© 2022 Yandex.Cloud LLC
Yandex Key Management Service

Access management in Key Management Service

Written by
Yandex Cloud
  • About access management
  • What resources you can assign roles to
  • What roles exist in the service
    • Service roles
    • Primitive roles
  • What roles do I need

In this section, you'll learn:

  • What resources you can assign roles to.
  • What roles exist in the service.
  • What roles are required for particular actions.

About access management

Every operation in Yandex Cloud is checked by the Identity and Access Management service. If the subject making the request does not hold the required permission, the service returns an error.

To grant permissions on a resource, assign roles for that resource to the subject that will perform the operations. Roles can be assigned to a Yandex account, a service account, or a system group. For more information, see How access management works in Yandex Cloud.

Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.

What resources you can assign roles to

You can assign roles for a cloud, a folder, or an individual key. A role assigned for a cloud or folder also applies to every resource nested in it, so kms.admin on a folder covers all keys in that folder.

What roles exist in the service

You can manage access to KMS keys using both service and primitive roles. The diagram shows which roles are available in the service and how they inherit each other's permissions: for example, the editor role includes all viewer permissions, and admin includes all editor permissions. Each role is described below the diagram.

Service roles

Service roles give more granular control over KMS keys and reflect how the service is meant to be used: subjects are strictly divided into key administrators (the kms.admin role) and key users (the kms.keys.encrypterDecrypter role).

Users without the resource-manager.clouds.owner or admin role can't assign roles via the management console.

List of service roles:

  • kms.keys.encrypterDecrypter: Lets you perform data encryption and decryption operations and view information about keys.
  • kms.admin: Lets you manage keys (view, create, update, destroy, rotate keys, as well as encrypt and decrypt data). It also lets you assign the kms.keys.encrypterDecrypter role for keys using the CLI and API.

Primitive roles

Primitive roles are common to all resources in Yandex Cloud. Assigning any of them grants certain permissions in KMS as well as in other cloud services. For example, the admin role assigned for a folder lets you delete any KMS key in that folder, and also modify the folder itself or any other resource it contains. You can manage primitive roles using the management console.

List of primitive roles:

  • viewer: Provides viewing access only to resource information.
  • editor: Lets you manage (create and edit) resources.
  • admin: Lets you manage access to resources as well as the resources themselves (create, modify, and delete).

What roles do I need

Example of key access control

We recommend working with roles as follows:

  1. The cloud owner (the resource-manager.clouds.owner role) or administrator (the admin role) assigns the kms.admin role to the KMS administrator.
  2. The KMS administrator creates the required number of keys and assigns (through the CLI or API) roles to use them: subjects from different teams are granted the kms.keys.encrypterDecrypter role for the keys they need.

It is good practice to keep KMS keys in a dedicated folder, separate from other Yandex Cloud resources. Primitive roles (editor, admin) granted for an application folder apply to every resource in it, so keeping the keys elsewhere prevents those roles from implicitly covering the keys.
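As an added example (not part of the Yandex Cloud documentation), the following shell script drives the two steps above with the yc CLI: a cloud owner grants kms.admin on a dedicated folder, the KMS administrator creates one key per team and binds only kms.keys.encrypterDecrypter on each, and a small audit helper flags any other role bound directly on a key. The folder name, key names, and subject IDs are placeholders, and the `role_id` field name in the audit helper is assumed from yc's snake_case YAML output.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud documentation): the recommended
# kms.admin / kms.keys.encrypterDecrypter split, driven from the yc CLI.
# Assumptions: the folder name, key names and subject IDs below are
# placeholders; replace them with real ones before running with `apply`.
set -eu

FOLDER=${FOLDER:-kms-keys}                                    # dedicated KMS folder
KMS_ADMIN=${KMS_ADMIN:-userAccount:aje0000000000kmsadmin}     # placeholder user ID
PAYMENTS_SA=${PAYMENTS_SA:-serviceAccount:aje00000payments}   # placeholder SA ID
ANALYTICS_SA=${ANALYTICS_SA:-serviceAccount:aje0000analytics} # placeholder SA ID

# Every cloud call goes through run(). With DRY_RUN=1 it prints the yc command
# instead of executing it, so the IAM changes can be reviewed before they land.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "yc $*"
    else
        yc "$@"
    fi
}

# Step 1 (cloud owner or admin): give the KMS administrator kms.admin on the
# dedicated folder only, not on the whole cloud.
grant_kms_admin() {                  # $1 = folder name, $2 = subject (type:id)
    run resource-manager folder add-access-binding "$1" \
        --role kms.admin --subject "$2"
}

# Step 2a (KMS admin): one key per team or application, with rotation enabled.
create_key() {                       # $1 = folder name, $2 = key name
    run kms symmetric-key create --folder-name "$1" --name "$2" \
        --default-algorithm aes-256 --rotation-period 24h
}

# Step 2b (KMS admin): a team gets kms.keys.encrypterDecrypter on its own key
# and nothing else. add-access-binding appends to the existing bindings.
grant_key_use() {                    # $1 = folder, $2 = key name, $3 = subject
    run kms symmetric-key add-access-binding --folder-name "$1" --name "$2" \
        --role kms.keys.encrypterDecrypter --subject "$3"
}

# Check: read the YAML from `list-access-bindings --format yaml` on stdin and
# print every role bound directly on the key other than the one teams should
# hold. A kms.admin binding on a key itself is allowed by the service but
# breaks the model above, which keeps administration at folder level.
# (The field name role_id is assumed from yc's snake_case YAML output.)
unexpected_key_roles() {
    sed -n 's/^- *role_id: *//p' | grep -v '^kms\.keys\.encrypterDecrypter$' || true
}

audit_key() {                        # $1 = folder, $2 = key name
    run kms symmetric-key list-access-bindings --folder-name "$1" --name "$2" \
        --format yaml | unexpected_key_roles
}

main() {
    grant_kms_admin "$FOLDER" "$KMS_ADMIN"
    create_key "$FOLDER" payments-key
    create_key "$FOLDER" analytics-key
    grant_key_use "$FOLDER" payments-key "$PAYMENTS_SA"
    grant_key_use "$FOLDER" analytics-key "$ANALYTICS_SA"
    audit_key "$FOLDER" payments-key
}

# Runs only as `sh kms-access.sh apply`; `DRY_RUN=1 sh kms-access.sh apply`
# previews the commands. Sourcing the file just defines the functions.
case "${1:-}" in apply) main ;; esac
```

Note the difference between the two binding methods in the table below: `add-access-binding` (updateAccessBindings) appends one binding to those already on the key, while `set-access-bindings` (setAccessBindings) replaces the entire list, so a mistaken `set` can silently revoke every other team's access. Prefer the incremental form in scripts and confirm the result with `list-access-bindings`.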

Action                                             | Methods                                                      | Required roles
---------------------------------------------------|--------------------------------------------------------------|--------------------------------------
Get information about keys and versions            | get, listVersions                                            | kms.keys.encrypterDecrypter for a key
Encryption and decryption                          | encrypt, decrypt, reEncrypt, generateDataKey                 | kms.keys.encrypterDecrypter for a key
Get a list of keys in a folder                     | list                                                         | kms.admin for a folder
Create and update a key                            | create, update                                               | kms.admin for a folder
Rotate a key and update the primary version        | rotate, setPrimaryVersion                                    | kms.admin for a key
Destroy a key and version                          | delete, scheduleVersionDestruction, cancelVersionDestruction | kms.admin for a key
Assign, revoke, and view roles granted for the key | setAccessBindings, updateAccessBindings, listAccessBindings  | kms.admin for a key

Listing and creating keys require the role on the folder, since there is no key yet to bind it to. Because roles assigned for a folder or cloud also cover the keys nested in it, kms.admin for the folder satisfies every row; a role assigned for a single key covers only that key.

What's next

  • Safe use of Yandex Cloud.
  • How to assign a role.
  • How to revoke a role.
  • Learn more about access management in Yandex Cloud.
  • Learn more about role inheritance.
