© 2023 Yandex.Cloud LLC

Yandex Identity and Access Management overview

Written by
Yandex Cloud
  • Resource access
  • Accounts in Yandex Cloud
    • Yandex account
    • Service account
    • Federated account
  • Authorization keys
  • Authorization

The IAM service controls access to resources and lets you configure access rights. You determine who should have rights for a certain resource and what these rights are, while IAM grants access according to the assigned rights.

With IAM, you can:

  • Grant access to resources.
  • Manage accounts in Yandex Cloud.
  • Manage authorization keys.
  • Log in to Yandex Cloud.

Resource access

To grant a user access to a resource, you assign them roles for the resource. Each role consists of a set of permissions that describe operations that can be performed with the resource.

Before performing an operation with a certain resource (for example, creating a VM), Yandex Cloud sends a request to the IAM service to check whether this operation is allowed. IAM compares the list of required permissions to the list of permissions granted to the user who is performing this operation. If some of the permissions are missing, the operation is not allowed and Yandex Cloud returns an error. For more information, see How access management works in Yandex Cloud.
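The check described above can be modeled in a few lines. This is an added example, not Yandex Cloud code: the role names, permission names, operations and subjects are all constructed for illustration and are not real Yandex Cloud identifiers.

```python
# Added illustration: a minimal model of the permission check.
# All role, permission and subject names are constructed, not Yandex Cloud identifiers.
from dataclasses import dataclass, field

# Each role is a set of permissions (constructed).
ROLES = {
    "demo.vm.viewer": {"vm.get", "vm.list"},
    "demo.vm.operator": {"vm.get", "vm.list", "vm.start", "vm.stop"},
    "demo.vm.creator": {"vm.create", "disk.create", "network.use"},
}

# Permissions each operation requires (constructed).
REQUIRED = {
    "create_vm": {"vm.create", "disk.create", "network.use"},
    "stop_vm": {"vm.get", "vm.stop"},
}

@dataclass
class Resource:
    name: str
    # subject ID -> set of role names assigned for this resource
    bindings: dict = field(default_factory=dict)

    def assign(self, subject, role):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.bindings.setdefault(subject, set()).add(role)

def granted_permissions(resource, subject):
    """Union of the permissions of every role the subject holds on the resource."""
    perms = set()
    for role in resource.bindings.get(subject, ()):
        perms |= ROLES[role]
    return perms

def authorize(resource, subject, operation):
    """Return (allowed, missing). Unknown operations and subjects are denied."""
    required = REQUIRED.get(operation)
    if required is None:
        return False, set()
    missing = required - granted_permissions(resource, subject)
    return not missing, missing

folder = Resource("demo-folder")
folder.assign("alice", "demo.vm.operator")
folder.assign("sa-deployer", "demo.vm.creator")

for who, op in [("alice", "stop_vm"), ("alice", "create_vm"),
                ("sa-deployer", "create_vm"), ("bob", "stop_vm")]:
    allowed, missing = authorize(folder, who, op)
    print(f"{who:12} {op:10} -> {'ALLOW' if allowed else 'DENY'} missing={sorted(missing)}")
```

The operation is allowed only when the set of missing permissions is empty, so a subject with no role on the resource is denied by default.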

Accounts in Yandex Cloud

To identify users performing operations with resources, use Yandex accounts, service accounts, or federated accounts.

Note

Billing accounts aren't used for managing resources in Yandex Cloud and aren't part of IAM. For more information, see Billing accounts in the documentation.

Yandex account

A Yandex account is your Yandex or Yandex 360 account.

Note

To better safeguard your resources from unauthorized access, we recommend enabling two-factor authentication in Yandex.Passport. Use this method to secure your own account and ask every user you add to your cloud to enable two-factor authentication as well.

Service account

A service account is an account that can be used by a program to manage resources in Yandex Cloud.

By using service accounts you can flexibly configure access rights to resources for programs you wrote. For more information, see Service accounts.

Federated account

A federated account is a user account from an identity federation, like Active Directory.

By using identity federations, a company can set up Single Sign-On (SSO), so that authentication in Yandex Cloud goes through the company's own server. This lets company employees use their corporate accounts to access Yandex Cloud.

For more information, see SAML-compatible identity federations.

Authorization keys

There are three different kinds of authorization keys in Yandex Cloud:

  • API keys: Used instead of IAM tokens for simplified authorization.
  • Authorized keys: Used to obtain IAM tokens for service accounts.
  • Static access keys: Used in services with AWS-compatible APIs.

These keys are currently only used for service accounts.

Authorization

The user must pass authentication so that IAM can authorize them (i.e., check whether the user has rights). Authentication is performed in different ways, depending on the type of account and the interface used. For more information, see Authorization in Yandex Cloud.
