© 2023 Yandex.Cloud LLC
Yandex Identity and Access Management

Revoke a role for a resource

Written by
Yandex Cloud

If you want to prevent a subject from accessing a resource, revoke the relevant roles for this resource and for every parent resource whose roles it inherits: a role assigned in a cloud applies to all folders in that cloud, and a folder role applies to all resources in the folder, so removing a binding on the folder alone is not enough if the same role is also assigned on the cloud. If the access was granted to a group the subject belongs to, change the group's binding or remove the subject from the group. Revoking roles does not delete a service account's static access keys, API keys, or authorized keys; if the subject's credentials may be compromised, delete those separately. For more information, see How access management works in Yandex Cloud.

Revoking a role

Management console

In the management console, you can only revoke a cloud or a folder role.

  • To revoke a single role in a folder or a cloud:

    1. On the start page of the management console, select the folder or the cloud.
    2. Go to Access rights.
    3. Select a user from the list and click the icon next to the username.
    4. Click Edit roles.
    5. Click the icon next to the role you wish to revoke.
    6. Click Save.
  • To revoke all the folder or cloud roles of a subject at once:

    1. On the management console start page, select the folder or the cloud.
    2. Go to the Access bindings tab.
    3. Select a user from the list and click the icon next to the username.
    4. Click Revoke roles and confirm the revocation. All of the user's roles in that folder or cloud are revoked; roles the user still holds on the parent cloud must be revoked there.

CLI

If you don't have the Yandex Cloud command line interface (CLI) yet, install and initialize it.

To revoke a role from a subject, delete the corresponding access binding for the appropriate resource:

  1. View the roles assigned for a resource:

    yc <service-name> <resource> list-access-bindings <resource-name>|<resource-id>
    

    Where:

    • <service-name>: The name of the service that the resource belongs to (for example, resource-manager).
    • <resource>: The resource category, such as folder.
    • <resource-name>: The name of the resource. You can specify a resource by its name or ID.
    • <resource-id>: The resource ID.

    For example, you can view what roles were assigned for the default folder and to whom:

    yc resource-manager folder list-access-bindings default
    

    Result:

    +---------------------+----------------+----------------------+
    |       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
    +---------------------+----------------+----------------------+
    | editor              | serviceAccount | ajepg0mjas06siuj5usm |
    | viewer              | userAccount    | aje6o61dvog2h6g9a33s |
    +---------------------+----------------+----------------------+
    
  2. To delete an access binding, run:

    yc <service-name> <resource> remove-access-binding <resource-name>|<resource-id> \
        --role <role-id> \
        --subject <subject-type>:<subject-id>
    

    Where:

    • <role-id>: The ID of the role to revoke, exactly as shown in the ROLE ID column of the listing (such as editor or resource-manager.clouds.owner).
    • <subject-type>: The type of subject to revoke the role from: userAccount, serviceAccount, federatedUser, or system.
    • <subject-id>: The subject ID, as shown in the SUBJECT ID column.

    For example, to revoke the editor role from the service account in the listing above, pass --role editor --subject serviceAccount:ajepg0mjas06siuj5usm. Run list-access-bindings again afterwards to confirm the binding is gone, and repeat on the cloud if the subject also holds the role there, since cloud roles are inherited by every folder in the cloud.

API

To revoke a resource role from a subject, delete the corresponding access binding:

  1. View what roles were assigned for resources and to whom using the listAccessBindings method. For example, to view the roles for the folder b1gvmob95yysaplct532:

    export FOLDER_ID=b1gvmob95yysaplct532
    export IAM_TOKEN=CggaATEVAgA...
    curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
    

    Result:

    {
      "accessBindings": [
        {
          "subject": {
            "id": "ajei8n54hmfhuk5nog0g",
            "type": "userAccount"
          },
          "roleId": "editor"
        }
      ]
    }
    
  2. Create a request body, for example, in a body.json file. In the request body, specify which access binding to delete. For example, revoke the editor role from user ajei8n54hmfhuk5nog0g:

    body.json:

    {
      "accessBindingDeltas": [
        {
          "action": "REMOVE",
          "accessBinding": {
            "roleId": "editor",
            "subject": {
              "id": "ajei8n54hmfhuk5nog0g",
              "type": "userAccount"
            }
          }
        }
      ]
    }
    
  3. Revoke the role by deleting the specified access binding. The call returns an Operation; once it has completed, run listAccessBindings again to confirm that the subject no longer appears:

    export FOLDER_ID=b1gvmob95yysaplct532
    export IAM_TOKEN=CggaATEVAgA...
    curl -X POST \
      -H "Content-Type: application/json" \
      -H "Authorization: Bearer ${IAM_TOKEN}" \
      -d '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    
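The CLI and API steps above remove one binding per command. In practice you usually need to strip every role a subject holds on a resource and confirm nothing is left. The following Python script is an added example, not Yandex Cloud's own code: it pages through the folder's listAccessBindings output, builds one REMOVE delta per role the subject holds, and sends the body to updateAccessBindings unless it is run in dry-run mode. The pageToken query parameter and nextPageToken response field are assumed from the general Yandex Cloud API list conventions; the listing it runs on offline is a constructed sample that reuses the IDs from this page.

```python
"""Revoke every role a subject holds on a Yandex Cloud folder (added example)."""
import json
import urllib.parse
import urllib.request

API = "https://resource-manager.api.cloud.yandex.net/resource-manager/v1"

# Constructed sample standing in for two pages of a listAccessBindings
# response, keyed by pageToken so the offline fetch below can serve it.
SAMPLE_PAGES = {
    "": {
        "accessBindings": [
            {"subject": {"id": "ajei8n54hmfhuk5nog0g", "type": "userAccount"}, "roleId": "editor"},
            {"subject": {"id": "ajepg0mjas06siuj5usm", "type": "serviceAccount"}, "roleId": "editor"},
        ],
        "nextPageToken": "page2",
    },
    "page2": {
        "accessBindings": [
            {"subject": {"id": "ajei8n54hmfhuk5nog0g", "type": "userAccount"}, "roleId": "viewer"},
        ]
    },
}


def sample_fetch(url):
    """Offline stand-in for an authenticated GET: serves SAMPLE_PAGES by pageToken."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[query.get("pageToken", [""])[0]]


def http_json(url, iam_token, body=None):
    """GET (or POST when a body is given) a JSON endpoint using an IAM token."""
    headers = {"Authorization": f"Bearer {iam_token}"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers,
                                 method="POST" if data else "GET")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_access_bindings(folder_id, iam_token="", fetch=None):
    """Return all bindings on the folder, following nextPageToken (assumed paging convention)."""
    fetch = fetch or (lambda url: http_json(url, iam_token))
    bindings, token = [], ""
    while True:
        url = f"{API}/folders/{folder_id}:listAccessBindings"
        if token:
            url += "?" + urllib.parse.urlencode({"pageToken": token})
        page = fetch(url)
        bindings.extend(page.get("accessBindings", []))
        token = page.get("nextPageToken", "")
        if not token:
            return bindings


def roles_of(bindings, subject_id, subject_type):
    """Sorted role IDs the subject holds directly on the resource."""
    return sorted(b["roleId"] for b in bindings
                  if b["subject"]["id"] == subject_id and b["subject"]["type"] == subject_type)


def build_remove_deltas(bindings, subject_id, subject_type):
    """updateAccessBindings request body with a REMOVE delta per role the subject holds."""
    deltas = [
        {"action": "REMOVE",
         "accessBinding": {"roleId": role,
                           "subject": {"id": subject_id, "type": subject_type}}}
        for role in roles_of(bindings, subject_id, subject_type)
    ]
    return {"accessBindingDeltas": deltas}


def revoke_all_roles(folder_id, subject_id, subject_type, iam_token, dry_run=True):
    """Build the revocation body and, unless dry_run, send it. Returns (body, operation)."""
    bindings = list_access_bindings(folder_id, iam_token)
    body = build_remove_deltas(bindings, subject_id, subject_type)
    if dry_run or not body["accessBindingDeltas"]:
        return body, None
    # updateAccessBindings returns an Operation that may still be running when
    # the call returns; wait for it to finish before re-listing to confirm.
    operation = http_json(f"{API}/folders/{folder_id}:updateAccessBindings", iam_token, body)
    return body, operation


if __name__ == "__main__":
    offline = list_access_bindings("b1gvmob95yysaplct532", fetch=sample_fetch)
    print(json.dumps(build_remove_deltas(offline, "ajei8n54hmfhuk5nog0g", "userAccount"), indent=2))
```

Run it as-is to see the request body built from the sample listing; call revoke_all_roles with a real folder ID, IAM token and dry_run=False to perform the revocation, then re-list and check that roles_of returns an empty list for the subject. Remember that this only clears bindings on the folder itself; a role assigned on the cloud is inherited and must be removed there with the same procedure against the clouds endpoint.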

Terraform

If you don't have Terraform, install it and configure the Yandex Cloud provider.

  1. To revoke a resource role from a subject, find the binding for that role in the configuration file. For a cloud role it looks like this (a folder role uses yandex_resourcemanager_folder_iam_binding with folder_id in the same way):

    resource "yandex_resourcemanager_cloud_iam_binding" "admin" {
      cloud_id = "<cloud ID>"
      role     = "<role>"
      members  = [
        "serviceAccount:<service account ID>",
        "userAccount:<user ID>",
      ]
    }
    
  2. Delete the entry for the subject whose rights are to be revoked from the members list. An iam_binding resource is authoritative for its role on that resource, so any member no longer listed loses the role on apply; to revoke the role from every member, delete the whole resource block instead.

    For more information about the parameters of the yandex_resourcemanager_cloud_iam_binding resource, see the provider documentation.

  3. Make sure that the configuration files are correct.

    1. In the command line, go to the directory where you created the configuration file.
    2. Run the check using the command:
    terraform plan
    

    If the configuration is described correctly, the terminal displays the planned change: the binding is updated in place with the subject removed from members (or destroyed, if you deleted the whole block). If the configuration contains errors, Terraform will point them out.

  4. Apply the change.

    1. If the configuration doesn't contain any errors, run the following command:

      terraform apply
      
    2. Confirm the change: type yes in the terminal and press Enter.

      Afterwards, the subject no longer holds the role on the cloud. You can verify that the role has been revoked in the management console or via the following CLI command:

      yc resource-manager cloud list-access-bindings <cloud name>|<cloud ID>
      

