Revoke a role for a resource
If you want to prevent a subject from accessing a resource, revoke the relevant roles for that resource and also for the parent resources whose roles it inherits (a role assigned on a cloud applies to every folder in it). For more information, see How access management works in Yandex Cloud.
Revoking a role
Management console
In the management console, you can only revoke a cloud or a folder role.
To revoke a role only in the folder:
- On the start page of the management console, select the folder.
- Go to Access rights.
- Select a user from the list and click the icon next to the user.
- Click Edit roles.
- Click the icon next to the role you wish to revoke.
- Click Save.
To revoke a role in the cloud:
- On the start page of the management console, select the cloud.
- Go to Access rights.
- Select a user from the list and click the icon next to the user.
- Click Edit roles.
- Click the icon next to the role you wish to revoke.
- Click Save.
To revoke all the folder or cloud roles at once:
- On the management console start page, select a folder or a cloud.
- Go to the Access bindings tab.
- Select a user from the list and click the icon next to the user.
- If you want to revoke all of the user's roles in the cloud, click Revoke roles and confirm the revocation.
CLI
If you don't have the Yandex Cloud command line interface yet, install and initialize it.
To revoke a role from a subject, delete the corresponding access binding for the appropriate resource:
- View the roles assigned for the resource:
  yc <service-name> <resource> list-access-bindings <resource-name>|<resource-id>
  Where:
  <service-name>: the name of the service that the resource belongs to (for example, resource-manager).
  <resource>: the resource category, such as folder.
  <resource-name>: the name of the resource. You can specify a resource by its name or ID.
  <resource-id>: the resource ID.
  For example, to view which roles are assigned for the default folder and to whom:
  yc resource-manager folder list-access-bindings default
  Result:
  +---------------------+----------------+----------------------+
  |       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
  +---------------------+----------------+----------------------+
  | editor              | serviceAccount | ajepg0mjas06siuj5usm |
  | viewer              | userAccount    | aje6o61dvog2h6g9a33s |
  +---------------------+----------------+----------------------+
- To delete an access binding, run:
  yc <service-name> <resource> remove-access-binding <resource-name>|<resource-id> \
    --role <role-id> \
    --subject <subject-type>:<subject-id>
  Where:
  <role-id>: the ID of the role to revoke (such as resource-manager.clouds.owner).
  <subject-type>: the type of the subject to revoke the role from (userAccount or serviceAccount, as shown in the SUBJECT TYPE column of the listing).
  <subject-id>: the subject ID.
API
To revoke a resource role from a subject, delete the corresponding access binding:
- View which roles were assigned for the resource and to whom using the listAccessBindings method. For example, to view the roles for the folder b1gvmob95yysaplct532:
  export FOLDER_ID=b1gvmob95yysaplct532
  export IAM_TOKEN=CggaATEVAgA...
  curl -H "Authorization: Bearer ${IAM_TOKEN}" \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
  Result:
  {
    "accessBindings": [
      {
        "subject": {
          "id": "ajei8n54hmfhuk5nog0g",
          "type": "userAccount"
        },
        "roleId": "editor"
      }
    ]
  }
- Create a request body, for example, in a body.json file. In the request body, specify which access binding to delete. For example, to revoke the editor role from user ajei8n54hmfhuk5nog0g:
  body.json:
  {
    "accessBindingDeltas": [
      {
        "action": "REMOVE",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "ajei8n54hmfhuk5nog0g",
            "type": "userAccount"
          }
        }
      }
    ]
  }
- Revoke the role by deleting the specified access binding:
  export FOLDER_ID=b1gvmob95yysaplct532
  export IAM_TOKEN=CggaATEVAgA...
  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
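The two API steps above (list the bindings, then POST REMOVE deltas to updateAccessBindings) leave one common gap: a subject keeps access through a role inherited from the parent cloud even after the folder binding is gone. The following Python script is an added example and is not code from the Yandex Cloud documentation. It takes listAccessBindings responses for the folder and for its parent cloud, builds one REMOVE delta for every binding the subject holds on each resource, and posts each request body to that resource's updateAccessBindings endpoint; the clouds endpoint is assumed to follow the same URL pattern as the folders endpoint shown above. The listings, the cloud ID and the IAM token are constructed placeholders, and the `send` callable is injectable so the plan can be reviewed without any network call.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

API_BASE = "https://resource-manager.api.cloud.yandex.net/resource-manager/v1"

# Folder and user IDs are the ones used on this page; the cloud ID is a placeholder.
FOLDER_ID = "b1gvmob95yysaplct532"
CLOUD_ID = "EXAMPLE_CLOUD_ID"
USER_ID = "ajei8n54hmfhuk5nog0g"

# Constructed sample responses in the shape listAccessBindings returns.
FOLDER_BINDINGS = {
    "accessBindings": [
        {"subject": {"id": USER_ID, "type": "userAccount"}, "roleId": "editor"},
        {"subject": {"id": "ajepg0mjas06siuj5usm", "type": "serviceAccount"}, "roleId": "viewer"},
    ]
}
# The same user also holds roles on the parent cloud; every folder in it inherits these.
CLOUD_BINDINGS = {
    "accessBindings": [
        {"subject": {"id": USER_ID, "type": "userAccount"}, "roleId": "resource-manager.clouds.member"},
        {"subject": {"id": USER_ID, "type": "userAccount"}, "roleId": "viewer"},
    ]
}


def bindings_for_subject(listing: Dict, subject_id: str, subject_type: str) -> List[Dict]:
    """Select the bindings in a listAccessBindings response that belong to one subject.
    Both id and type must match: a user and a service account may hold the same role."""
    return [
        b for b in listing.get("accessBindings", [])
        if b["subject"]["id"] == subject_id and b["subject"]["type"] == subject_type
    ]


def removal_deltas(listing: Dict, subject_id: str, subject_type: str) -> List[Dict]:
    """One REMOVE delta per binding, in the accessBindingDeltas format of updateAccessBindings."""
    return [
        {"action": "REMOVE", "accessBinding": b}
        for b in bindings_for_subject(listing, subject_id, subject_type)
    ]


def plan_revocation(resources: List[Tuple[str, str, Dict]],
                    subject_id: str, subject_type: str) -> List[Dict]:
    """resources: (resource kind, resource id, listing) for the folder and each parent resource.
    Returns one request (url + body) per resource on which the subject still holds a binding,
    so the revocation covers inherited rights and not only the folder itself."""
    plan = []
    for kind, resource_id, listing in resources:
        deltas = removal_deltas(listing, subject_id, subject_type)
        if deltas:  # nothing to revoke on this resource: skip the request entirely
            plan.append({
                "url": f"{API_BASE}/{kind}/{resource_id}:updateAccessBindings",
                "body": {"accessBindingDeltas": deltas},
            })
    return plan


def execute_plan(plan: List[Dict], iam_token: str,
                 send: Optional[Callable[[urllib.request.Request], int]] = None) -> List[int]:
    """POST each planned request and return the HTTP status codes.
    `send` defaults to a real urllib call; pass your own callable for a dry run."""
    def _real_send(req: urllib.request.Request) -> int:
        with urllib.request.urlopen(req) as resp:
            return resp.status

    send = send or _real_send
    statuses = []
    for step in plan:
        req = urllib.request.Request(
            step["url"],
            data=json.dumps(step["body"]).encode("utf-8"),
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {iam_token}"},
            method="POST",
        )
        statuses.append(send(req))
    return statuses


if __name__ == "__main__":
    plan = plan_revocation(
        [("folders", FOLDER_ID, FOLDER_BINDINGS), ("clouds", CLOUD_ID, CLOUD_BINDINGS)],
        USER_ID, "userAccount",
    )
    print(json.dumps(plan, indent=2))

    def dry_run(req: urllib.request.Request) -> int:
        print("would POST", req.full_url)
        return 0

    execute_plan(plan, "<IAM token placeholder>", send=dry_run)
```

Run it as-is to see the two requests the sample data produces: one REMOVE for the folder's editor binding and two for the cloud-level bindings, the second of which (resource-manager.clouds.member) is what lets a user work in the cloud at all. Replace the constructed listings with real listAccessBindings responses and drop the `send=dry_run` argument to apply the plan for real; after that, re-run listAccessBindings on both resources and confirm the subject no longer appears.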
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- To revoke a resource role from a subject, find the resource description in the configuration file:
  resource "yandex_resourcemanager_cloud_iam_binding" "admin" {
    cloud_id = "<cloud ID>"
    role     = "<role>"
    members  = [
      "serviceAccount:<service account ID>",
      "userAccount:<user ID>",
    ]
  }
- Delete the entry for the subject whose rights are to be revoked from the members list. For more information about the parameters of the yandex_resourcemanager_cloud_iam_binding resource, see the provider documentation.
- Make sure that the configuration files are correct.
  - In the command line, go to the directory where you created the configuration file.
  - Run the check using the command:
    terraform plan
    If the configuration is described correctly, the terminal displays a list of resources and their parameters. If the configuration contains errors, Terraform will point them out.
- Deploy the cloud resources.
  - If the configuration doesn't contain any errors, run the following command:
    terraform apply
  - Confirm the changes: type yes in the terminal and press Enter.
    Afterwards, the updated access bindings are applied. You can verify the result in the management console or via the following CLI command:
    yc resource-manager cloud list-access-bindings <cloud name>|<cloud ID>