriseeioo9dc3v24
```

Use the method listAccessBindings to view the roles assigned for the resources registry and repository.

Use the method updateAccessBindings to revoke the role for the resources registry and repository.

Read more about role management in the documentation for Yandex Identity and Access Management.