Assigning a role for a resource
To provide access to a resource, assign the user a role for the resource itself or for a resource from which access privileges are inherited, such as a folder or a cloud. For more information, see How access management works in Yandex Cloud.
- In the management console, select the folder where you want to assign a role for a resource.
- In the list of services, select Container Registry.
- Assign a role for the resource.
  - Assigning roles for a registry:
    - To the right of the registry name, click
    - In the window that opens, select a group, a user, or a service account and click Add.
    - In the Permissions drop-down list, select the required roles.
    - Click Save.
  - Assigning roles for a repository:
    - Select the repository.
    - To the right of the repository name, click
    - In the window that opens, select a group, a user, or a service account and click Add.
    - In the Permissions drop-down list, select the required roles.
    - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- Choose a role from the list.
- Assign the role:
  - To add the role to the existing permissions, run the command:

    yc <service_name> <resource> add-access-binding <resource_name_or_ID> \
      --role <role_ID> \
      --subject userAccount:<user_ID>

  - To add the role and delete all the existing permissions, run the command:

    yc <service_name> <resource> set-access-bindings <resource_name_or_ID> \
      --role <role_ID> \
      --subject userAccount:<user_ID>

  Where:
  - <service_name>: container service name.
  - <resource>: Category of the resource (registry or repository).
  - <resource_name_or_ID>: Name or ID of the resource the role is assigned for.
  - --role: Role ID.
  - --subject: ID of the group, user, or service account the role is assigned to.

  Example. Add the container-registry.admin role for the registry with the crp0pmf1n68d******** ID to the user with the kolhpriseeio******** ID:

  yc container registry add-access-binding crp0pmf1n68d******** \
    --role container-registry.admin \
    --subject userAccount:kolhpriseeio********
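The two commands above differ in what they do to bindings already on the resource, so it helps to preview the effect before replacing anything. The following Python sketch is an added example, not part of the Yandex Cloud documentation or tooling: it compares the two operations against a saved binding list. The JSON field names, the `--format json` output shape, and all subject IDs are assumptions constructed for illustration.

```python
import json

# Constructed sample of what
#   yc container registry list-access-bindings <registry_name_or_ID> --format json
# is assumed to print; the field names role_id / subject.type / subject.id
# are an assumption, and every ID below is made up.
CURRENT_JSON = """[
 {"role_id": "container-registry.admin",
  "subject": {"type": "userAccount", "id": "alice-constructed"}},
 {"role_id": "container-registry.images.puller",
  "subject": {"type": "serviceAccount", "id": "ci-constructed"}},
 {"role_id": "container-registry.images.pusher",
  "subject": {"type": "serviceAccount", "id": "ci-constructed"}}
]"""

def load_bindings(text):
    """Return bindings as a set of (role_id, 'type:id') pairs."""
    return {(b["role_id"], "{type}:{id}".format(**b["subject"]))
            for b in json.loads(text)}

def plan_add(current, role, subject):
    """add-access-binding: existing bindings stay, the new one is added."""
    return {"removed": set(), "result": current | {(role, subject)}}

def plan_set(current, role, subject):
    """set-access-bindings: the given binding replaces all existing ones."""
    result = {(role, subject)}
    return {"removed": current - result, "result": result}

def lost_subjects(plan):
    """Subjects left with no role at all on the resource after the change."""
    kept = {subject for _, subject in plan["result"]}
    return sorted({subject for _, subject in plan["removed"]} - kept)

def holders(plan, role):
    """Subjects that still hold `role` after the change."""
    return sorted(s for r, s in plan["result"] if r == role)

if __name__ == "__main__":
    current = load_bindings(CURRENT_JSON)
    new = ("container-registry.images.puller", "userAccount:bob-constructed")
    for name, plan in (("add-access-binding", plan_add(current, *new)),
                       ("set-access-bindings", plan_set(current, *new))):
        print(name)
        for role, subject in sorted(plan["removed"]):
            print("  would remove:", role, subject)
        print("  lose all access:", lost_subjects(plan))
        print("  admins left:", holders(plan, "container-registry.admin"))
```

The preview covers only bindings set on the resource itself; roles inherited from the folder or cloud are not in this list and are unaffected by either command.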
- If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Describe the following in a configuration file:
  - Parameters of the yandex_container_registry_iam_binding resource to assign a role for a registry:
    - registry_id: ID of the registry for which a role is assigned. You can retrieve registry ID from the folder registry list.
    - role: Role ID.
    - members: ID of the user, group, or service account the role is being assigned to.

    Here is an example of the configuration file structure:

    resource "yandex_container_registry_iam_binding" "puller" {
      registry_id = "<registry_ID>"
      role        = "<role_ID>"
      members = [
        "userAccount:<user_ID>",
      ]
    }

    For more information about the yandex_container_registry_iam_binding resource, see the provider documentation.
  - Parameters of the yandex_container_repository_iam_binding resource to assign a role for a repository:
    - repository_id: ID of the repository for which a role is assigned.
    - role: Role ID.
    - members: ID of the user, group, or service account the role is being assigned to.

    Here is an example of the configuration file structure:

    resource "yandex_container_repository_iam_binding" "pusher" {
      repository_id = "<repository_ID>"
      role          = "<role_ID>"
      members = [
        "userAccount:<user_ID>",
      ]
    }

    For more information about the yandex_container_repository_iam_binding resource, see the provider documentation.
- Run a check using this command:

  terraform plan

  The terminal will display a list of resources with parameters. This is a test step; no resources will be created. If the configuration contains any errors, Terraform will point them out.

  Alert
  You will be charged for all the resources created with Terraform. Check the pricing plan carefully.
- Apply the configuration changes:

  terraform apply

- Confirm changing the resources: enter yes in the terminal window and press Enter.

  You can check that the role has been assigned using the management console or the CLI command:
  - Registry:

    yc container registry list-access-bindings <registry_name_or_ID>

  - Repository:

    yc container repository list-access-bindings <repository_name_or_ID>

To assign a user, service account, or group a role for access to a resource, use the updateAccessBindings method for the registry and repository resources.
Read more about role management in the Yandex Identity and Access Management documentation.