© 2022 Yandex.Cloud LLC
Yandex Identity and Access Management

Revoke a role for a resource

Written by
Yandex Cloud

To deny a subject access to a resource, revoke the relevant roles both for that resource and for the parent resources from which roles are inherited: a role assigned on a cloud applies to every folder in that cloud, so revoking it on the folder alone is not enough. For more information, see How access management works in Yandex Cloud.

Note

If you need to temporarily revoke all access rights from a user with a Yandex account, you can revoke just the resource-manager.clouds.member role. The user keeps all other roles, but without cloud membership cannot perform any operations on the cloud's resources. When you add the user to the cloud again, the previously assigned roles take effect immediately, so review them before re-adding the user.

Revoking a role

Management console

In the management console, you can only revoke a cloud or folder role:

  • To revoke a role only in the folder:

    1. Open the folder page. You can select a folder on the home page of the management console, which lists the folders of the selected cloud.
    2. Go to Access bindings in folder (the Access bindings button in the left panel).
    3. Select the appropriate user in the list and click the menu icon next to the user's name.
    4. Click Edit roles.
    5. Click the remove icon next to the role you wish to revoke.
    6. Click Save.
  • To revoke a role in the cloud:

    1. Select the desired cloud.
    2. Go to Access bindings in cloud (the Access bindings button in the left panel).
    3. Select the appropriate user in the list and click the menu icon next to the user's name.
    4. To revoke all of the user's roles in the cloud, click Revoke roles.
    5. To revoke only some of the user's roles in the cloud:
      1. Click Edit roles.
      2. In the Configure access rights window, click the remove icon next to each role you want to revoke.
      3. Click Save.

CLI

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

To revoke a role from a subject, delete the corresponding access binding for the appropriate resource:

  1. View roles and their assignees:

    View the roles assigned for a resource:

    yc <service-name> <resource> list-access-bindings <resource-name>|<resource-id>
    

    Where:

    • <service-name>: The name of the service that the resource belongs to (for example, resource-manager).
    • <resource>: The resource category, such as folder.
    • <resource-name>: The name of the resource. You can specify a resource by its name or ID.
    • <resource-id>: The resource ID.

    For example, you can view what roles were assigned for the default folder and to whom:

    yc resource-manager folder list-access-bindings default
    

    Result:

    +---------------------+----------------+----------------------+
    |       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
    +---------------------+----------------+----------------------+
    | editor              | serviceAccount | ajepg0mjas06siuj5usm |
    | viewer              | userAccount    | aje6o61dvog2h6g9a33s |
    +---------------------+----------------+----------------------+
    
  2. To delete an access binding, run:

    yc <service-name> <resource> remove-access-binding <resource-name>|<resource-id> \
      --role <role-id> \
      --subject <subject-type>:<subject-id>
    

    Where:

    • <role-id>: The ID of the role to revoke (such as resource-manager.clouds.owner).
    • <subject-type>: The type of the subject the role is revoked from, as shown in the SUBJECT TYPE column of the listing (for example, userAccount or serviceAccount).
    • <subject-id>: The subject ID.

  3. Run list-access-bindings for the same resource again and check that the binding is no longer listed. If the subject also holds roles on the parent cloud, repeat steps 1 and 2 for the cloud, since those roles are inherited by the folder.

API

To revoke a resource role from a subject, delete the corresponding access binding:

  1. View what roles were assigned for resources and to whom using the listAccessBindings method. For example, to view the roles for the folder b1gvmob95yysaplct532:

    export FOLDER_ID=b1gvmob95yysaplct532
    export IAM_TOKEN=CggaATEVAgA...
    curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
    

    Result:

    {
      "accessBindings": [
        {
          "subject": {
            "id": "ajei8n54hmfhuk5nog0g",
            "type": "userAccount"
          },
          "roleId": "editor"
        }
      ]
    }
    
  2. Create a request body, for example, in a body.json file. In the request body, specify which access binding to delete. For example, to revoke the editor role from user ajei8n54hmfhuk5nog0g:

    body.json:

    {
        "accessBindingDeltas": [{
            "action": "REMOVE",
            "accessBinding": {
                "roleId": "editor",
                "subject": {
                    "id": "ajei8n54hmfhuk5nog0g",
                    "type": "userAccount"
                }
            }
        }]
    }
    
  3. Revoke the role by deleting the specified access binding:

    export FOLDER_ID=b1gvmob95yysaplct532
    export IAM_TOKEN=CggaATEVAgA...
    curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

    The method returns an Operation object. Once the operation is done, call listAccessBindings again and confirm that the binding is gone; if the subject also holds roles on the parent cloud, repeat the steps for the cloud.
    
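The CLI and API procedures above revoke one binding at a time. The script below is an added example, not code from the Yandex Cloud documentation: it automates the API flow to remove every role one subject holds on a folder and on the parent cloud, and then re-lists the bindings to verify. The folder endpoints (folders/{id}:listAccessBindings and folders/{id}:updateAccessBindings) are the ones shown on this page; the cloud endpoints (clouds/{id}:...), the pageToken/nextPageToken paging fields, the YC_TOKEN, FOLDER_ID, CLOUD_ID and SUBJECT_ID environment variables, and the sample bindings are assumptions made for the example.

```python
"""Revoke every role one subject holds on a Yandex Cloud folder and on the
parent cloud, using the Resource Manager REST calls shown on the page.

Added example, not Yandex Cloud's own code. Folder endpoints come from the
page; cloud endpoints, paging fields and environment variables are assumed.
"""
import json
import os
import urllib.request

RM_BASE = "https://resource-manager.api.cloud.yandex.net/resource-manager/v1"

# Constructed sample shaped like the listAccessBindings result on the page:
# the user holds two roles, a service account holds one.
SAMPLE_FOLDER_BINDINGS = [
    {"subject": {"id": "ajei8n54hmfhuk5nog0g", "type": "userAccount"}, "roleId": "editor"},
    {"subject": {"id": "ajei8n54hmfhuk5nog0g", "type": "userAccount"}, "roleId": "viewer"},
    {"subject": {"id": "ajepg0mjas06siuj5usm", "type": "serviceAccount"}, "roleId": "editor"},
]


def build_remove_deltas(bindings, subject_id, subject_type=None):
    """Build the updateAccessBindings body that REMOVEs every binding of one
    subject and leaves every other subject's bindings untouched.

    The subject id is matched exactly, and the type too when given, so two
    subjects of different kinds are never confused. Returns an empty delta
    list when the subject holds nothing on the resource.
    """
    deltas = []
    for binding in bindings:
        subject = binding["subject"]
        if subject["id"] != subject_id:
            continue
        if subject_type is not None and subject["type"] != subject_type:
            continue
        deltas.append({
            "action": "REMOVE",
            "accessBinding": {"roleId": binding["roleId"], "subject": subject},
        })
    return {"accessBindingDeltas": deltas}


def roles_of(bindings, subject_id):
    """Roles a subject holds according to a listAccessBindings result."""
    return sorted(b["roleId"] for b in bindings if b["subject"]["id"] == subject_id)


def _call(token, url, body=None):
    """Minimal authenticated GET (no body) or POST (JSON body) with the IAM token."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="GET" if body is None else "POST")
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_access_bindings(token, resource_kind, resource_id):
    """Collect all bindings for a resource, following nextPageToken (assumed field)."""
    url = f"{RM_BASE}/{resource_kind}/{resource_id}:listAccessBindings"
    bindings, page_token = [], None
    while True:
        page = _call(token, url + (f"?pageToken={page_token}" if page_token else ""))
        bindings.extend(page.get("accessBindings", []))
        page_token = page.get("nextPageToken")
        if not page_token:
            return bindings


def revoke_subject(token, resource_kind, resource_id, subject_id):
    """Remove all of a subject's roles on one resource and verify the result.

    Returns the role IDs that were removed. Raises if the subject is still
    listed afterwards (updateAccessBindings returns an Operation, so a
    still-pending change shows up here as leftover roles and should be retried).
    """
    body = build_remove_deltas(list_access_bindings(token, resource_kind, resource_id), subject_id)
    if not body["accessBindingDeltas"]:
        return []
    _call(token, f"{RM_BASE}/{resource_kind}/{resource_id}:updateAccessBindings", body)
    leftover = roles_of(list_access_bindings(token, resource_kind, resource_id), subject_id)
    if leftover:
        raise RuntimeError(f"{subject_id} still holds {leftover} on {resource_kind}/{resource_id}")
    return [d["accessBinding"]["roleId"] for d in body["accessBindingDeltas"]]


if __name__ == "__main__":
    # Offline: the body that step 2 of the API procedure writes by hand, for the sample.
    print(json.dumps(build_remove_deltas(SAMPLE_FOLDER_BINDINGS, "ajei8n54hmfhuk5nog0g"), indent=2))
    # Online (assumed environment variables): revoke on the folder and on the parent
    # cloud, because roles granted on the cloud are inherited by every folder in it.
    token, folder, cloud = os.getenv("YC_TOKEN"), os.getenv("FOLDER_ID"), os.getenv("CLOUD_ID")
    if token and folder and cloud:
        subject = os.getenv("SUBJECT_ID", "ajei8n54hmfhuk5nog0g")
        for kind, rid in (("folders", folder), ("clouds", cloud)):
            print(kind, rid, "removed:", revoke_subject(token, kind, rid, subject))
```

Run it without the environment variables to see only the generated request body; with YC_TOKEN, FOLDER_ID and CLOUD_ID set it performs the revocation on both resources. The verification step matters because a REMOVE delta for a binding that was already gone, or a binding the caller is not allowed to change, can leave the subject with access you believed was revoked.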
