Assigning roles
To provide access to a resource, assign the subject a role to the resource itself or a resource from which access privileges are inherited, such as a folder or a cloud. For more information, see How access management works in Yandex Cloud.
Assigning a role to a user with a Yandex account
This section describes how to assign a role to a user with a Yandex account. The sections that follow show how to assign a role to a service account, a federated user, a group of users, or all users at once.
Management console
In the management console, you can only assign a role for a cloud or folder:
1. Add the user to the cloud via Yandex Cloud Organization or Cloud Console.
2. Assign the user a role for the cloud or for a folder in it.
   For a cloud:
   - In the management console, select the cloud.
   - Go to the Access bindings tab.
   - Click Assign bindings.
   - In the window that opens, select User accounts.
   - Select a user from the list or search by user.
   - Click Add role and select the role to assign.
   - Click Save.
   For a folder:
   - In the management console, go to the appropriate folder.
   - Go to the Access bindings tab.
   - Click Assign bindings.
   - In the window that opens, select User accounts.
   - Select a user from the list or search by user.
   - Click Add role and select the role to assign.
   - Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
1. Select a role from the Yandex Cloud role reference.
2. Assign the role using the command:
   yc <service_name> <resource_category> add-access-binding <resource_name_or_ID> \
     --role <role_ID> \
     --subject userAccount:<user_ID>
   Where:
   - <service_name>: Name of the service to whose resource the role is assigned, e.g., resource-manager.
   - <resource_category>: Resource category, e.g., cloud.
   - <resource_name_or_ID>: Resource name or ID.
   - --role: Role ID, e.g., resource-manager.clouds.owner.
   - --subject userAccount: ID of the user account to which the role is assigned.
   For example, assign the viewer role for the mycloud cloud:
   yc resource-manager cloud add-access-binding mycloud \
     --role viewer \
     --subject userAccount:aje6o61dvog2********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
1. Add the resource parameters to the configuration file, specify the required role and a list of cloud users:
   - cloud_id: Cloud ID. You can also assign a role in an individual folder. To do this, use the yandex_resourcemanager_folder_iam_binding resource with folder_id (the required folder ID) instead of cloud_id.
   - role: Role being assigned. This is a required parameter.
   - members: List of users or service accounts the role is being assigned to, specified as userAccount:<user_ID> or serviceAccount:<service_account_ID>. This is a required parameter.
   Here is a sample configuration file structure:
   resource "yandex_resourcemanager_cloud_iam_binding" "admin" {
     cloud_id = "<cloud_ID>"
     role     = "<role>"
     members  = [
       "serviceAccount:<service_account_ID>",
       "userAccount:<user_ID>",
     ]
   }
   An iam_binding resource is authoritative for its role: it manages the complete list of members holding that role on the cloud, so use only one such resource per role, or members it does not list will be removed. For more information about the parameters of the yandex_resourcemanager_cloud_iam_binding resource, see the provider documentation.
2. Make sure the configuration files are correct.
   - In the command line, go to the directory where you created the configuration file.
   - Run the check using the command:
     terraform plan
     If the configuration is described correctly, the terminal displays the list of resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.
3. Deploy cloud resources.
   - If there are no errors in the configuration, run:
     terraform apply
   - Confirm creating the resources: type yes in the terminal and press Enter.
   The access bindings will then be created for the specified cloud or folder. You can check them using the management console or the CLI:
   yc resource-manager cloud list-access-bindings <cloud_name_or_ID>
   yc resource-manager folder list-access-bindings <folder_name_or_ID>
API
Use the updateAccessBindings REST API method for the respective resource.
1. Select a role from the Yandex Cloud role reference.
2. Create the request body, for example, in the body.json file. Set the action property to ADD and specify the userAccount type and user ID in the subject property:
   body.json:
   {
     "accessBindingDeltas": [{
       "action": "ADD",
       "accessBinding": {
         "roleId": "editor",
         "subject": {
           "id": "gfei8n54hmfh********",
           "type": "userAccount"
         }
       }
     }]
   }
3. Assign the role. For example, for a folder with the b1gvmob95yys******** ID:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaAT********
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     -d '@body.json' \
     "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
For the detailed guide on how to assign a role to a resource, see:
Assign multiple roles
Management console
1. In the management console, go to the appropriate folder.
2. Go to the Access bindings tab.
3. Click Assign bindings.
4. In the window that opens, select User accounts.
5. Select a user from the list or search by user.
6. Click Add role and select the role. Repeat this step as many times as you need to add all the required roles.
7. Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The add-access-binding command adds only one role per call. You can assign multiple roles in one call using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites the access bindings of the resource. All roles currently assigned on the resource will be deleted and replaced with the ones you specify.
For example, to assign multiple roles for a folder:
1. Make sure the resource has no roles assigned that you would rather not lose:
   yc resource-manager folder list-access-bindings my-folder
2. Assign roles. For example, assign the editor role to one user and the viewer role to another user:
   yc resource-manager folder set-access-bindings my-folder \
     --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
     --access-binding role=viewer,subject=userAccount:helj89sfj80a********
API
1. To assign the editor role to one user and the viewer role to another user, add multiple access bindings to the request body file in accessBindingDeltas.
   body.json:
   {
     "accessBindingDeltas": [{
       "action": "ADD",
       "accessBinding": {
         "roleId": "editor",
         "subject": {
           "id": "gfei8n54hmfh********",
           "type": "userAccount"
         }
       }
     }, {
       "action": "ADD",
       "accessBinding": {
         "roleId": "viewer",
         "subject": {
           "id": "helj89sfj80a********",
           "type": "userAccount"
         }
       }
     }]
   }
2. Assign the specified roles, e.g., for the folder with the b1gvmob95yys******** ID:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaAT********
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     -d '@body.json' \
     "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
You can also assign roles using the setAccessBindings REST API method for the respective resource (for a folder, the Folder resource) or the corresponding SetAccessBindings gRPC API call (for a folder, FolderService/SetAccessBindings).
Alert
The setAccessBindings method completely rewrites the access bindings of the resource. All roles currently assigned on the resource will be deleted and replaced with the ones you specify.
1. List the new access bindings in the request body.
   body.json:
   {
     "accessBindings": [{
       "roleId": "editor",
       "subject": {
         "id": "ajei8n54hmfh********",
         "type": "userAccount"
       }
     }, {
       "roleId": "viewer",
       "subject": {
         "id": "helj89sfj80a********",
         "type": "userAccount"
       }
     }]
   }
2. Assign roles:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaATEVAgA...
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     -d '@body.json' \
     "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:setAccessBindings"
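The alerts above are the practical hazard of this section: set-access-bindings and setAccessBindings replace the entire binding list, so a role you forgot to re-list is silently revoked. The following script is an added example (not part of the Yandex Cloud documentation or tooling) that builds the request bodies safely from a listing of the current bindings. It assumes only the JSON shapes shown on this page (listAccessBindings returning accessBindings, updateAccessBindings taking accessBindingDeltas, setAccessBindings taking accessBindings); the current listing, role names and IDs in it are constructed placeholders.

```python
"""Build access-binding request bodies for Yandex Cloud Resource Manager.

Added example, not code from the Yandex Cloud documentation. It assumes only
the JSON shapes shown on this page: listAccessBindings returns
{"accessBindings": [...]}, updateAccessBindings takes {"accessBindingDeltas": [...]}
and setAccessBindings takes {"accessBindings": [...]}. CURRENT_LISTING is
constructed sample data with placeholder IDs.
"""
import json

# Constructed sample of what listAccessBindings on a folder might return.
CURRENT_LISTING = {
    "accessBindings": [
        {"roleId": "admin",
         "subject": {"id": "aje6o61dvog2********", "type": "serviceAccount"}},
        {"roleId": "viewer",
         "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    ]
}


def binding(role_id: str, subject: str) -> dict:
    """Build one accessBinding from CLI-style notation such as
    'userAccount:gfei8n54hmfh********' or 'system:allAuthenticatedUsers'."""
    stype, sid = subject.split(":", 1)
    return {"roleId": role_id, "subject": {"id": sid, "type": stype}}


def _key(b: dict) -> tuple:
    return (b["roleId"], b["subject"]["type"], b["subject"]["id"])


def update_deltas(current: dict, desired: list, remove_unlisted: bool = False) -> dict:
    """Body for updateAccessBindings.

    ADD deltas for desired bindings that do not exist yet; bindings already present are
    not touched, so nothing is lost by accident. With remove_unlisted=True the body also
    contains REMOVE deltas for every existing binding missing from `desired`, which gives
    the same end state as setAccessBindings but shows exactly what will be taken away.
    """
    have = {_key(b): b for b in current["accessBindings"]}
    want = {_key(b): b for b in desired}
    deltas = [{"action": "ADD", "accessBinding": b} for k, b in want.items() if k not in have]
    if remove_unlisted:
        deltas += [{"action": "REMOVE", "accessBinding": b} for k, b in have.items() if k not in want]
    return {"accessBindingDeltas": deltas}


def set_body_preserving(current: dict, new: list) -> dict:
    """Body for setAccessBindings / `yc ... set-access-bindings` that keeps existing roles.

    Both replace the whole binding list, so the safe input is current + new, deduplicated.
    """
    merged = {_key(b): b for b in current["accessBindings"]}
    for b in new:
        merged.setdefault(_key(b), b)
    return {"accessBindings": list(merged.values())}


def to_cli_flags(body: dict) -> list:
    """Render a setAccessBindings body as `--access-binding role=...,subject=...` flags."""
    return ["--access-binding role={roleId},subject={type}:{id}".format(
                roleId=b["roleId"], **b["subject"]) for b in body["accessBindings"]]


if __name__ == "__main__":
    new = [binding("editor", "userAccount:gfei8n54hmfh********"),
           binding("viewer", "userAccount:helj89sfj80a********")]
    # body.json for `curl ... :updateAccessBindings`
    print(json.dumps(update_deltas(CURRENT_LISTING, new), indent=2))
    # flags for `yc resource-manager folder set-access-bindings my-folder ...`
    print(" \\\n  ".join(to_cli_flags(set_body_preserving(CURRENT_LISTING, new))))
```

In practice you would feed the output of `yc resource-manager folder list-access-bindings my-folder --format json` (or the listAccessBindings response) in as `current`; update_deltas is the conservative default, and remove_unlisted=True is the reviewable equivalent of a full overwrite, since every revocation appears as an explicit REMOVE delta before anything is sent.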
Resource access for a service account
You can assign roles to a service account for any resources in any cloud if these resources belong to the same organization as the service account. You can also assign roles to a service account for the organization.
Assigning a role for a resource
Child resources inherit access permissions from their parent resources. For example, if a service account is assigned a role for a cloud, the service account will be granted the appropriate permissions to all resources in all folders of this cloud.
You assign roles to a service account the same way as to a user account.
To assign a service account a role for a cloud or folder:
Management console
1. In the management console, select the appropriate cloud or folder.
2. Go to the Access bindings tab.
3. Click Assign bindings.
4. In the window that opens, select Service accounts.
5. Select the required service account from the list or use the search.
6. Click Add role and select the role to assign.
7. Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign a service account a role for a cloud or folder, run this command:
yc resource-manager <resource_category> add-access-binding <resource_name_or_ID> \
  --role <role_ID> \
  --subject serviceAccount:<service_account_ID>
Where:
- <resource_category>: cloud to assign a cloud role, or folder to assign a folder role.
- <resource_name_or_ID>: Name or ID of the resource the role is assigned for.
- --role: Role ID, e.g., viewer.
- --subject serviceAccount: ID of the service account which is being assigned the role.
For example, to assign a service account the viewer role for the my-folder folder:
1. Select a role to assign to the service account. You can find the description of the roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation.
2. Find out the service account ID by its name:
   yc iam service-account get my-robot
   Result:
   id: aje6o61dvog2********
   folder_id: b1gvmob95yys********
   created_at: "2018-10-15T18:01:25Z"
   name: my-robot
   If you don't know the name of the service account, get a list of service accounts with their IDs:
   yc iam service-account list
   Result:
   +----------------------+----------+----------------+
   | ID                   | NAME     | DESCRIPTION    |
   +----------------------+----------+----------------+
   | aje6o61dvog2******** | my-robot | my description |
   +----------------------+----------+----------------+
3. Assign the viewer role to the my-robot service account using its ID:
   yc resource-manager folder add-access-binding my-folder \
     --role viewer \
     --subject serviceAccount:aje6o61dvog2********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
1. In the configuration file, describe the parameters of the resources you want to create. Here is an example of the configuration file structure:
   resource "yandex_resourcemanager_folder_iam_member" "admin-account-iam" {
     folder_id = "<folder_ID>"
     role      = "<role>"
     member    = "serviceAccount:<service_account_ID>"
   }
   Where:
   - folder_id: Folder ID. This is a required parameter.
   - role: Role being assigned. You can find the description of the roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation. This is a required parameter.
   - member: ID of the service account the role is assigned to, in serviceAccount:<service_account_ID> format. This is a required parameter.
   For more information about resources you can create with Terraform, see the provider documentation.
2. Make sure the configuration files are valid.
   - In the command line, go to the directory where you created the configuration file.
   - Run a check using this command:
     terraform plan
     If the configuration is described correctly, the terminal will display a list of the resources to be created and their parameters. If the configuration contains any errors, Terraform will point them out.
3. Deploy cloud resources.
   - If the configuration does not contain any errors, run this command:
     terraform apply
   - Confirm creating the resources: type yes in the terminal and press Enter.
   All the resources you need will then be created in the specified folder. You can check the new access binding using the management console or this CLI command:
   yc resource-manager folder list-access-bindings <folder_name_or_ID>
API
To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:
1. Select a role to assign to the service account. You can find the description of the roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation.
2. Get the ID of the folder the service account belongs to.
3. Get an IAM token required for authorization in the Yandex Cloud API, for example with yc iam create-token. Treat the token as a credential: it carries the permissions of the account that issued it.
4. Get a list of the folder's service accounts to find out their IDs:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaATEVAgA...
   curl -H "Authorization: Bearer ${IAM_TOKEN}" \
     "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
   Result:
   {
     "serviceAccounts": [
       {
         "id": "ajebqtreob2d********",
         "folderId": "b1gvmob95yys********",
         "createdAt": "2018-10-18T13:42:40Z",
         "name": "my-robot",
         "description": "my description"
       }
     ]
   }
5. Create the request body, for example, in the body.json file. Set the action property to ADD and the roleId property to the appropriate role, such as editor, and specify the serviceAccount type and service account ID in the subject property:
   body.json:
   {
     "accessBindingDeltas": [{
       "action": "ADD",
       "accessBinding": {
         "roleId": "editor",
         "subject": {
           "id": "ajebqtreob2d********",
           "type": "serviceAccount"
         }
       }
     }]
   }
6. Assign the role to the service account. For example, for a folder with the b1gvmob95yys******** ID:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaAT********
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     -d '@body.json' \
     "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
Assigning a role for an organization
Access permissions are inherited from an organization by all resources created in the organization. For example, if a service account is assigned a role for an organization, the service account will be granted the appropriate permissions to all resources in all clouds of this organization.
To grant a service account access permissions to an organization, you need the organization-manager.admin role or higher.
Management console
1. Log in as the organization administrator or owner.
2. Go to Yandex Cloud Organization.
3. In the left-hand panel, select Access bindings.
4. In the Account type filter, select Service accounts.
5. If the respective service account already has at least one role, select it from the list or use the search bar and, in the line with the account name, click the edit button. If the service account is not on the list, click Assign bindings in the top-right corner. In the window that opens, go to Service accounts and select the appropriate account from the list or use the search bar.
6. Click Add role and select the role. You can find the description of the available roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation.
7. Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign a service account a role for an organization, run this command:
yc organization-manager organization add-access-binding <organization_name_or_ID> \
  --role <role_ID> \
  --subject serviceAccount:<service_account_ID>
Where:
- <organization_name_or_ID>: Technical name or ID of the organization.
- --role: Role ID, e.g., viewer.
- --subject serviceAccount: ID of the service account which is being assigned the role.
For example, to assign a service account the viewer role for the MyOrg organization:
1. Select a role to assign to the service account. You can find the description of the roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation.
2. Get a list of available organizations to find out their IDs and technical names:
   yc organization-manager organization list
   Result:
   +----------------------+----------------------+-------+
   | ID                   | NAME                 | TITLE |
   +----------------------+----------------------+-------+
   | bpf1smsil5q0******** | hdt5j5uw********     | MyOrg |
   +----------------------+----------------------+-------+
   The organization's technical name is in the NAME column and its ID is in the ID column.
3. Find out the service account ID by its name:
   yc iam service-account get my-robot
   Result:
   id: aje6o61dvog2********
   folder_id: b1gvmob95yys********
   created_at: "2018-10-15T18:01:25Z"
   name: my-robot
   If you do not know the name of the service account, get a complete list of service accounts with their IDs:
   yc iam service-account list
   Result:
   +----------------------+----------+----------------+
   | ID                   | NAME     | DESCRIPTION    |
   +----------------------+----------+----------------+
   | aje6o61dvog2******** | my-robot | my description |
   +----------------------+----------+----------------+
4. Assign the my-robot service account the viewer role for the organization with the bpf1smsil5q0******** ID:
   yc organization-manager organization add-access-binding bpf1smsil5q0******** \
     --role viewer \
     --subject serviceAccount:aje6o61dvog2********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
1. In the configuration file, describe the parameters of the resources you want to create. Here is an example of the configuration file structure:
   resource "yandex_organizationmanager_organization_iam_binding" "editor" {
     organization_id = "<organization_ID>"
     role            = "<role>"
     members         = [
       "serviceAccount:<service_account_ID>",
     ]
   }
   Where:
   - organization_id: Organization ID. This is a required parameter.
   - role: Role being assigned. You can find the description of the roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation. For each role, you can only use one yandex_organizationmanager_organization_iam_binding resource: it manages the full list of members for that role, and members it does not list are removed. This is a required parameter.
   - members: IDs of the service accounts the role is being assigned to, each in serviceAccount:<service_account_ID> format. This is a required parameter.
   For more information about resources you can create with Terraform, see the provider documentation.
2. Make sure the configuration files are valid.
   - In the command line, go to the directory where you created the configuration file.
   - Run a check using this command:
     terraform plan
     If the configuration is described correctly, the terminal will display a list of the roles to be assigned. If the configuration contains any errors, Terraform will point them out.
3. Deploy cloud resources.
   - If the configuration does not contain any errors, run this command:
     terraform apply
   - Confirm creating the resources: type yes in the terminal and press Enter.
   All the resources you need will then be created in the specified organization. You can check the new access binding using the management console or this CLI command:
   yc organization-manager organization list-access-bindings <organization_name_or_ID>
API
To assign the service account a role for the organization, use the updateAccessBindings REST API method for the Organization resource:
1. Select a role to assign to the service account. You can find the description of the roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation.
2. Get the ID of the folder the service account belongs to.
3. Get an IAM token for authorization in the Yandex Cloud API.
4. Get a list of the folder's service accounts to find out their IDs:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaATEVAgA...
   curl -H "Authorization: Bearer ${IAM_TOKEN}" \
     "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
   Result:
   {
     "serviceAccounts": [
       {
         "id": "ajebqtreob2d********",
         "folderId": "b1gvmob95yys********",
         "createdAt": "2018-10-18T13:42:40Z",
         "name": "my-robot",
         "description": "my description"
       }
     ]
   }
5. Get a list of organizations to find out their IDs:
   export IAM_TOKEN=CggaATEVAgA...
   curl -X GET \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations"
   Result:
   {
     "organizations": [
       {
         "id": "bpfaidqca8vd********",
         "createdAt": "2023-04-07T08:11:54.313033Z",
         "name": "xvdq9q22********",
         "title": "MyOrg"
       }
     ]
   }
6. Create the request body, for example, in the body.json file. Set the action property to ADD and the roleId property to the appropriate role, such as viewer, and specify the serviceAccount type and service account ID in the subject property:
   body.json:
   {
     "accessBindingDeltas": [{
       "action": "ADD",
       "accessBinding": {
         "roleId": "viewer",
         "subject": {
           "id": "ajebqtreob2d********",
           "type": "serviceAccount"
         }
       }
     }]
   }
7. Assign the role to the service account. For example, for an organization with the bpfaidqca8vd******** ID:
   export ORGANIZATION_ID=bpfaidqca8vd********
   export IAM_TOKEN=CggaATEVAgA...
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     -d '@body.json' \
     "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
Resource access for a federated user
In the management console, you can assign a federated user a role for an individual cloud or folder.
The role assignment procedure is the same as for a user with a Yandex account. The user's federation name is shown next to the username.
Management console
In the management console, you can only assign a role for a cloud or folder:
1. Assign the user a role for the cloud or for a folder in it.
   For a cloud:
   - In the management console, select the cloud.
   - Go to the Access bindings tab.
   - Click Assign bindings.
   - In the window that opens, select User accounts.
   - Select a user from the list or search by user.
   - Click Add role and select the role to assign.
   - Click Save.
   For a folder:
   - In the management console, go to the appropriate folder.
   - Go to the Access bindings tab.
   - Click Assign bindings.
   - In the window that opens, select User accounts.
   - Select a user from the list or search by user.
   - Click Add role and select the role to assign.
   - Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
1. Select a role from the Yandex Cloud role reference.
2. Assign the role using the command:
   yc <service_name> <resource_category> add-access-binding <resource_name_or_ID> \
     --role <role_ID> \
     --subject federatedUser:<user_ID>
   Where:
   - <service_name>: Name of the service to whose resource the role is assigned, e.g., resource-manager.
   - <resource_category>: Resource category, e.g., cloud.
   - <resource_name_or_ID>: Name or ID of the resource.
   - --role: Role ID, e.g., resource-manager.clouds.owner.
   - --subject federatedUser: ID of the federated user account to which the role is assigned.
   For example, assign the viewer role for the mycloud cloud:
   yc resource-manager cloud add-access-binding mycloud \
     --role viewer \
     --subject federatedUser:aje6o61dvog2********
API
Use the updateAccessBindings REST API method for the respective resource.
1. Select a role from the Yandex Cloud role reference.
2. Create the request body, for example, in the body.json file. In the action property, specify ADD, and in the subject property, federatedUser as the type and the user ID:
   body.json:
   {
     "accessBindingDeltas": [{
       "action": "ADD",
       "accessBinding": {
         "roleId": "editor",
         "subject": {
           "id": "gfei8n54hmfh********",
           "type": "federatedUser"
         }
       }
     }]
   }
3. Assign the role to the federated user. For example, for a folder with the b1gvmob95yys******** ID:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaAT********
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     -d '@body.json' \
     "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
Resource access for a group of users
Management console
Assign the group of users a role in the cloud:
1. In the management console, select a cloud.
2. Go to the Access bindings tab.
3. Click Assign bindings.
4. In the window that opens, select Groups.
5. Select the group from the list or search by group name.
6. Click Add role and select the role to assign.
7. Click Save.
The group name will be displayed in Access bindings in the cloud along with the other users with roles in this cloud.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
1. Select a role from the Yandex Cloud role reference.
2. Assign the role using the command:
   yc <service_name> <resource_category> add-access-binding <resource_name_or_ID> \
     --role <role_ID> \
     --subject group:<group_ID>
   Where:
   - <service_name>: Name of the service to whose resource the role is assigned, e.g., resource-manager.
   - <resource_category>: Resource category, e.g., cloud.
   - <resource_name_or_ID>: Name or ID of the resource.
   - --role: Role ID, e.g., resource-manager.clouds.owner.
   - --subject group: ID of the group the role is assigned to.
   For example, assign the viewer role for the mycloud cloud:
   yc resource-manager cloud add-access-binding mycloud \
     --role viewer \
     --subject group:aje6o61dvog2********
Access to a resource for all users
You can grant public access to a resource. To do this, assign a role to the system group allAuthenticatedUsers (any authenticated Yandex Cloud account) or allUsers (anyone, including unauthenticated requests).
You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex Cloud at your expense.
For example, allow any authenticated user to view folder information:
Management console
1. In the management console, go to the appropriate folder.
2. Go to the Access bindings tab.
3. Click Assign bindings.
4. In the window that opens, select Public.
5. Select the All authenticated users group.
6. Click Add role and select the resource-manager.viewer role.
7. Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
Assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:
yc resource-manager folder add-access-binding my-folder \
  --role viewer \
  --subject system:allAuthenticatedUsers
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Alert
Do not create the resource together with the yandex_resourcemanager_folder_iam_policy resource. They will conflict with each other.
To assign a role to a folder created using Terraform:
1. Describe the parameters of the folder role in a configuration file:
   - folder_id: ID of the folder to grant permissions for. This is a required parameter.
   - role: Role being assigned. This is a required parameter.
     Note
     A yandex_resourcemanager_folder_iam_member resource grants one role to one member and leaves the other members of that role untouched. Do not combine it with a yandex_resourcemanager_folder_iam_binding for the same role: the binding resource manages the full member list for its role and will remove members it does not list.
   - member: Subject to assign the role to. To add all users, create an entry in the format system:<allUsers|allAuthenticatedUsers>, where <allUsers|allAuthenticatedUsers> is one of the system groups. This is a required parameter.
   Here is an example of the configuration file structure:
   ...
   data "yandex_resourcemanager_folder" "project1" {
     folder_id = "<folder_ID>"
   }

   resource "yandex_resourcemanager_folder_iam_member" "viewer" {
     folder_id = data.yandex_resourcemanager_folder.project1.id
     role      = "viewer"
     member    = "system:allUsers"
   }
   ...
   For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the provider documentation.
2. Check the configuration using this command:
   terraform validate
   If the configuration is correct, you will get this message:
   Success! The configuration is valid.
3. Run this command:
   terraform plan
   The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
4. Apply the configuration changes:
   terraform apply
5. Confirm the changes: type yes into the terminal and press Enter.
   You can check the folder update using the management console or this CLI command:
   yc resource-manager folder list-access-bindings <folder_name_or_ID>
API
1. Create a request body, for example, in the body.json file. In roleId, assign the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID:
   body.json:
   {
     "accessBindingDeltas": [{
       "action": "ADD",
       "accessBinding": {
         "roleId": "viewer",
         "subject": {
           "id": "allAuthenticatedUsers",
           "type": "system"
         }
       }
     }]
   }
2. Assign the role to all authenticated users. For example, for a folder with the b1gvmob95yys******** ID:
   export FOLDER_ID=b1gvmob95yys********
   export IAM_TOKEN=CggaAT********
   curl -X POST \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer ${IAM_TOKEN}" \
     -d '@body.json' \
     "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
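The alert in this section (never give a system group editor or admin) is easy to violate by accident when request bodies are generated by scripts. The following pre-flight check is an added example, not part of the Yandex Cloud documentation or tooling: it reads a body of either shape used on this page (accessBindingDeltas for updateAccessBindings, accessBindings for setAccessBindings) and refuses any ADD of a privileged role to system:allUsers or system:allAuthenticatedUsers before the curl call is made. The exact-role list mirrors the page (editor, admin, plus the two roles the service rejects for system groups); the ".editor/.admin/.owner" suffix rule for service-specific roles and the sample bodies are this example's own assumptions.

```python
"""Pre-flight check for public (system group) access bindings.

Added example, not part of the Yandex Cloud documentation. It inspects a request
body of the shape this page uses for updateAccessBindings
({"accessBindingDeltas": [...]}) or setAccessBindings ({"accessBindings": [...]})
and refuses bindings that would hand a privileged role to allUsers or
allAuthenticatedUsers. The suffix heuristic and the sample bodies are assumptions
made for this example, not rules published by the service.
"""
import json

SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}

# Roles that must never be public: the two the API rejects for system groups and the
# two the page's alert warns about. Assumption: service-specific roles ending in
# .editor/.admin/.owner are treated the same way.
PRIVILEGED_EXACT = {"editor", "admin",
                    "resource-manager.clouds.owner", "resource-manager.clouds.member"}
PRIVILEGED_SUFFIXES = (".editor", ".admin", ".owner")


def is_privileged(role_id: str) -> bool:
    return role_id in PRIVILEGED_EXACT or role_id.endswith(PRIVILEGED_SUFFIXES)


def bindings_being_granted(body: dict):
    """Yield every accessBinding the request would create. REMOVE deltas are
    ignored because revoking a public role is never the dangerous direction."""
    for delta in body.get("accessBindingDeltas", []):
        if delta.get("action") == "ADD":
            yield delta["accessBinding"]
    yield from body.get("accessBindings", [])


def public_privilege_violations(body: dict) -> list:
    """Return (roleId, groupId) for each privileged role granted to a system group."""
    bad = []
    for b in bindings_being_granted(body):
        subj = b["subject"]
        if subj["type"] == "system" and subj["id"] in SYSTEM_GROUPS and is_privileged(b["roleId"]):
            bad.append((b["roleId"], subj["id"]))
    return bad


def check_body_text(text: str) -> bool:
    """True if the JSON body is safe to send; False (with each reason printed) otherwise."""
    violations = public_privilege_violations(json.loads(text))
    for role, group in violations:
        print(f"refusing to grant {role} to system:{group}")
    return not violations


# Constructed sample bodies. SAFE_BODY is the page's viewer example; UNSAFE_BODY
# is a setAccessBindings body that would make the folder publicly editable.
SAFE_BODY = """{"accessBindingDeltas": [{"action": "ADD", "accessBinding":
  {"roleId": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}}}]}"""
UNSAFE_BODY = """{"accessBindings": [
  {"roleId": "editor", "subject": {"id": "allUsers", "type": "system"}},
  {"roleId": "viewer", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}}]}"""

if __name__ == "__main__":
    import sys
    # Usage: python check_bindings.py body.json && curl ... -d '@body.json' ...
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else UNSAFE_BODY
    sys.exit(0 if check_body_text(text) else 1)
```

Chaining the check in front of the curl call (`python check_bindings.py body.json && curl ...`) makes the API request conditional on a clean result; a non-zero exit stops the pipeline before any binding is written.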