
Revoking a role for a resource

Written by
Yandex Cloud

    You can prevent a subject from accessing a resource. To do this, revoke the subject's roles for that resource or the resources that the access rights are inherited from. For more information, see How access management works in Yandex Cloud.

    Management console
    1. In the management console, select the folder where you wish to revoke a role for a resource.
    2. In the list of services, select Container Registry.
    3. Revoke a role for the resource.
      • Revoking a role for a registry:
        1. To the right of the registry name, click and select Configure ACL.

        2. In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.

        3. Deselect the role that you want to revoke.

          To revoke all the user's permissions, click Revoke.

        4. Click Save.

      • Revoking a role for a repository:
        1. Select the desired registry.

        2. To the right of the repository name, click and select Configure ACL.

        3. In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.

        4. Deselect the role that you want to revoke.

          To revoke all the user's permissions, click Revoke.

        5. Click Save.

    CLI

    If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    1. View assigned roles:

      yc <service name> <resource> list-access-bindings <resource name>|<resource ID>
      

      Where:

      • <service name>: Name of the service. For Container Registry, this is container.
      • <resource>: Category of the resource (registry or repository).
      • <resource name>: Name of the resource that the role is assigned for. You can specify a resource by its name or ID.
      • <resource ID>: ID of the resource that the role is assigned for.

      Example. View the roles for the registry with the ID crp0pmf1n68dh715tf02:

      yc container registry list-access-bindings crp0pmf1n68dh715tf02
      

      Result:

      +--------------------------+------------------+----------------------+
      |         ROLE ID          |   SUBJECT TYPE   |      SUBJECT ID      |
      +--------------------------+------------------+----------------------+
      | container-registry.admin | federatedAccount | kolhpriseeioo9dc3v24 |
      +--------------------------+------------------+----------------------+
      
    2. Revoke the role:

      yc <service name> <resource> remove-access-binding <resource name>|<resource ID> \
        --role <role ID> \
        --subject userAccount:<user ID>
      

      Where:

      • <service name>: Name of the service. For Container Registry, this is container.
      • <resource>: Category of the resource (registry or repository).
      • <resource name>: Name of the resource the role is revoked for. You can specify a resource by its name or ID.
      • <resource ID>: ID of the resource the role is revoked for.
      • <role ID>: ID of the role.
      • <user ID>: ID of the group, user, or service account that the role is revoked from.

      Example. Revoke the role container-registry.admin for the registry with the ID crp0pmf1n68dh715tf02 from the user with the ID kolhpriseeioo9dc3v24:

      yc container registry remove-access-binding crp0pmf1n68dh715tf02 \
       --role container-registry.admin \
       --subject userAccount:kolhpriseeioo9dc3v24
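
The two CLI steps above can be combined into a small audit helper. This is an added example, not part of the Yandex Cloud documentation: it reads the table printed by list-access-bindings, prints one remove-access-binding command per role held by a subject, and checks whether the subject is still bound afterwards. The function names are hypothetical, and the second table row (including its subject ID) is constructed sample data.

```shell
#!/bin/sh
# Added example: plan and verify a role revocation from `list-access-bindings` output.

# Constructed sample in the table format shown above; the second row is made up.
SAMPLE_BINDINGS='+----------------------------------+------------------+----------------------+
|             ROLE ID              |   SUBJECT TYPE   |      SUBJECT ID      |
+----------------------------------+------------------+----------------------+
| container-registry.admin         | federatedAccount | kolhpriseeioo9dc3v24 |
| container-registry.images.puller | serviceAccount   | aje0constructed00000 |
+----------------------------------+------------------+----------------------+'

# roles_for_subject <subject ID>
# Reads the table on stdin and prints every role bound to that subject ID.
# Border lines have no "|" separators and the header's ID column never matches.
roles_for_subject() {
  awk -F'|' -v id="$1" '
    NF >= 4 {
      for (i = 2; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($4 == id) print $2
    }'
}

# plan_revocation <registry ID> <type:subject ID>
# Prints one remove-access-binding command per role found; nothing is executed,
# so the plan can be reviewed before it is run.
plan_revocation() {
  local registry="$1" subject="$2" role
  roles_for_subject "${subject#*:}" | while IFS= read -r role; do
    printf 'yc container registry remove-access-binding %s --role %s --subject %s\n' \
      "$registry" "$role" "$subject"
  done
}

# still_bound <subject ID>
# Exit status 0 if the subject still holds any role in the table on stdin.
still_bound() {
  [ -n "$(roles_for_subject "$1")" ]
}

# Live usage (requires an initialized yc CLI):
#   yc container registry list-access-bindings "$REGISTRY_ID" \
#     | plan_revocation "$REGISTRY_ID" userAccount:<user ID>
#   yc container registry list-access-bindings "$REGISTRY_ID" \
#     | still_bound <user ID> && echo "subject still has roles on this registry"
```

A clean still_bound result only covers bindings set on this registry; roles inherited from parent resources have to be checked on those resources.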
      

    API

    Use the listAccessBindings method to view the roles assigned for a registry or repository.

    Use the updateAccessBindings method to revoke a role for a registry or repository.

    Read more about role management in the Yandex Identity and Access Management documentation.

    © 2022 Yandex.Cloud LLC