Setting up folder access rights
To grant a user access to folder resources, assign the user a role for the appropriate folder.
Assign a role for a folder
Management console
- In the management console, go to the appropriate folder.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select User accounts.
- Select a user from the list or search by user.
- Click Add role and select the role from the list or use the search bar.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- View the description of the command to assign a role for a folder:
  yc resource-manager folder add-access-binding --help
- Select a folder, e.g., my-folder:
  yc resource-manager folder list
  Result:
  +----------------------+-----------+--------+--------+
  | ID                   | NAME      | LABELS | STATUS |
  +----------------------+-----------+--------+--------+
  | b1gd129pp9ha******** | my-folder |        | ACTIVE |
  +----------------------+-----------+--------+--------+
- Choose the role:
  yc iam role list
  Result:
  +--------------------------------+-------------+
  | ID                             | DESCRIPTION |
  +--------------------------------+-------------+
  | admin                          |             |
  | compute.images.user            |             |
  | editor                         |             |
  | ...                            |             |
  +--------------------------------+-------------+
- Find out the user ID from the login or email address. To assign a role to a service account or system group instead of a user, see the examples below.
  yc iam user-account get test-user
  Result:
  id: gfei8n54hmfh********
  yandex_passport_user_account:
    login: test-user
    default_email: test-user@yandex.ru
- Assign the editor role for the my-folder folder to a user named test-user. In the subject, specify the userAccount type and the user ID:
  yc resource-manager folder add-access-binding my-folder \
    --role editor \
    --subject userAccount:gfei8n54hmfh********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Alert
Do not create the resource together with the yandex_resourcemanager_folder_iam_policy resource. They will conflict with each other.
To assign a role to a folder created using Terraform:
- Describe the parameters of the folder role in a configuration file:
  - folder_id: ID of the folder to grant permissions for. This is a required parameter.
  - role: Role being assigned. This is a required parameter.
    Note
    For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.
  - member: User to assign the role to. This is a required parameter. Possible values:
    - userAccount:<user_ID>: User ID
    - serviceAccount:<service_account_ID>: Service account ID
    - federatedUser:<user_account_ID>: User account ID
  Example of assigning roles to a folder using Terraform (the data source reference must point at the yandex_resourcemanager_folder data source, not at the IAM member resource):
  ...
  data "yandex_resourcemanager_folder" "project1" {
    folder_id = "<folder_ID>"
  }

  resource "yandex_resourcemanager_folder_iam_member" "editor" {
    folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
    role      = "editor"
    member    = "userAccount:<login@yandex.ru>"
  }
  ...
  For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the provider documentation.
- Check the configuration using this command:
  terraform validate
  If the configuration is correct, you will get this message:
  Success! The configuration is valid.
- Run this command:
  terraform plan
  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  terraform apply
- Confirm the changes: type yes into the terminal and press Enter.
You can check the folder update using the management console or this CLI command:
yc resource-manager folder list-access-bindings <folder_name_or_ID>
API
Use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call. You will need the folder ID and the ID of the user to whom you want to assign the role for the folder.
- Find out the folder ID using the list REST API method:
  curl -H "Authorization: Bearer <IAM_token>" \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders?cloudId=b1gg8sgd16g7********
  Result:
  {
    "folders": [
      {
        "id": "b1g66mft1vop********",
        "cloudId": "b1gd129pp9ha********",
        "createdAt": "2018-10-17T12:44:31Z",
        "name": "my-folder",
        "status": "ACTIVE"
      }
    ]
  }
- Find out the user ID from the login using the getByLogin REST API method:
  curl -H "Authorization: Bearer <IAM_token>" \
    https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
  Result:
  {
    "id": "gfei8n54hmfh********",
    "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
    }
  }
- Assign the editor role for the my-folder folder to the user. Set the action property to ADD and specify the userAccount type and user ID in the subject property:
  curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM_token>" \
    -d '{
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "gfei8n54hmfh********",
            "type": "userAccount"
          }
        }
      }]
    }' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha********:updateAccessBindings
Assign multiple roles
Management console
- In the management console, go to the appropriate folder.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select User accounts.
- Select a user from the list or search by user.
- Click Add role and select the role from the list or use the search bar.
- Repeat this step as many times as you need to add all the required roles.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites the access rights to the resource. All current resource roles will be deleted.
- Make sure the resource has no roles assigned that you would rather not lose:
  yc resource-manager folder list-access-bindings my-folder
- For example, assign a role to multiple users:
  yc resource-manager folder set-access-bindings my-folder \
    --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
    --access-binding role=viewer,subject=userAccount:helj89sfj80a********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Alert
Do not create the resource together with the yandex_resourcemanager_folder_iam_policy resource. They will conflict with each other.
To assign several roles to a folder created with Terraform:
- Describe the parameters of the folder role in a configuration file:
  - folder_id: ID of the folder to grant permissions for. This is a required parameter.
  - role: Role being assigned. This is a required parameter.
    Note
    For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.
  - member: User to assign the role to. To add a user to the list, create an entry in the format userAccount:<user_ID>, where <user_ID> is the email address of the Yandex account (for example, ivan@yandex.ru). This is a required parameter.
  Example of assigning roles to a folder using Terraform:
  ...
  data "yandex_resourcemanager_folder" "project1" {
    folder_id = "<folder_ID>"
  }

  resource "yandex_resourcemanager_folder_iam_member" "editor" {
    folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
    role      = "editor"
    member    = "userAccount:<login1@yandex.ru>"
  }

  resource "yandex_resourcemanager_folder_iam_member" "operator" {
    folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
    role      = "operator"
    member    = "userAccount:<login1@yandex.ru>"
  }
  ...
  For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the provider documentation.
- Check the configuration using this command:
  terraform validate
  If the configuration is correct, you will get this message:
  Success! The configuration is valid.
- Run this command:
  terraform plan
  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  terraform apply
- Confirm the changes: type yes into the terminal and press Enter.
You can check the folder update using the management console or this CLI command:
yc resource-manager folder list-access-bindings <folder_name_or_ID>
API
Assign the editor role to one user and the viewer role to another user:
curl -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <IAM_token>" \
  -d '{
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "gfei8n54hmfh********",
          "type": "userAccount"
        }
      }
    },{
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "helj89sfj80a********",
          "type": "userAccount"
        }
      }
    }]
  }' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha********:updateAccessBindings
You can also assign roles using the setAccessBindings REST API method for the Folder resource or the FolderService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method completely rewrites the access rights to the resource! All current resource roles will be deleted.
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM_token>" \
-d '{
"accessBindings": [{
"roleId": "editor",
"subject": { "id": "ajei8n54hmfh********", "type": "userAccount" }
},{
"roleId": "viewer",
"subject": { "id": "helj89sfj80a********", "type": "userAccount" }
}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha********:setAccessBindings
Folder access for a service account
Management console
- In the management console, select the appropriate folder.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, click Select subject → Service accounts.
- Select the required service account from the list or use the search.
- Click Add role.
- Select a role in the folder.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- Select a role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Find out the service account ID by its name:
  yc iam service-account get my-robot
  Result:
  id: aje6o61dvog2********
  folder_id: b1gvmob95yys********
  created_at: "2018-10-15T18:01:25Z"
  name: my-robot
  If you don't know the name of the service account, get a list of service accounts with their IDs:
  yc iam service-account list
  Result:
  +----------------------+------------------+-----------------+
  | ID                   | NAME             | DESCRIPTION     |
  +----------------------+------------------+-----------------+
  | aje6o61dvog2******** | my-robot         | my description  |
  +----------------------+------------------+-----------------+
- Assign the viewer role to the my-robot service account using its ID:
  yc resource-manager folder add-access-binding my-folder \
    --role viewer \
    --subject serviceAccount:aje6o61dvog2********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Alert
Do not create the resource together with the yandex_resourcemanager_folder_iam_policy resource. They will conflict with each other.
To assign a service account a role to a folder created with Terraform:
- Describe the parameters of the folder role in a configuration file:
  - folder_id: ID of the folder to grant permissions for. This is a required parameter.
  - role: Role being assigned. This is a required parameter.
    Note
    For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.
  - member: User to assign the role to. To add a service account to the list, create a record as follows: serviceAccount:<service_account_ID>, where <service_account_ID> is the service account identifier. You can list several service accounts. This is a required parameter.
  Example of assigning roles to a folder using Terraform:
  ...
  data "yandex_resourcemanager_folder" "project1" {
    folder_id = "<folder_ID>"
  }

  resource "yandex_resourcemanager_folder_iam_member" "editor" {
    folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
    role      = "editor"
    member    = "serviceAccount:<service_account_ID>"
  }
  ...
  For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the provider documentation.
- Check the configuration using this command:
  terraform validate
  If the configuration is correct, you will get this message:
  Success! The configuration is valid.
- Run this command:
  terraform plan
  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  terraform apply
- Confirm the changes: type yes into the terminal and press Enter.
You can check the folder update using the management console or this CLI command:
yc resource-manager folder list-access-bindings <folder_name_or_ID>
API
To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:
- Select a role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Get the ID of the folder the service account belongs to.
- Get an IAM token required for authorization in the Yandex Cloud API.
- Get a list of the folder's service accounts to find out their IDs:
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaATEVAgA...
  curl -H "Authorization: Bearer ${IAM_TOKEN}" \
    "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
  Result:
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2d********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "my-robot",
        "description": "my description"
      }
    ]
  }
- Create the request body, for example, in the body.json file. Set the action property to ADD and the roleId property to the appropriate role, such as editor, and specify the serviceAccount type and service account ID in the subject property.
  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "ajebqtreob2d********",
          "type": "serviceAccount"
        }
      }
    }]
  }
- Assign a role to the service account. For example, for a folder with the b1gvmob95yys******** ID:
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
Folder access for a federated user
The role assignment procedure is the same as for a user with a Yandex account. The user's federation name is shown next to the username.
Management console
- In the management console, go to the appropriate folder.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select User accounts.
- Select a user from the list or search by user.
- Click Add role and select the role from the list or use the search bar.
- Click Save.
CLI
- Select a role from the Yandex Cloud role reference.
- Assign the role using the command:
  yc resource-manager folder add-access-binding <folder_name_or_ID> \
    --role <role_ID> \
    --subject federatedUser:<user_ID>
  Where:
  - <folder_name_or_ID>: Folder name or ID.
  - --role: Role ID, e.g., editor.
  - --subject: ID of the user account to which the role is assigned.
  For example, grant a federated user with the ID aje6o61dvog2******** the editor role to the my-folder folder:
  yc resource-manager folder add-access-binding my-folder \
    --role editor \
    --subject federatedUser:aje6o61dvog2********
Access to a resource for all users
You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers or allUsers.
You can assign any role to the system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex Cloud at your expense.
For example, allow any authenticated user to view folder information:
Management console
- In the management console, go to the appropriate folder.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select Public.
- Select the All authenticated users group.
- Click Add role.
- Select the resource-manager.viewer role.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
Assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:
yc resource-manager folder add-access-binding my-folder \
  --role viewer \
  --subject system:allAuthenticatedUsers
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Alert
Do not create the resource together with the yandex_resourcemanager_folder_iam_policy resource. They will conflict with each other.
To assign a role to a folder created using Terraform:
- Describe the parameters of the folder role in a configuration file:
  - folder_id: ID of the folder to grant permissions for. This is a required parameter.
  - role: Role being assigned. This is a required parameter.
    Note
    For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.
  - member: User to assign the role to. To add all users, create an entry in the format system:<allUsers|allAuthenticatedUsers>, where <allUsers|allAuthenticatedUsers> is one of the system groups. This is a required parameter.
  Here is an example of the configuration file structure (the data source reference must point at the yandex_resourcemanager_folder data source, not at the IAM member resource):
  ...
  data "yandex_resourcemanager_folder" "project1" {
    folder_id = "<folder_ID>"
  }

  resource "yandex_resourcemanager_folder_iam_member" "viewer" {
    folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
    role      = "viewer"
    member    = "system:allUsers"
  }
  ...
  For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the provider documentation.
- Check the configuration using this command:
  terraform validate
  If the configuration is correct, you will get this message:
  Success! The configuration is valid.
- Run this command:
  terraform plan
  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  terraform apply
- Confirm the changes: type yes into the terminal and press Enter.
You can check the folder update using the management console or this CLI command:
yc resource-manager folder list-access-bindings <folder_name_or_ID>
API
- Create a request body, for example, in the body.json file. In roleId, assign the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID.
  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "allAuthenticatedUsers",
          "type": "system"
        }
      }
    }]
  }
- Assign the role to the system group. For example, for a folder with the b1gvmob95yys******** ID:
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
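Two points on this page deserve a pre-flight check before a request is sent: set-access-bindings / setAccessBindings (in "Assign multiple roles") silently drops every binding you did not restate, and the alert in "Access to a resource for all users" forbids editor or admin for a system group. The Python below is an added example, not Yandex Cloud's code: it diffs the bindings list-access-bindings currently reports against the bindings you want, emits an updateAccessBindings body with explicit ADD/REMOVE deltas (REMOVE is the API's other accessBindingDeltas action) instead of a blind rewrite, and refuses risky public bindings. The sample bindings are constructed and reuse the page's masked IDs.

```python
import json

# Roles the page says must never be granted to a system group on a folder or cloud.
RISKY_PUBLIC_ROLES = {"editor", "admin"}
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample data; the masked IDs are the placeholders used on the page.
CURRENT_BINDINGS = [  # what `yc resource-manager folder list-access-bindings` reports today
    {"roleId": "viewer", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    {"roleId": "editor", "subject": {"id": "aje6o61dvog2********", "type": "serviceAccount"}},
]
DESIRED_BINDINGS = [  # the bindings the operator intends to end up with
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "helj89sfj80a********", "type": "userAccount"}},
]


def binding_key(binding):
    """Identity of a binding: (role, subject type, subject ID)."""
    subject = binding["subject"]
    return (binding["roleId"], subject["type"], subject["id"])


def risky_public_bindings(bindings):
    """Bindings that would give allUsers/allAuthenticatedUsers the editor or admin role."""
    return [b for b in bindings
            if b["subject"]["type"] == "system"
            and b["subject"]["id"] in SYSTEM_GROUPS
            and b["roleId"] in RISKY_PUBLIC_ROLES]


def plan_deltas(current, desired):
    """accessBindingDeltas that turn `current` into `desired`.

    ADD for bindings present only in `desired`, REMOVE for bindings present only
    in `current`. Each REMOVE is exactly a role that a setAccessBindings call with
    `desired` would have dropped without telling you.
    """
    have = {binding_key(b): b for b in current}
    want = {binding_key(b): b for b in desired}
    deltas = [{"action": "ADD", "accessBinding": want[k]}
              for k in sorted(want.keys() - have.keys())]
    deltas += [{"action": "REMOVE", "accessBinding": have[k]}
               for k in sorted(have.keys() - want.keys())]
    return deltas


def build_update_body(current, desired):
    """JSON body for folders/<folder_ID>:updateAccessBindings.

    Raises ValueError instead of producing a body that makes the folder public-writable.
    """
    risky = risky_public_bindings(desired)
    if risky:
        bad = risky[0]
        raise ValueError(f"refusing to grant {bad['roleId']} to system group {bad['subject']['id']}")
    return json.dumps({"accessBindingDeltas": plan_deltas(current, desired)}, indent=2)


if __name__ == "__main__":
    print(build_update_body(CURRENT_BINDINGS, DESIRED_BINDINGS))
```

Pass the printed body with `-d '@body.json'` exactly as in the curl calls above; a REMOVE you did not expect is the signal to stop and re-check the desired list.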