© 2022 Yandex.Cloud LLC

Managing rights to access functions

Written by Yandex Cloud
  • Making a function public
  • Making a function private
  • Viewing roles assigned to a function
  • Assigning roles to a function
  • Revoking roles assigned to a function

You can make a function public or private, view roles assigned to a function, revoke them, or assign new roles.

Making a function public

To allow any user to invoke a function without passing an authorization header, make it public.

Management console

  1. In the management console, go to the folder where the function is located.
  2. Select Cloud Functions.
  3. Select the function you want to make public.
  4. On the Overview page, under General information, switch the Public function option to on.

CLI

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To make a function public, run the command:

yc serverless function allow-unauthenticated-invoke <function name>

Result:

done (1s)

API

You can make a function public using the setAccessBindings API method.

Making a function private

For a function to be invoked only by users with rights to invoke it, make the function private.

Note

If all unauthorized users (allUsers system group) of a cloud or folder are granted rights to invoke a function, the function will be public regardless of the settings. How to revoke a role.

Management console

  1. In the management console, go to the folder where the function is located.
  2. Select Cloud Functions.
  3. Select the function you want to make private.
  4. On the Overview page, under General information, switch the Public function option to off.

CLI

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To make a function private, run the command:

yc serverless function deny-unauthenticated-invoke <function name>

Result:

done (1s)

Viewing roles assigned to a function

CLI

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To view roles assigned to a function, run the command:

yc serverless function list-access-bindings <function name>

Result:

+------------------------------+--------------+-----------------------+
|           ROLE ID            | SUBJECT TYPE |       SUBJECT ID      |
+------------------------------+--------------+-----------------------+
| serverless.functions.invoker | system       | allAuthenticatedUsers |
+------------------------------+--------------+-----------------------+

API

You can view roles assigned to a function using the listAccessBindings API method.

Note

Roles assigned to a folder or cloud are automatically inherited by a function. However, they don't appear in the list of assigned roles. Learn more about viewing roles.
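
A check that can be run over the table printed by list-access-bindings, added here as an example and not part of the Yandex Cloud documentation or CLI: it flags bindings to the allUsers and allAuthenticatedUsers system groups. The function names (audit_bindings, audit_function, sample_table) and the sample rows are constructed for illustration. Because roles inherited from the folder or cloud do not appear in this output, an empty result covers function-level bindings only.

```bash
#!/usr/bin/env bash
# Added example: flag broad grants in `yc serverless function list-access-bindings` output.

# Reads the bindings table on stdin and prints one finding per line:
#   PUBLIC <role>         bound to allUsers (invocable without an authorization header)
#   AUTHENTICATED <role>  bound to allAuthenticatedUsers
# Rows for individual users or service accounts produce no output.
audit_bindings() {
  awk -F'|' '
    NF >= 4 {
      # Fields 2..4 are ROLE ID, SUBJECT TYPE, SUBJECT ID; trim the cell padding.
      for (i = 2; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
      if ($2 == "ROLE ID") next      # header row
      if ($3 != "system") next       # only system groups are broad grants
      if ($4 == "allUsers") print "PUBLIC " $2
      else if ($4 == "allAuthenticatedUsers") print "AUTHENTICATED " $2
    }'
}

# Audits a live function by name (requires an initialized yc CLI profile).
audit_function() {
  yc serverless function list-access-bindings "$1" | audit_bindings
}

# Constructed sample in the same layout as the Result table above.
sample_table() {
  cat <<'EOF'
+------------------------------+----------------+-----------------------+
|           ROLE ID            |  SUBJECT TYPE  |       SUBJECT ID      |
+------------------------------+----------------+-----------------------+
| serverless.functions.invoker | system         | allUsers              |
| serverless.functions.invoker | system         | allAuthenticatedUsers |
| serverless.functions.invoker | serviceAccount | example-sa-id         |
+------------------------------+----------------+-----------------------+
EOF
}

# Offline demonstration on the constructed sample.
sample_table | audit_bindings
```
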

Assigning roles to a function

CLI

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role to a function, run the command:

  • User:

    yc serverless function add-access-binding \
      --id <function ID> \
      --user-account-id <user id> \
      --role <role>

    Result:

    done (1s)

  • Service account:

    yc serverless function add-access-binding \
      --id <function ID> \
      --service-account-id <service account ID> \
      --role <role>

    Result:

    done (1s)

  • All authorized users (allAuthenticatedUsers system group):

    yc serverless function add-access-binding \
      --id <function ID> \
      --all-authenticated-users \
      --role <role>

    Result:

    done (1s)

API

You can assign roles to a function using the setAccessBindings API method.

Revoking roles assigned to a function

CLI

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To revoke a role for a function, run the command:

  • User:

    yc serverless function remove-access-binding \
      --id <function ID> \
      --user-account-id <user id> \
      --role <role>

    Result:

    done (1s)

  • Service account:

    yc serverless function remove-access-binding \
      --id <function ID> \
      --service-account-id <service account ID> \
      --role <role>

    Result:

    done (1s)

  • All authorized users (allAuthenticatedUsers system group):

    yc serverless function remove-access-binding \
      --id <function ID> \
      --all-authenticated-users \
      --role <role>

    Result:

    done (1s)

API

You can revoke roles for a function using the updateAccessBindings API method.
