Managing rights to access functions
You can make a function public or private, view roles assigned to a function, revoke them, or assign new roles.
Making a function public
To allow any user to invoke a function without passing an authorization header, make it public.
- In the management console, go to the folder where the function is located.
- Select Cloud Functions.
- Select the function you want to make public.
- On the Overview page, under General information, switch the Public function option to on.
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To make a function public, run the command:
yc serverless function allow-unauthenticated-invoke <function name>
Result:
done (1s)
You can make a function public using the setAccessBindings API method.
Making a function private
For a function to be invoked only by users with rights to invoke it, make the function private.
Note
If all unauthorized users (allUsers system group) of a cloud or folder are granted rights to invoke a function, the function will be public regardless of the settings. How to revoke a role.
- In the management console, go to the folder where the function is located.
- Select Cloud Functions.
- Select the function you want to make private.
- On the Overview page, under General information, switch the Public function option to off.
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To make a function private, run the command:
yc serverless function deny-unauthenticated-invoke <function name>
Result:
done (1s)
Viewing roles assigned to a function
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To view roles assigned to a function, run the command:
yc serverless function list-access-bindings <function name>
Result:
+------------------------------+--------------+-----------------------+
|           ROLE ID            | SUBJECT TYPE |      SUBJECT ID       |
+------------------------------+--------------+-----------------------+
| serverless.functions.invoker | system       | allAuthenticatedUsers |
+------------------------------+--------------+-----------------------+
You can view roles assigned to a function using the listAccessBindings API method.
Note
Roles assigned to a folder or cloud are automatically inherited by a function. However, they don't appear in the list of assigned roles. Learn more about viewing roles.
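The check below is an added example, not part of the original documentation: it reads the table printed by list-access-bindings and reports every binding granted to a system group, which is how a function ends up invocable beyond named accounts. The function names find_system_bindings and sample_bindings are hypothetical, and the sample table (including its serviceAccount row) is constructed.

```shell
#!/bin/sh
# Flag function access bindings granted to system groups.
# Input (stdin): the table printed by
#   yc serverless function list-access-bindings <function name>
# Bindings inherited from the folder or cloud are not in that table,
# so a clean result here does not prove the function is private.

# Prints "ROLE SUBJECT" for each binding whose subject type is "system".
# Exit status: 1 if any such binding was found, 0 otherwise.
find_system_bindings() {
    awk -F'|' '
        # Data rows start with "|"; border rows start with "+".
        /^\|/ {
            for (i = 2; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 == "ROLE ID") next              # header row
            if ($3 == "system") { print $2, $4; found = 1 }
        }
        END { exit found + 0 }
    '
}

# Constructed sample input in the format shown on this page.
sample_bindings() {
    cat <<'EOF'
+------------------------------+----------------+-----------------------+
|           ROLE ID            |  SUBJECT TYPE  |      SUBJECT ID       |
+------------------------------+----------------+-----------------------+
| serverless.functions.invoker | system         | allAuthenticatedUsers |
| serverless.functions.invoker | serviceAccount | <service account ID>  |
+------------------------------+----------------+-----------------------+
EOF
}

# Demonstration on the constructed sample.
sample_bindings | find_system_bindings ||
    echo "system-group binding found: confirm it is intended"
```

Against a real function, pipe the command output into the check: yc serverless function list-access-bindings <function name> | find_system_bindings. The non-zero exit status lets a scheduled job or CI step fail when such a binding appears.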
Assigning roles to a function
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign a role to a function, run the command:
- User:
  yc serverless function add-access-binding \
    --id <function ID> \
    --user-account-id <user id> \
    --role <role>
  Result:
  done (1s)
- Service account:
  yc serverless function add-access-binding \
    --id <function ID> \
    --service-account-id <service account ID> \
    --role <role>
  Result:
  done (1s)
- All authorized users (allAuthenticatedUsers system group):
  yc serverless function add-access-binding \
    --id <function ID> \
    --all-authenticated-users \
    --role <role>
  Result:
  done (1s)
You can assign roles to a function using the setAccessBindings API method.
Revoking roles assigned to a function
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To revoke a role for a function, run the command:
- User:
  yc serverless function remove-access-binding \
    --id <function ID> \
    --user-account-id <user id> \
    --role <role>
  Result:
  done (1s)
- Service account:
  yc serverless function remove-access-binding \
    --id <function ID> \
    --service-account-id <service account ID> \
    --role <role>
  Result:
  done (1s)
- All authorized users (allAuthenticatedUsers system group):
  yc serverless function remove-access-binding \
    --id <function ID> \
    --all-authenticated-users \
    --role <role>
  Result:
  done (1s)
You can revoke roles for a function using the updateAccessBindings API method.