Yandex.Cloud
  • Services
  • Why Yandex.Cloud
  • Solutions
  • Pricing
  • Documentation
  • Contact us
Get started
Yandex Cloud Functions
  • Getting started
    • Overview
    • Creating a function
      • Overview
      • Python
      • Node.js
      • PHP
      • Go
      • Bash
    • Creating a trigger
      • Overview
      • Timer
      • Trigger for Message Queue
      • Trigger for Object Storage
      • Trigger for Container Registry
      • Trigger for Cloud Logs
      • Trigger for Yandex IoT Core
  • Step-by-step instructions
    • All instructions
    • Using functions to get an IAM token for a service account
    • Managing rights to access functions
    • Managing functions
      • Creating a function
      • Managing function versions
      • Working in the code editor
      • Invoking a function
      • Updating a function
      • View monitoring charts
      • Viewing the execution log
      • Delete function
    • Managing triggers
      • Getting information about a trigger
      • Creating a timer
      • Creating a trigger for Message Queue
      • Creating a trigger for Object Storage
      • Creating a trigger for Container Registry
      • Creating a trigger for Cloud Logs
      • Creating a trigger for Yandex IoT Core
      • Updating a trigger
      • Deleting a trigger
  • Concepts
    • Overview
    • Function
    • Invoking a function
    • Runtime environment
      • Overview
      • Environment
      • Execution context
    • Builder
    • Trigger
      • Overview
      • Timer
      • Trigger for Message Queue
      • Trigger for Object Storage
      • Trigger for Container Registry
      • Trigger for Cloud Logs
      • Trigger for Yandex IoT Core
    • Dead Letter Queue
    • Log groups
    • Monitoring
    • Backups
    • Quotas and limits
  • Developing in Node.js
    • Overview
    • Managing dependencies
    • Request handler
    • Invocation context
    • Logging
    • Handling errors
    • Using the SDK
  • Developing in Python
    • Overview
    • Managing dependencies
    • Request handler
    • Invocation context
    • Logging
    • Handling errors
    • Using the SDK
  • Developing in Go
    • Overview
    • Managing dependencies
    • Request handler
    • Invocation context
    • Logging
    • Handling errors
    • Using the SDK
  • Developing in PHP
    • Overview
    • Managing dependencies
    • Request handler
    • Invocation context
    • Logging
    • Handling errors
  • Developing in Bash
    • Overview
    • Request handler
    • Logging
    • Handling errors
    • Using the SDK
  • Developing in Java
    • Overview
    • Programming model
      • Overview
      • Function interface
      • YcFunction interface
      • HttpServlet class
      • Spring Boot
    • Managing dependencies
    • Request handler
    • Invocation context
    • Logging
    • Handling errors
    • Using the SDK
  • Developing in R
    • Overview
    • Programming model
    • Managing dependencies
    • Request handler
    • Invocation context
    • Logging
    • Handling errors
  • Developing in C#
    • Overview
    • Programming model
      • Overview
      • Function interface
      • YcFunction interface
    • Managing dependencies
    • Request handler
    • Invocation context
    • Logging
    • Handling errors
    • Using the SDK
  • Use cases
    • Creating skills for Alice
  • Pricing policy
  • Access management
  • API Functions reference
    • Authentication in the API
    • gRPC
      • Обзор
      • FunctionService
      • OperationService
    • REST
      • Обзор
      • Function
        • Обзор
        • create
        • createVersion
        • delete
        • get
        • getVersion
        • getVersionByTag
        • list
        • listAccessBindings
        • listOperations
        • listRuntimes
        • listTagHistory
        • listVersions
        • removeTag
        • setAccessBindings
        • setTag
        • update
        • updateAccessBindings
  • API Triggers reference
    • Authentication in the API
    • gRPC
      • Обзор
      • TriggerService
      • OperationService
    • REST
      • Обзор
      • Trigger
        • Обзор
        • create
        • delete
        • get
        • list
        • listOperations
        • update
  • Questions and answers
  1. Access management

Access management

  • Assigning roles
  • Roles
    • resource-manager.clouds.member
    • resource-manager.clouds.owner
    • serverless.functions.invoker
    • viewer
    • editor
    • admin

Yandex.Cloud users can only perform operations on resources that are allowed by the roles assigned to them.
If a user doesn't have any roles assigned, almost all operations are forbidden.

To allow access to Cloud Functions service resources (functions and their versions), assign users applicable roles from the list below. For now, a role can be assigned for a parent resource (folder or cloud) or a function.

Note

For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.

Assigning roles

To assign a user a role:

  1. Open the Access management page for the selected cloud. If necessary, switch to another cloud.

  2. Select the user to assign the role to, click , and choose Configure roles.

  3. To add a cloud role, click in the Roles for cloud section.

    To add a folder role, select the folder and click Assign role in the Roles in folders section.

  4. Choose a role from the list.

Roles

The list below shows all roles that are considered when verifying access rights in the Cloud Functions service.

resource-manager.clouds.member

When a new user is added to the cloud, they are automatically assigned the role of cloud member: resource-manager.clouds.member.

Everyone needs this role to access the cloud resources, except the cloud owners and service accounts.

This role alone doesn't give you the right to perform any operations and is only used in combination with other roles, such as admin, editor, or viewer.

resource-manager.clouds.owner

Theresource-manager.clouds.owner is assigned for the cloud and makes the user the owner of the cloud. The owner can perform any operation with the cloud and its resources.

Only the cloud owner can assign users the resource-manager.clouds.owner role.

A cloud must have at least one owner. The sole owner of a cloud may not give up this role.

serverless.functions.invoker

The serverless.functions.invoker role grants permission to run functions.

For now, a role can only be assigned for a parent resource (folder or cloud), and roles are inherited by nested resources.

To find out how to assign this role, see Managing rights to access functions.

viewer

The user with the viewer role can view information about resources, such as the list of functions or their versions and the function execution log.

editor

The user with the editor role can manage functions and their versions, such as creating or deleting a version or editing information about a function.

The editor role also includes all viewer role permissions.

admin

The user with the admin role can manage access rights to resources, such as allow other users to invoke functions or work with their versions.

The admin role also includes all editor role permissions.

In this article:
  • Assigning roles
  • Roles
  • resource-manager.clouds.member
  • resource-manager.clouds.owner
  • serverless.functions.invoker
  • viewer
  • editor
  • admin
Language / Region
Careers
Privacy policy
Terms of use
Brandbook
© 2021 Yandex.Cloud LLC