Access management in Yandex Cloud Billing
Billing account access
Billing account access is provided through the Yandex Cloud Billing service. A billing account can be created by users with a registered Yandex or Yandex 360 account:
- If you have not created an account for yourself or an employee yet, create one in Yandex or Yandex 360.
- If you use a social network profile to log in to Yandex, create a username and password.
The operations a user can perform on a billing account are determined by the role assigned to them. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group.
Note
Access can only be granted to a user whose billing account has a cloud linked in Identity and Access Management.
Which roles exist in the service
Service roles
Service roles are roles that provide access to Yandex Cloud Billing:
billing.accounts.memberis granted automatically when a user is added to Yandex Cloud Billing. It is required to display the selected billing account in the list of all user accounts.billing.accounts.owneris granted automatically when you create a billing account. The role granted when creating an account cannot be revoked, but it can be assigned to other users and revoked from them.billing.accounts.vieweris assigned for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.billing.accounts.editoris assigned for a billing account. It enables you to get payment invoices, activate promo codes, link clouds and services to your billing account, create details export and budgets, generate reconciliation reports, and reserve resources. This role includes thebilling.accounts.viewerrole.billing.accounts.adminis assigned for a billing account. It enables you to manage billing account access permissions (except for thebilling.accounts.ownerrole). It includes thebilling.accounts.editorrole.billing.accounts.varWithoutDiscountsis assigned for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts. This role includes thebilling.partners.editorrole.billing.partners.editoris assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.
Primitive roles
Primitive roles are aggregator roles that define user permissions to access services. In Yandex Cloud Billing, these roles match the following billing.accounts.* roles:
auditor: Same asbilling.accounts.viewerwith some limitations.viewer: Same asbilling.accounts.viewer.editor: Same asbilling.accounts.editor.admin: Same asbilling.accounts.admin.
Primitive roles can only be assigned to users in the Users list.
The table below provides a list of operations available to each role.
| Operations | member |
owner |
viewer |
editor |
admin |
|---|---|---|---|---|---|
| Displaying a billing account in the list of all user accounts | |||||
| Viewing billing account information | |||||
| Viewing and receiving usage notifications | |||||
| Viewing and downloading reporting (closing) documents | |||||
| Viewing and downloading generated reconciliation reports | |||||
| Checking expenses | |||||
| Accessing usage details | |||||
| Activating promo codes | |||||
| Topping up your personal account using a bank account | |||||
| Linking clouds to billing accounts | |||||
| Creating details export | |||||
| Creating budget | |||||
| Generating a new reconciliation report | |||||
| Resource allocation | |||||
| Assigning roles to billing accounts | |||||
| Viewing and editing roles | |||||
| Renaming a billing account | |||||
| Changing payer contact details | |||||
| Changing billing details | |||||
| Changing bank cards | |||||
| Changing payment methods | |||||
| Activating trial period | |||||
| Activating paid version | |||||
| Topping up your personal account using a bank card |
Adding a user
A user who is granted the billing.accounts.admin role can add any Yandex Cloud user or service account to the Users list. To do this:
- Open the Yandex Cloud management console.
- In the top-left corner, click All services.
- Select Yandex Cloud Billing.
- Select an account on the Accounts page.
- Go to the Access management page.
- Click Add user.
- Select a user from the drop-down list. The list shows users whose clouds are linked to your billing account.
- Click Add.
The user or service account is assigned the billing.accounts.member role and added to the Users list. To grant billing account access, assign them the required role.
Assigning roles
Users with the billing.accounts.admin role can grant access to the billing account to any user or service account on the Users list. To do this:
- In the top-left corner of the management console, click and select Yandex Cloud Billing.
- Select an account on the Accounts page.
- Go to the Access management page.
- Find the user or service account in the list.
- Click and select Configure roles.
- Click Assign role.
- Select a role from the list. The role is assigned without expiration.
Revoking roles
A user with the billing.accounts.admin role can revoke roles from users or service accounts on the list at any time. To do this:
- In the top-left corner of the management console, click and select Yandex Cloud Billing.
- Select an account on the Accounts page.
- Go to the Access management page.
- Find the user or service account in the list.
- Click and select Configure roles.
- Click next to the role to be invoked. The role is revoked.
Note
If the billing.accounts.member role is revoked from a user, they will not be able to access the billing account.
Deleting users
- In the top-left corner of the management console, click and select Yandex Cloud Billing.
- Select an account on the Accounts page.
- Go to the Access management page.
- Find the user or service account in the list.
- Click and select Remove user.
- This deletes the user from the list of the billing account users.