Service control
Note
This feature is in the Preview stage.
Some Yandex Cloud services require access to other services' resources in the user's cloud. For example, Yandex Connection Manager requires permissions to create Yandex Lockbox secrets in the user's cloud to manage database connections, as well as permissions to manage the secrets thus created.
In Yandex Identity and Access Management, you can manage service access to resources in the cloud.
What is service control?
Service control is the set of access permissions a service needs to create and operate its resources in the user's cloud. Each Yandex Cloud service has a set of permissions of its own.
A cloud administrator can grant, revoke, suspend, and restore a particular service's access to resources in the cloud. For example, you can grant access only to services used in your cloud, and revoke access from unused services.
A service has permissions for resources only in the clouds where it has been granted access. In clouds where the service's access is revoked or suspended, the service has no permissions for resources.
If access that is vital to a service's operation is revoked or suspended in a given cloud, an attempt to create a resource in that service will be denied. To avoid this, grant the service access to resources in the cloud.
If a service has resources that use access to other services in the cloud, you cannot revoke that service's access to the cloud. In this case, you can suspend the service's access, but this may cause those resources to malfunction. To revoke a service's access to the cloud, first delete from the cloud all the resources that use access to other services' resources.
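A simplified model of the access lifecycle described above, added here as an illustration; it is not Yandex Cloud code, and the Cloud class, the service name, and the resource names are constructed. It shows why revoking is refused while dependent resources exist, whereas suspending succeeds but leaves the service without permissions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    GRANTED = "granted"
    SUSPENDED = "suspended"
    REVOKED = "revoked"  # also the initial state before access is ever granted


@dataclass
class Cloud:
    """Per-cloud state: each service's access status and its resources that rely on that access (constructed model)."""
    access: dict[str, Access] = field(default_factory=dict)
    dependent: dict[str, set[str]] = field(default_factory=dict)

    def status(self, service: str) -> Access:
        return self.access.get(service, Access.REVOKED)

    def grant(self, service: str) -> None:
        """Grant access, or restore it after a suspension."""
        self.access[service] = Access.GRANTED

    def suspend(self, service: str) -> None:
        """Always permitted, but the service loses its permissions until restored."""
        self.access[service] = Access.SUSPENDED

    def revoke(self, service: str) -> None:
        """Refused while any resource of the service still uses access to other services."""
        if self.dependent.get(service):
            raise PermissionError(f"{service}: delete dependent resources before revoking access")
        self.access[service] = Access.REVOKED

    def can_use(self, service: str) -> bool:
        """A service holds permissions in this cloud only while its access is granted."""
        return self.status(service) is Access.GRANTED

    def create_resource(self, service: str, name: str) -> bool:
        """Creating a resource that needs service access is denied unless access is granted."""
        if not self.can_use(service):
            return False
        self.dependent.setdefault(service, set()).add(name)
        return True
```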
What services can I manage in terms of access?
Currently you can manage the following services in terms of access:
In the future, cloud administrators will be able to manage access for all services that require permissions to resources of other Yandex Cloud services. With the YC CLI, you can get an up-to-date list of the services whose access you can manage.
Service access can be managed by users with the admin or owner roles for the cloud.