Access management in Cloud CDN
Cloud CDN uses roles to manage access rights.
In this section, you'll learn:
- Which resources you can assign roles to.
- Which roles exist in the service.
- Which roles are required for particular actions.
About access management
All transactions in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the
resource-manager.clouds.owner role for a resource can assign roles for this resource.
What resources you can assign roles to
As with other services, you can assign roles for clouds, folder and service accounts. The roles assigned for clouds and folders also apply to nested resources.
What roles exist in the service
The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the
editor role includes all
viewer role permissions. A description of each role is given under the diagram.
Active roles in the service:
cdn.viewer: Enables the user to view CDN resources and origin groups.
cdn.editor: Enables you to view, create, modify and delete CDN resources and origin groups, as well as activate origin shielding and log export for CDN resources.
cdn.admin: Enables you to view, create, modify, and delete CDN resources and origin groups, as well as activate origin shielding and log export for CDN resources. The role will acquire additional features at a later date.
What roles do I need
The table below lists the roles needed to perform a given action. You can always assign a role granting more permissions than the role specified. For example, you can assign
editor instead of
|View information about any resource||
|Manage CDN resources|
|Create a resource||
|Change a resource's basic settings||
|Disable a resource||
|Configure resource caching||
|Pre-fetch files to CDN servers||
|Clear a resource cache||
|Configure HTTP Request and Response headers||
|Configure CORS responses to clients||
|Configure HTTP methods||
|Enable file compression||
|Enable file segmentation||
|Manage origin groups|
|Create an origin group||
|Change an origin group||
|Connect an origin group to a resource||
|Delete an origin group||
|Manage paid features|
|Manage resource access|
|Grant a role, revoke a role, and view roles granted for the resource||