Access management
In this section, you'll learn:
- What resources you can assign roles to.
- What roles exist in the service.
- What roles are required for particular actions.
About access management
All transactions in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.
What resources you can assign roles to
As with other services, you can assign roles for clouds, folder and service accounts. The roles assigned for clouds and folders also apply to nested resources.
What roles exist in the service
The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.
Active roles in the service:
-
Service roles:
-
cdn.viewer: Enables the user to view CDN resources and origin groups. -
cdn.editor: Enables you to view, create, modify and delete CDN resources and origin groups, as well as activate origin shielding and log export for CDN resources. -
cdn.admin: Enables you to view, create, modify, and delete CDN resources and origin groups, as well as activate origin shielding and log export for CDN resources. The role will acquire additional features at a later date.
-
-
Primitive roles:
What roles do I need
The table below lists the roles needed to perform a given action. You can always assign a role granting more permissions than the role specified. For example, you can assign editor instead of viewer.
| Action | Required roles |
|---|---|
| View data | |
| View information about any resource | cdn.viewer for this resource |
| Manage CDN resources | |
| Create a resource | cdn.editor for the folder where the resources will be created |
| Change a resource's basic settings | cdn.editor for the folder with CDN resources |
| Disable a resource | cdn.editor for the folder with CDN resources |
| Configure resource caching | cdn.editor for the folder with CDN resources |
| Pre-fetch files to CDN servers | cdn.editor for the folder with CDN resources |
| Clear a resource cache | cdn.editor for the folder with CDN resources |
| Configure HTTP Request and Response headers | cdn.editor for the folder with CDN resources |
| Configure CORS responses to clients | cdn.editor for the folder with CDN resources |
| Configure HTTP methods | cdn.editor for the folder with CDN resources |
| Enable file compression | cdn.editor for the folder with CDN resources |
| Enable file segmentation | cdn.editor for the folder with CDN resources |
| Manage origin groups | |
| Create an origin group | cdn.editor for the folder with an origin group |
| Change an origin group | cdn.editor for the folder with an origin group |
| Connect an origin group to a resource | cdn.editor for the folder with the CDN resource |
| Delete an origin group | cdn.editor for the folder with an origin group |
| Manage paid features | |
| Origin shielding | cdn.editor for the folder with CDN resources |
| Exporting logs | cdn.editor for the folder with CDN resources |
| Manage resource access | |
| Assign, revoke, and view roles granted for the resource | admin for the resource |