Yandex.Cloud
  • Services
  • Why Yandex.Cloud
  • Solutions
  • Pricing
  • Documentation
  • Contact us
Get started
Yandex Identity and Access Management
  • Getting started
    • How to manage access to resources
    • How to work with service accounts
  • Step-by-step instructions
    • All instructions
    • Users
      • Adding users
      • Getting user ID or email
      • Deleting a user
    • Service accounts
      • Creating a service account
      • Updating a service account
      • Assigning roles to a service account
      • Setting up access rights for a service account
      • Creating static access keys
      • Getting the service account ID
      • Deleting service accounts
    • Identity federations
      • Authentication using Active Directory
      • Authentication using G Suite
      • Authentication using an identity federation
      • Adding users
    • Roles
      • Assigning roles
      • Viewing assigned roles
      • Revoking roles
    • IAM tokens
      • Getting an IAM token for a Yandex account
      • Getting an IAM token for a service account
      • Getting an IAM token for a federated account
    • Keys
      • Creating API keys
      • Deleting API keys
      • Creating authorized keys
  • Concepts
    • Overview
    • How access management works
      • Overview
      • Roles
      • System groups
      • Resources that roles can be assigned for
    • Authorization
      • Overview
      • IAM token
      • OAuth token
      • API key
      • Authorized keys
      • AWS-compatible access keys
    • Service accounts
    • SAML-compatible identity federations
    • Quotas and limits
  • How to use Yandex.Cloud securely
  • Access management
  • Pricing policy
  • API reference
    • Authentication in the API
    • gRPC
      • Overview
      • ApiKeyService
      • IamTokenService
      • KeyService
      • RoleService
      • ServiceAccountService
      • UserAccountService
      • YandexPassportUserAccountService
      • AccessKeyService
      • CertificateService
      • FederationService
      • OperationService
    • REST
      • Overview
      • ApiKey
        • Overview
        • create
        • delete
        • get
        • list
        • listOperations
        • update
      • IamToken
        • Overview
        • create
      • Key
        • Overview
        • create
        • delete
        • get
        • list
        • listOperations
        • update
      • Role
        • Overview
        • get
        • list
      • ServiceAccount
        • Overview
        • create
        • delete
        • get
        • list
        • listAccessBindings
        • listOperations
        • setAccessBindings
        • update
        • updateAccessBindings
      • UserAccount
        • Overview
        • get
      • YandexPassportUserAccount
        • Overview
        • getByLogin
      • Operation
        • Overview
        • get
      • Federation
        • Overview
        • update
        • list
        • listUserAccounts
        • get
        • delete
        • addUserAccounts
        • create
        • listOperations
      • Certificate
        • Overview
        • update
        • list
        • get
        • delete
        • create
        • listOperations
      • AccessKey
        • Overview
        • update
        • list
        • get
        • delete
        • create
        • listOperations
  • Questions and answers
    • General questions
    • Logging in and accessing resources
    • All questions on the same page
  1. Step-by-step instructions
  2. Service accounts
  3. Assigning roles to a service account

Assigning roles to a service account

    This section describes how to assign a role to a service account for a resource. To assign another user a role to a service account like to a resource, follow the instructions in Setting up access rights for a service account.

    A service account can only be assigned roles for the resources of the cloud that the service account belongs to.

    In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.

    Management console
    CLI
    API

    To assign a role for the folder where the service account was created:

    1. Select a folder.
    2. Go to the Service accounts tab.
    3. Click next to the service account and select Edit service account.
    4. Click Add role and select a role.
    5. Click Save.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    To assign the service account a role for a resource, run:

    yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
        --role <ROLE-ID> \
        --subject serviceAccount:<SERVICE-ACCOUNT-ID>
    

    where:

    • <SERVICE-NAME> is the name of the service that the resource belongs to (for example, resource-manager).
    • <RESOURCE> is the resource category, for example cloud.
    • <RESOURCE-NAME> is the name of the resource. You can specify a resource by its name or ID.
    • <RESOURCE-ID> is the resource ID.
    • <ROLE-ID> is the role ID, for example resource-manager.clouds.owner.
    • <SERVICE-ACCOUNT-ID> is the identifier of the service account assigned the role.

    For example, to assign the viewer role to a service account for the folder my-folder:

    1. Find out the service account ID by its name:

      $ yc iam service-account get my-robot
      id: aje6o61dvog2h6g9a33s
      folder_id: b1gvmob95yysaplct532
      created_at: "2018-10-15T18:01:25Z"
      name: my-robot
      

      If you don't know the name of the service account, get a list of service accounts with their IDs:

      $ yc iam service-account list
      +----------------------+------------------+-----------------+
      |          ID          |       NAME       |   DESCRIPTION   |
      +----------------------+------------------+-----------------+
      | aje6o61dvog2h6g9a33s | my-robot         | my description  |
      +----------------------+------------------+-----------------+
      
    2. Assign a role to the my-robot service account using its ID:

      $ yc resource-manager folder add-access-binding my-folder \
          --role viewer \
          --subject serviceAccount:aje6o61dvog2h6g9a33s
      
    1. Get the ID of the folder with service accounts.

    2. Get a list of folder service accounts to find out their IDs:

      $ export FOLDER_ID=b1gvmob95yysaplct532
      $ export IAM_TOKEN=CggaATEVAgA...
      $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \
          "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
      
      {
       "serviceAccounts": [
        {
         "id": "ajebqtreob2dpblin8pe",
         "folderId": "b1gvmob95yysaplct532",
         "createdAt": "2018-10-18T13:42:40Z",
         "name": "my-robot",
         "description": "my description"
        }
       ]
      }
      
    3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

      body.json:

      {
          "accessBindingDeltas": [{
              "action": "ADD",
              "accessBinding": {
                  "roleId": "editor",
                  "subject": {
                      "id": "ajebqtreob2dpblin8pe",
                      "type": "serviceAccount"
                      }
                  }
              }
          ]
      }
      
    4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

      $ export FOLDER_ID=b1gvmob95yysaplct532
      $ export IAM_TOKEN=CggaATEVAgA...
      $ curl -X POST \
          -H "Content-Type: application/json" \
          -H "Authorization: Bearer ${IAM_TOKEN}" \
          -d '@body.json' \
          "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
      

    What's next

    • Creating static access keys
    • Setting up access rights for a service account
    • Assign multiple roles at once
    Language / Region
    Careers
    Privacy policy
    Terms of use
    Brandbook
    © 2021 Yandex.Cloud LLC