Managing container access rights
You can make a container public or private, view roles assigned to a container, revoke them, or assign new roles.
Making a container public
If you want any user to be able to invoke a container without passing the authorization header, make it public.
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To make a container public, run the command:
yc serverless container allow-unauthenticated-invoke <container_name>
Result:
done (1s)
Making a container private
For a container to be invoked only by users with rights to invoke it, make the container private.
Note
If all unauthorized users (the allUsers system group) of a cloud or folder are granted rights to invoke a container, the container will be public regardless of the settings. How to revoke a role.
To make a container private, run the command:
yc serverless container deny-unauthenticated-invoke <container_name>
Result:
done (1s)
Viewing roles assigned to a container
To view roles assigned to a container, run the command:
yc serverless container list-access-bindings --name=<container_name>
Result:
+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| editor  | system       | allAuthenticatedUsers |
+---------+--------------+-----------------------+
Note
Roles assigned to a folder or cloud are automatically inherited by a container. However, they don't appear in the list of assigned roles. Learn more about viewing roles.
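An added example, not part of the original documentation: a shell function that reads the table printed by list-access-bindings and reports roles granted directly on the container to the allUsers or allAuthenticatedUsers system groups. The function name flag_public_bindings and the sample rows are constructed for illustration; roles inherited from a folder or cloud do not appear in this output and are not covered.

```shell
#!/bin/sh
# Added example (not from the original page).
# Intended use, with the command shown above:
#   yc serverless container list-access-bindings --name=<container_name> | flag_public_bindings

# Prints "<subject><TAB><role>" for every binding whose subject is a
# system group open to all or to all authenticated users.
flag_public_bindings() {
    awk -F'|' '
        # Data rows start with "|"; border rows start with "+" and are skipped.
        /^[ \t]*\|/ {
            role = $2; type = $3; subject = $4
            gsub(/^[ \t]+|[ \t]+$/, "", role)
            gsub(/^[ \t]+|[ \t]+$/, "", type)
            gsub(/^[ \t]+|[ \t]+$/, "", subject)
            if (role == "ROLE ID") next    # header row
            if (type == "system" &&
                (subject == "allUsers" || subject == "allAuthenticatedUsers"))
                printf "%s\t%s\n", subject, role
        }
    '
}

# Constructed sample in the table format shown above. The first data row is
# the one from the page; the other two rows are made up for the example.
SAMPLE_BINDINGS='+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| editor  | system       | allAuthenticatedUsers |
| viewer  | userAccount  | <user_ID>             |
| viewer  | system       | allUsers              |
+---------+--------------+-----------------------+'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_BINDINGS" | flag_public_bindings
```

Each line of output names a binding to review and, if it is not intended, to revoke with remove-access-binding as described below.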
Assigning roles to a container
To assign a role to a container, run the command:
- User:
  yc serverless container add-access-binding \
    --name <container_name> \
    --user-account-id <user_ID> \
    --role <role>
  Result:
  done (1s)
- Service account:
  yc serverless container add-access-binding \
    --name <container_name> \
    --service-account-id <service_account_id> \
    --role <role>
  Result:
  done (1s)
- All authorized users (allAuthenticatedUsers system group):
  yc serverless container add-access-binding \
    --name <container_name> \
    --all-authenticated-users \
    --role <role>
  Result:
  done (1s)
Revoking roles assigned to a container
To revoke a role for a container, run the command:
- User:
  yc serverless container remove-access-binding \
    --name <container_name> \
    --user-account-id <user_ID> \
    --role <role>
  Result:
  done (1s)
- Service account:
  yc serverless container remove-access-binding \
    --name <container_name> \
    --service-account-id <service_account_id> \
    --role <role>
  Result:
  done (1s)
- All authorized users (allAuthenticatedUsers system group):
  yc serverless container remove-access-binding \
    --name <container_name> \
    --all-authenticated-users \
    --role <role>
  Result:
  done (1s)