Get started
Language / Region
© 2022 Yandex.Cloud LLC
Yandex Cloud Functions

Managing rights to access functions

Written by

You can make a function public or private, view roles assigned to a function, revoke them, or assign new roles.

Making a function public

To allow any user to invoke a function without passing an authorization header, make it public.

  1. In the management console, go to the folder where the function is located.
  2. Select Cloud Functions.
  3. Select the function you want to make public.
  4. On the Overview page, under General information, switch the Public function option to on.

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To make a function public, run the command:

yc serverless function allow-unauthenticated-invoke <function name>

Result:

done (1s)

You can make a function public using the setAccessBindings API method.

Making a function private

For a function to be invoked only by users with rights to invoke it, make the function private.

Note

If all unauthorized users (allUsers system group) of a cloud or folder are granted rights to invoke a function, the function will be public regardless of the settings. How to revoke a role.

  1. In the management console, go to the folder where the function is located.
  2. Select Cloud Functions.
  3. Select the function you want to make private.
  4. On the Overview page, under General information, switch the Public function option to off.

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To make a function private, run the command:

yc serverless function deny-unauthenticated-invoke <function name>

Result:

done (1s)

Viewing roles assigned to a function

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To view roles assigned to a function, run the command:

yc serverless function list-access-bindings <function name>

Result:

+------------------------------+--------------+-----------------------+
|           ROLE ID            | SUBJECT TYPE |       SUBJECT ID      |
+------------------------------+--------------+-----------------------+
| serverless.functions.invoker | system       | allAuthenticatedUsers |
+------------------------------+--------------+-----------------------+

You can view roles assigned to a function using the listAccessBindings API method.

Note

Roles assigned to a folder or cloud are automatically inherited by a function. However, they don't appear in the list of assigned roles. Learn more about viewing roles.

Assigning roles to a function

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role to a function, run the command:

  • User:

    yc serverless function add-access-binding \
  --id <function ID> \
  --user-account-id <user id> \
  --role <role>

    Result:

    done (1s)

  • Service account:

    yc serverless function add-access-binding \
  --id <function ID> \
  --service-account-id <service account ID> \
  --role <role>

    Result:

    done (1s)

  • All authorized users (allAuthenticatedUsers system group):

    yc serverless function add-access-binding \
  --id <function ID> \
  --all-authenticated-users \
  --role <role>

    Result:

    done (1s)

You can assign roles to a function using the setAccessBindings API method.

Revoking roles assigned to a function

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To revoke a role for a function, run the command:

  • User:

    yc serverless function remove-access-binding \
  --id <function ID> \
  --user-account-id <user id> \
  --role <role>

    Result:

    done (1s)

  • Service account:

    yc serverless function remove-access-binding \
  --id <function ID> \
  --service-account-id <service account ID> \
  --role <role>

    Result:

    done (1s)

  • All authorized users (allAuthenticatedUsers system group):

    yc serverless function remove-access-binding \
  --id <function ID> \
  --all-authenticated-users \
  --role <role>

    Result:

    done (1s)

You can revoke roles for a function using the updateAccessBindings API method.

Language / Region
© 2022 Yandex.Cloud LLC
In this article: