Access management
In this section, you'll learn:
- What resources you can assign roles to.
- What roles exist in the service.
- What roles are required for particular actions.
About access management
All transactions in Yandex.Cloud are checked by the Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.
To grant permission to a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, service account, or system group. For more information, see How access management works in Yandex.Cloud.
Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.
What resources you can assign roles to.
You can assign roles for a cloud, folder, or key. These roles also apply to nested resources.
What roles exist in the service
You can manage access to KMS keys using both service and primitive roles. The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.
Service roles
Service roles provide more granular control over KMS keys, taking into account the service specifics: a strict division of subjects into key administrators (the kms.admin role) and users (the kms.keys.encrypterDecrypter role).
Users without the resource-manager.clouds.owner or admin role can't assign roles via the management console.
List of service roles:
kms.keys.encrypterDecrypter: Lets you perform data encryption and decryption operations and view information about keys.kms.admin: Lets you manage keys (view, create, update, destroy, rotate keys, as well as encrypt and decrypt data). It also lets you assign thekms.keys.encrypterDecrypterrole for keys using the CLI and API.
Primitive roles
Primitive roles are common to all Yandex.Cloud resources. Assigning any of them grants certain permissions in KMS and other cloud services. For example, the admin role assigned for a folder lets you destroy any KMS key in that folder and update the folder itself or resources in it. You can manage primitive roles using the management console.
List of primitive roles:
viewer: Only lets you view information about the resources.editor: Lets you manage resources (create and edit).admin: Lets you manage access to resources and the resources themselves (create, modify, and delete).
What roles do I need
Example of key access control
We recommend working with roles as follows:
- The cloud owner (the
resource-manager.clouds.ownerrole) or administrator (theadminrole) assigns thekms.adminrole to the KMS administrator. - The KMS administrator creates the required number of keys and assigns (through the CLI or API) roles to use them: subjects from different teams are granted the
kms.keys.encrypterDecrypterrole for the keys they need.
It's good practice to store KMS keys in a dedicated folder, separately from other Yandex.Cloud resources.
| Action | Methods | Required roles |
|---|---|---|
| KMS | ||
| Get information about keys and versions | get, listVersions |
kms.keys.encrypterDecrypter for a key |
| Operations of encryption and decryption | encrypt, decrypt, reencrypt, generatedatakey |
kms.keys.encrypterDecrypter for a key |
| Get a list of keys in a folder | list |
kms.admin for a key |
| Create and update a key | create, update |
kms.admin for a key |
| Rotate a key and change the primary version | rotate, setPrimaryVersion |
kms.admin for a key |
| Destroy a key and version | delete, scheduleVersionDestruction, cancelVersionDestruction |
kms.admin for a key |
| Assign, revoke, and view roles granted for the key | setAccessBindings, updateAccessBindings, listAccessBindings |
kms.admin for a key |