Viewing assigned roles
To view the permissions granted to an account for a resource, retrieve the list of roles assigned for the resource and its parent resources. Assigned roles will be inherited by child resources from their parent resources. For example, if you want to find out what permissions an account has for the folder, look at the roles:
- For that folder.
- For the cloud that the folder belongs to.
- For the organization that the cloud belongs to.
You can view a list of inherited roles for the folder or the cloud in the management console, in the Access bindings section of the corresponding folder or cloud.
In the management console, you can view roles only for the folder, cloud, or organization. To view roles for other resources, use the CLI or API.
To view the roles of a user with a Yandex account, federated user, or service account:
- On the left-hand panel, select a cloud.
- Click the Access bindings tab.
- Find the required user in the list. Assigned roles are specified in the Roles column.
For the service account, in the management console you can only view the roles for the folder where the service account was created (to view roles for other resources, use the CLI or API):
- In the management console, select the folder the service account belongs to.
- At the top of the screen, go to the Service accounts tab.
- The service account's roles for the current folder are listed in the Roles in folder column.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- Get your account ID:
- Get the resource ID or name.
- View the roles assigned for a resource:
    yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>
Where:
- <service_name>: Name of the service the resource belongs to, e.g., resource-manager.
- <resource_category>: Resource category, e.g., folder.
- <resource_name_or_ID>: Name or ID of the resource. You can specify a resource by its name or ID.
For example, you can view what roles were assigned for the default folder and to whom:
    yc resource-manager folder list-access-bindings default
Output:
    +---------------------+----------------+----------------------+
    | ROLE ID             | SUBJECT TYPE   | SUBJECT ID           |
    +---------------------+----------------+----------------------+
    | editor              | serviceAccount | ajepg0mjas06******** |
    | viewer              | userAccount    | aje6o61dvog2******** |
    +---------------------+----------------+----------------------+
In the server response, find all the rows where the subject is the account ID, as well as the rows where the subject is the allUsers or allAuthenticatedUsers system group.
- Repeat the previous two steps for all the parent resources.
- Get your account ID:
- Get the resource ID or name.
- View who has which roles assigned for working with a resource using the listAccessBindings REST API method. For example, to view the roles for the b1gvmob95yys******** folder:
    export FOLDER_ID=b1gvmob95yys********
    export IAM_TOKEN=CggaATEVAgA...
    curl -H "Authorization: Bearer ${IAM_TOKEN}" \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
Output:
    {
      "accessBindings": [
        {
          "subject": {
            "id": "ajei8n54hmfh********",
            "type": "userAccount"
          },
          "roleId": "editor"
        }
      ]
    }
In the server response, find all the rows where the subject is the account ID, as well as the rows where the subject is the allUsers or allAuthenticatedUsers system group.
- Repeat the previous two steps for all the parent resources.
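The filtering and parent-walk steps of the CLI and API procedures above, as an added example that is not part of the original documentation or of Yandex Cloud tooling: it takes listAccessBindings responses for a resource and its parents and returns the roles that apply to one account, noting which ones come from a system group. The function names, the sample IDs and the "system" subject type in the sample data are assumptions made for this example; matching is done on the subject ID only.

```python
import json

# System groups named on the page; a binding to either applies to the account
# even though the account ID itself never appears in that row.
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}

def effective_roles(account_id, responses):
    """Return sorted (role, level, via) tuples for one account.

    responses: (level, listAccessBindings JSON text) pairs, ordered from the
    resource up through its parents.
    """
    found = set()
    for level, body in responses:
        # Tolerate a response without the key (treated here as no bindings).
        for binding in json.loads(body).get("accessBindings", []):
            subject_id = binding["subject"]["id"]
            if subject_id == account_id:
                via = "direct"
            elif subject_id in SYSTEM_GROUPS:
                via = subject_id  # granted to everyone in that group
            else:
                continue
            found.add((binding["roleId"], level, via))
    return sorted(found)

def _response(*bindings):
    """Build a constructed response from (subject_id, subject_type, role)."""
    return json.dumps({"accessBindings": [
        {"subject": {"id": sid, "type": stype}, "roleId": role}
        for sid, stype, role in bindings]})

# Constructed sample data: every ID below is made up for this example.
SAMPLE_RESPONSES = [
    ("folder", _response(("example-user-id", "userAccount", "editor"),
                         ("example-sa-id", "serviceAccount", "editor"))),
    ("cloud", _response(("allAuthenticatedUsers", "system", "viewer"),
                        ("example-other-id", "userAccount", "admin"))),
    ("organization", _response(("example-user-id", "userAccount", "viewer"))),
]

if __name__ == "__main__":
    for role, level, via in effective_roles("example-user-id", SAMPLE_RESPONSES):
        print(f"{role:8} {level:14} {via}")
```

Rows whose last column is a system group rather than "direct" are the ones to review first when auditing, since they grant the role to more than the account being checked.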