Access management in Managed Service for GitLab
In this section, you will learn:
- Which resources you can assign a role for.
- Which roles exist in the service.
- Which roles are required for particular actions.
To use the service, log in to the management console with a Yandex account or federated account.
About access management
In Yandex Cloud, every operation is checked by Yandex Identity and Access Management. If the subject does not have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources you can assign a role for
You can assign a role to a cloud or folder. Cloud roles also apply to nested folders.
Which roles exist in the service
Service roles
gitlab.auditor
The gitlab.auditor role enables you to view information about Managed Service for GitLab instances and quotas.
gitlab.viewer
The gitlab.viewer role enables you to view the list of Managed Service for GitLab instances and information about each instance and its backups.
gitlab.editor
The gitlab.editor role enables you to create, edit, and delete instances, create and restore from backups, and reschedule and run scheduled maintenance.
gitlab.admin
The gitlab.admin role enables you to create, edit, and delete instances, as well as grant permissions to other users.
This role is assigned by default. It includes the gitlab.editor role.
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows managing (creating, editing, and deleting) resources.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see the Yandex Cloud role reference.
Roles required
To use the service, you need the gitlab.editor role or higher for the folder where the projects are created. With the gitlab.viewer role, you can only view the list of projects and the contents of uploaded files.
You can always assign a role with more permissions. For instance, you can assign gitlab.admin instead of gitlab.editor.
To create a GitLab instance, you also need the vpc.user role.
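The rules above (roles are bound to a cloud or a folder, cloud roles apply to nested folders, gitlab.admin includes gitlab.editor, and creating an instance needs gitlab.editor or higher plus vpc.user) can be turned into a small effective-permission check that answers "which roles does this subject still lack for this action on this folder?" and "who effectively holds gitlab.admin here?". The block below is an added example, not Yandex Cloud's code or API; the cloud and folder ids, subjects, bindings and action labels are constructed, and the two lower role-inclusion links (editor includes viewer, viewer includes auditor) are assumptions consistent with the role descriptions rather than statements from this page.

```python
# Added example (not Yandex Cloud's code): an effective-permission checker for
# the roles described on this page. Ids, subjects, bindings and action labels
# below are constructed sample data, not Yandex Cloud permission identifiers.
from dataclasses import dataclass

# Role inclusion. The admin -> editor link is stated on the page; the two
# lower links are ASSUMPTIONS consistent with the role descriptions.
ROLE_INCLUDES = {
    "gitlab.admin": {"gitlab.editor"},    # stated on the page
    "gitlab.editor": {"gitlab.viewer"},   # assumption
    "gitlab.viewer": {"gitlab.auditor"},  # assumption
}

# Roles that must ALL be held (directly or via inclusion) for an action.
REQUIRED_ROLES = {
    "instance.list":   {"gitlab.viewer"},
    "instance.create": {"gitlab.editor", "vpc.user"},  # vpc.user, as the page states
    "instance.update": {"gitlab.editor"},
    "backup.restore":  {"gitlab.editor"},
    "access.grant":    {"gitlab.admin"},
}

# Constructed topology: folder -> the cloud that contains it.
FOLDER_PARENT = {"folder:dev": "cloud:acme", "folder:prod": "cloud:acme"}


@dataclass(frozen=True)
class Binding:
    resource: str  # "cloud:<id>" or "folder:<id>"
    role: str
    subject: str   # "userAccount:<id>", "serviceAccount:<id>", ...


# Constructed sample access bindings.
BINDINGS = [
    Binding("folder:dev", "gitlab.editor", "userAccount:alice"),
    Binding("cloud:acme", "gitlab.viewer", "userAccount:bob"),
    Binding("folder:prod", "gitlab.admin", "userAccount:carol"),
    Binding("folder:prod", "vpc.user", "userAccount:carol"),
    Binding("folder:dev", "gitlab.editor", "serviceAccount:ci"),
    Binding("cloud:acme", "vpc.user", "serviceAccount:ci"),
]


def expand_roles(roles):
    """Close a role set under the 'includes' relation (transitively)."""
    closed, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        if role in closed:
            continue
        closed.add(role)
        stack.extend(ROLE_INCLUDES.get(role, ()))
    return closed


def effective_roles(bindings, subject, folder):
    """Roles a subject holds on a folder: bindings on the folder itself plus
    bindings on its cloud, because cloud roles also apply to nested folders."""
    scopes = {folder, FOLDER_PARENT.get(folder)}
    direct = {b.role for b in bindings if b.subject == subject and b.resource in scopes}
    return expand_roles(direct)


def missing_roles(bindings, subject, folder, action):
    """Roles the subject still lacks for the action; an empty set means allowed."""
    return REQUIRED_ROLES[action] - effective_roles(bindings, subject, folder)


def can(bindings, subject, folder, action):
    return not missing_roles(bindings, subject, folder, action)


def subjects_with(bindings, folder, role):
    """Audit helper: every subject that effectively holds `role` on the folder,
    including through cloud-level bindings and role inclusion."""
    subjects = {b.subject for b in bindings}
    return {s for s in subjects if role in effective_roles(bindings, s, folder)}


if __name__ == "__main__":
    for subject, folder, action in [
        ("userAccount:alice", "folder:dev", "instance.create"),
        ("userAccount:bob", "folder:prod", "instance.list"),
        ("serviceAccount:ci", "folder:prod", "instance.create"),
    ]:
        lacking = missing_roles(BINDINGS, subject, folder, action)
        verdict = "allowed" if not lacking else "missing " + ", ".join(sorted(lacking))
        print(f"{subject} {action} on {folder}: {verdict}")
    print("gitlab.admin on folder:prod:", sorted(subjects_with(BINDINGS, "folder:prod", "gitlab.admin")))
```

Running it shows the two checks a folder owner most often needs: alice holds gitlab.editor on folder:dev but cannot create an instance until vpc.user is added, while bob's gitlab.viewer binding on the cloud is enough to list instances in folder:prod because cloud roles reach nested folders. The subjects_with helper is the least-privilege review: it lists every subject that ends up with gitlab.admin on a folder, including through inheritance, which is the set of identities able to grant roles to others.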