Access management

Written by

About access management
What resources you can assign roles to
What roles exist in the service

In this section, you'll learn:

What resources you can assign roles to.
What roles exist in the service.

About access management

All transactions in Yandex.Cloud are checked by the Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.

To grant permission to a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, service account or system group. For more information, see How access management works in Yandex.Cloud.

Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.

What resources you can assign roles to

You can assign roles for a cloud, folder, and a function. Roles assigned to a cloud or folder also affect the functions that are located there.

What roles exist in the service

The list below shows all roles that are considered when verifying access rights in the Cloud Functions service.

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

resource-manager.clouds.owner

Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

serverless.functions.invoker

The serverless.functions.invoker role grants permission to run functions.

For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.

To find out how to assign this role, see Managing rights to access functions.

serverless.functions.admin

The serverless.functions.admin role grants all permissions to manage a function, including assigning roles to a function to other users.

The serverless.functions.admin role includes all permissions granted by the serverless.functions.invoker role.

To learn how to assign this role, see Managing rights to access functions.

viewer

The user with the viewer role can view information about resources, such as the list of functions or their versions and the function execution log.

editor

The user with the editor role can manage functions and their versions, such as creating or deleting a version or editing information about a function.

The editor role also includes all viewer role permissions.

admin

The user with the admin role can manage access rights to resources, such as allow other users to invoke functions or work with their versions.

The admin role also includes all editor role permissions.