Yandex project
© 2023 Intertech Services AG

Access management in Cloud CDN

Written by
Yandex Cloud

Cloud CDN uses roles to manage access rights.

In this section, you'll learn:

  • Which resources you can assign roles to.
  • Which roles exist in the service.
  • Which roles are required for particular actions.

About access management

All operations in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.

To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.

Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.

What resources you can assign roles to

As with other services, you can assign roles for clouds, folders, and service accounts. The roles assigned for clouds and folders also apply to nested resources.

What roles exist in the service

The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.

Active roles in the service:

  • Service roles:

    • cdn.viewer: Enables you to view CDN resources and origin groups.

    • cdn.editor: Enables you to view, create, modify and delete CDN resources and origin groups, as well as activate origin shielding and log export for CDN resources.

    • cdn.admin: Enables you to view, create, modify, and delete CDN resources and origin groups, as well as activate origin shielding and log export for CDN resources. The role will acquire additional features at a later date.

  • Primitive roles:

    • viewer: Only lets you view information about the resources.

    • editor: Lets you manage resources (create, edit, and delete).

    • admin: Lets you manage resources and access to them.

What roles do I need

The table below lists the roles needed to perform a given action. You can always assign a role granting more permissions than the role specified. For example, you can assign editor instead of viewer.

| Action | Required roles |
| --- | --- |
| View data | |
| View information about any resource | cdn.viewer for this resource |
| Manage CDN resources | |
| Create a resource | cdn.editor for the folder where the resources will be created |
| Change a resource's basic settings | cdn.editor for the folder with CDN resources |
| Disable a resource | cdn.editor for the folder with CDN resources |
| Configure resource caching | cdn.editor for the folder with CDN resources |
| Pre-fetch files to CDN servers | cdn.editor for the folder with CDN resources |
| Clear a resource cache | cdn.editor for the folder with CDN resources |
| Configure HTTP Request and Response headers | cdn.editor for the folder with CDN resources |
| Configure CORS responses to clients | cdn.editor for the folder with CDN resources |
| Configure HTTP methods | cdn.editor for the folder with CDN resources |
| Enable file compression | cdn.editor for the folder with CDN resources |
| Enable file segmentation | cdn.editor for the folder with CDN resources |
| Manage origin groups | |
| Create an origin group | cdn.editor for the folder with an origin group |
| Change an origin group | cdn.editor for the folder with an origin group |
| Connect an origin group to a resource | cdn.editor for the folder with the CDN resource |
| Delete an origin group | cdn.editor for the folder with an origin group |
| Manage paid features | |
| Origin shielding | cdn.editor for the folder with CDN resources |
| Exporting logs | cdn.editor for the folder with CDN resources |
| Manage resource access | |
| Grant a role, revoke a role, and view roles granted for the resource | admin for the resource |
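
The required-roles table, together with the rule that roles assigned for clouds and folders also apply to nested resources, can be turned into a least-privilege check over access bindings. The following is an added example, not Yandex Cloud code: the scope, subject, and action names are constructed, and treating a primitive role as covering the same-level cdn.* role is an assumption, since the inheritance diagram is not reproduced on this page.

```python
# Added example (not Yandex Cloud code): least-privilege audit of access bindings.
# Minimum role per action, taken from the required-roles table on this page.
REQUIRED = {
    "view": "cdn.viewer",
    "create_resource": "cdn.editor",
    "purge_cache": "cdn.editor",
    "export_logs": "cdn.editor",
    "grant_role": "admin",
}
# Which minimum roles each role satisfies. The cdn.* rows follow the role
# descriptions on the page; the primitive rows are an ASSUMPTION.
COVERS = {
    "cdn.viewer": {"cdn.viewer"},
    "cdn.editor": {"cdn.viewer", "cdn.editor"},
    "cdn.admin": {"cdn.viewer", "cdn.editor"},
    "viewer": {"cdn.viewer"},
    "editor": {"cdn.viewer", "cdn.editor"},
    "admin": {"cdn.viewer", "cdn.editor", "admin"},
}
PRIMITIVE = {"viewer", "editor", "admin"}

# Constructed sample data: one cloud with two folders, three subjects.
PARENT = {"folder:web": "cloud:prod", "folder:logs": "cloud:prod"}
BINDINGS = [
    ("cloud:prod", "user:alice", "admin"),
    ("folder:web", "sa:deployer", "cdn.editor"),
    ("folder:web", "sa:dashboard", "editor"),
]

def roles_on(subject, folder, bindings=BINDINGS):
    """Roles held on the folder itself or inherited from its parent cloud."""
    scopes = {folder, PARENT.get(folder)}
    return {r for scope, s, r in bindings if s == subject and scope in scopes}

def allowed(subject, action, folder, bindings=BINDINGS):
    """True if any effective role satisfies the action's minimum role."""
    need = REQUIRED[action]
    return any(need in COVERS[r] for r in roles_on(subject, folder, bindings))

def excess(needs, bindings=BINDINGS):
    """Bindings that grant more than the subject's declared actions require."""
    out = []
    for scope, subject, role in bindings:
        wanted = {REQUIRED[a] for a in needs.get(subject, ())}
        reach = set().union(*(COVERS[w] for w in wanted))
        # A primitive role is broader than CDN unless role management is needed.
        if (role in PRIMITIVE and "admin" not in wanted) or COVERS[role] - reach:
            out.append((scope, subject, role))
    return out
```

Calling `excess` with each subject's declared actions returns the bindings to narrow, for example a dashboard service account that only views data but holds the primitive editor role.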

What's next

  • How to assign a role.
  • How to revoke a role.
  • Learn more about access management in Yandex Cloud.
  • More information on inheriting roles.
