Revoke a role for a resource

Written by

Revoking a role

If you want to prevent a subject from accessing a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information, see How access management works in Yandex Cloud.

Revoking a role

Management console

CLI

API

Terraform

In the management console, you can only revoke a cloud or a folder role.

To revoke a role only in the folder:
1. On the start page of the management console, select the folder.
2. Go to Access rights.
3. Select a user from the list and click next to the username.
4. Click Edit roles.
5. Click next to the role you wish to revoke.
6. Click Save.
To revoke a role in the cloud:
1. On the start page of the management console, select the cloud.
2. Go to Access rights.
3. Select a user from the list and click next to the username.
4. Click Edit roles.
5. Click next to the role you wish to revoke.
6. Click Save.
To revoke all the folder or cloud roles at once:
1. On the management console start page, select a folder or a cloud.
2. Go to the Access bindings tab.
3. Select a user from the list and click next to the username.
4. If you want to revoke all of the user's roles in the cloud, click Revoke roles and confirm the revocation.

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

To revoke a role from a subject, delete the corresponding access binding for the appropriate resource:

View the roles assigned for a resource:

yc <service-name> <resource> list-access-bindings <resource-name>|<resource-id>

Where:

<service-name>: The name of the service that the resource belongs to (for example, resource-manager).
<resource>: The resource category, such as folder.
<resource-name>: The name of the resource. You can specify a resource by its name or ID.
<resource-id>: The resource ID.

For example, you can view what roles were assigned for the default folder and to whom:

yc resource-manager folder list-access-bindings default

Result:

+---------------------+----------------+----------------------+
|       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
+---------------------+----------------+----------------------+
| editor              | serviceAccount | ajepg0mjas06siuj5usm |
| viewer              | userAccount    | aje6o61dvog2h6g9a33s |
+---------------------+----------------+----------------------+

To delete an access binding, run:
```
yc <service-name> <resource> remove-access-binding <resource-name>|<resource-id> \
    --role <role-id> \
    --subject <subject-type>:<subject-id>
```
Where:
- <role-id>: The ID of the role to revoke (such as resource-manager.clouds.owner).
- <subject-type>: The subject type to revoke a role from.
- <subject-id>: The subject ID.

To revoke a resource role from a subject, delete the corresponding access binding:

View what roles were assigned for resources and to whom using the listAccessBindings method. For example, to view the roles for the folder b1gvmob95yysaplct532:

export FOLDER_ID=b1gvmob95yysaplct532
export IAM_TOKEN=CggaATEVAgA...
curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"

Result:

{
  "accessBindings": [
  {
    "subject": {
      "id": "ajei8n54hmfhuk5nog0g",
      "type": "userAccount"
    },
    "roleId": "editor"
  }
  ]
}

Create a request body, for example, in a body.json file. In the request body, specify which access binding to delete. For example, revoke the editor role from user ajei8n54hmfhuk5nog0g:

body.json:

{
    "accessBindingDeltas": [{
        "action": "REMOVE",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "ajei8n54hmfhuk5nog0g",
                "type": "userAccount"
                }
            }
        }
    ]
}

Revoke the role by deleting the specified access binding:

export FOLDER_ID=b1gvmob95yysaplct532
export IAM_TOKEN=CggaATEVAgA...
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${IAM_TOKEN}" \
  -d '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To revoke a resource role from a subject, find the resource description in the configuration file:

resource "yandex_resourcemanager_cloud_iam_binding" "admin" {
    cloud_id    = "<cloud ID>"
    role        = "<role>"
    members     = [
    "serviceAccount:<service account ID>",
    "userAccount:<user ID>",
    ]
}

Delete the entry with information about the subject which rights are to be revoked from the members list of users.

For more information about the parameters of the yandex_resourcemanager_cloud_iam_binding resource, see the provider documentation.
Make sure that the configuration files are correct.
1. In the command line, go to the directory where you created the configuration file.
2. Run the check using the command:
```
terraform plan
```
If the configuration is described correctly, the terminal displays a list of created resources and their parameters. If the configuration contain errors, Terraform will point them out.
Deploy the cloud resources.
1. If the configuration doesn't contain any errors, run the following command:
```
terraform apply
```
2. Confirm the resource creation: type yes in the terminal and press Enter.
  
  Afterwards, all the necessary resources are created in the specified folder. You can verify that the resource has been created in the management console or via the following CLI command:
```
yc resource-manager cloud list-access-bindings <cloud name>|<cloud ID>
```

Revoke a role for a resource

Revoking a role

Was the article helpful?