© 2022 Yandex.Cloud LLC

How access management works in Yandex Cloud

Written by
Yandex Cloud
  • How are access rights verified?
  • How do I perform access management?
    • Resources that roles can be assigned for
    • Role
    • Subjects that roles are assigned to
    • Assign access rights
    • Inheritance of access rights
    • Access control restrictions in the management console

This section explains how to manage access to your resources and how IAM checks access rights when a resource is used.

How are access rights verified?

All operations in Yandex Cloud are first sent for verification to IAM. For example:

  1. A user requests Yandex Compute Cloud to create a new disk in the default folder.
  2. The service sends a request to IAM to check whether this user is allowed to create disks in this folder.
  3. IAM checks that the user is a member of the cloud containing the default folder and holds the permissions required to create a disk in that folder.
  4. If the user lacks any of the required permissions, the operation is not performed and Yandex Cloud returns an error. If all the required permissions are granted, IAM reports this to the service.
  5. The service creates a new disk.

[Figure: checkPermissions.png, the permission check flow between the service and IAM]

How do I perform access management?

Access management in Yandex Cloud uses role-based access control (RBAC). To grant users access to a resource, you specify which roles are assigned to them for that resource.

To assign a role, select a resource, choose a role, and describe the subject assigned to the role. This lets you bind access rights to the resource.

You can also assign a role to a parent resource that access rights are inherited from, such as a folder or cloud.

Warning

It usually takes 5 seconds or less to update access rights. If a role has been assigned to you but you still don't have access, try repeating the operation.

For example, you were given the right to create folders in the cloud and were able to create one folder, but couldn't create another one. This happens because the access rights had not yet been updated on the server that handled the second create-folder operation. Try creating the folder again.

Resources that roles can be assigned for

You can currently assign roles for a cloud, folder, and other resources from the list.

If you need to grant access to a resource that isn't on the list (such as a VM), assign the role to the parent resource it inherits permissions from. VM permissions are inherited from their folder.

Role

Resource roles can be assigned by users with the administrator role for the resource, as well as the owners of the cloud that the resource belongs to.

Each role consists of a set of permissions that describe the operations that can be performed on the resource. A user can assign only roles whose permissions they hold themselves. For example, only a user with the cloud owner role can assign that same role; the administrator role is not enough.

To find out what roles exist and the permissions they include, see Roles.

Subjects that roles are assigned to

Roles are assigned to subjects. There are four types of subjects:

  • userAccount: A Yandex account added to Yandex Cloud.

  • serviceAccount: A service account created in Yandex Cloud.

    A service account can only be assigned roles for the resources of the cloud that the service account belongs to.

  • federatedUser: A user account from an identity federation, like Active Directory.

    A federated user can only be assigned roles for the resources of the cloud that the federation belongs to.

  • system: A system group.

Assign access rights

Roles are assigned to a resource as a list of role-subject pairs, called access bindings. You add or remove these bindings to control access rights to the resource.

[Figure: accessBindings.png, a resource with its list of access bindings]

Each binding is a single assignment of one role to one subject. To assign a user multiple roles for a resource, create a separate binding for each role.

Inheritance of access rights

If a resource has child resources, all permissions granted on the parent resource are inherited by the child resources. For example, if you assign a user a role for a folder where a VM instance resides, all permissions of that role also apply to the instance.

If a child resource is also assigned roles of its own, its permissions are combined with (unioned with) the permissions inherited from the parent resource. You can't restrict the permissions inherited from the parent.
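The following model ties together the permission check (the IAM verification steps above), access bindings as one-role-per-subject pairs, the rule that a user may only assign roles whose permissions they already hold, the restriction that service accounts receive roles only inside their own cloud, and the union-only inheritance just described. It is an added example written by the editor, not Yandex Cloud's implementation: the role names follow the page, but the permission strings, the "iam.accessBindings.update" permission used to gate binding changes, the service account registry and every subject and resource ID are constructed assumptions.

```python
"""Toy model of IAM access bindings, inheritance and permission checks.

Editor's example, not Yandex Cloud code. Permission identifiers, the
service-account registry and all IDs are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed role catalogue: each role builds on the previous one.
# Permission strings are assumptions shaped like "<service>.<resource>.<action>".
VIEWER = frozenset({"compute.disks.get", "compute.disks.list"})
EDITOR = VIEWER | {"compute.disks.create", "compute.disks.delete"}
ADMIN = EDITOR | {"iam.accessBindings.update"}        # may manage bindings
OWNER = ADMIN | {"resource-manager.clouds.delete"}    # only owners hold this
ROLES = {"viewer": VIEWER, "editor": EDITOR, "admin": ADMIN, "owner": OWNER}

SUBJECT_TYPES = {"userAccount", "serviceAccount", "federatedUser", "system"}
# Kinds that can carry bindings directly; a VM inherits from its folder instead.
BINDABLE_KINDS = {"cloud", "folder"}
# Constructed registry: the cloud each service account belongs to.
SERVICE_ACCOUNT_CLOUD = {"sa-ci": "cloud-a", "sa-other": "cloud-b"}


@dataclass(frozen=True)
class Subject:
    type: str
    id: str


@dataclass(frozen=True)
class AccessBinding:
    """One assignment of one role to one subject."""
    role: str
    subject: Subject


@dataclass
class Resource:
    id: str
    kind: str
    parent: Optional["Resource"] = None
    bindings: list = field(default_factory=list)

    def root_cloud(self) -> "Resource":
        node = self
        while node.parent is not None:
            node = node.parent
        return node


def effective_permissions(resource: Resource, subject: Subject) -> frozenset:
    """Union of the subject's role permissions on the resource and all ancestors.
    Nothing on a child can remove what a parent grants."""
    perms = set()
    node = resource
    while node is not None:
        for b in node.bindings:
            if b.subject == subject:
                perms |= ROLES[b.role]
        node = node.parent
    return frozenset(perms)


def check_permission(resource: Resource, subject: Subject, permission: str) -> bool:
    """The question a service asks IAM before performing an operation."""
    return permission in effective_permissions(resource, subject)


def can_assign(resource: Resource, binding: AccessBinding, granter: Subject) -> bool:
    """Granter must be able to manage bindings here and must already hold every
    permission of the role being granted (an admin cannot hand out owner)."""
    granter_perms = effective_permissions(resource, granter)
    return ("iam.accessBindings.update" in granter_perms
            and ROLES[binding.role] <= granter_perms)


def add_binding(resource: Resource, binding: AccessBinding, granter: Subject) -> None:
    if resource.kind not in BINDABLE_KINDS:
        raise ValueError(f"roles cannot be assigned directly for a {resource.kind}")
    if binding.subject.type not in SUBJECT_TYPES:
        raise ValueError(f"unknown subject type {binding.subject.type}")
    if binding.subject.type == "serviceAccount":
        # A service account may only hold roles for resources of its own cloud.
        if SERVICE_ACCOUNT_CLOUD.get(binding.subject.id) != resource.root_cloud().id:
            raise ValueError("service account belongs to a different cloud")
    if not can_assign(resource, binding, granter):
        raise PermissionError(f"{granter.id} may not assign {binding.role}")
    resource.bindings.append(binding)


def build_demo():
    """Cloud -> default folder -> VM, with constructed subjects."""
    cloud = Resource("cloud-a", "cloud")
    folder = Resource("default", "folder", parent=cloud)
    vm = Resource("vm-1", "vm", parent=folder)
    alice = Subject("userAccount", "alice")   # bootstrapped cloud owner
    carol = Subject("userAccount", "carol")   # cloud admin, assigned by alice
    cloud.bindings.append(AccessBinding("owner", alice))
    add_binding(cloud, AccessBinding("admin", carol), granter=alice)
    add_binding(folder, AccessBinding("editor", Subject("serviceAccount", "sa-ci")),
                granter=carol)
    return cloud, folder, vm


if __name__ == "__main__":
    cloud, folder, vm = build_demo()
    ci = Subject("serviceAccount", "sa-ci")
    print(check_permission(vm, ci, "compute.disks.create"))        # inherited from folder
    print(check_permission(vm, ci, "iam.accessBindings.update"))   # editor never gets this
```

Walking from the VM up to the cloud and taking the union is what makes inheritance additive: a binding on the folder can add permissions for the VM but can never subtract any granted on the cloud, which is why a least-privilege layout keeps broad roles at the cloud level to a minimum and grants service accounts their roles on the narrowest folder that holds the resources they need.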

Access control restrictions in the management console

Some restrictions apply to assigning roles in the management console:

  • You can't assign roles to a system group.
  • You can only assign cloud and folder roles to users with a Yandex account or a federated account.
  • You can only assign a role for the folder where the service account was created.
  • You can't assign roles to multiple subjects at once, unlike in the API or CLI. In the management console, you should first select the subject (user or service account), and then assign roles to it.

See also

For more information about managing access to a specific Yandex Cloud service, see the Access management section in the documentation for that service.

Step-by-step instructions and examples:

  • Assigning roles
  • Revoking a role for a resource
  • Assigning roles to a service account
  • Setting up access rights for service accounts
  • Setting up cloud access rights
  • Setting up folder access rights
