Yandex Cloud
© 2022 Yandex.Cloud LLC

Assigning roles to a service account

Written by
Yandex Cloud

    This section describes how to assign a service account a role for a resource. To grant another user a role for a service account (that is, treating the service account itself as the resource), follow the instructions in Setting up access rights for service accounts.

    A service account can only be assigned roles for the resources of the cloud that the service account belongs to.

    In the management console, you can assign a service account a role only for folders in the same cloud as the one where the service account was created. To assign it a role for any other resource, use the CLI or API.

    Management console

    To assign the viewer role to a service account for the folder:

    1. In the management console, open the page of the folder to assign the role for.
    2. Go to Access bindings in folder (the Access bindings button in the left panel).
    3. Switch the Inherited roles option to on so that the list shows service accounts that don't belong to the current folder.
    4. Click next to the name of the service account.
    5. Click Edit roles.
    6. Click Add role and select the role you'd like to add.
    7. Click Save.

    CLI

    If you don't have the Yandex Cloud command line interface yet, install and initialize it.

    The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

    To assign the service account a role for a resource, run:

    yc <service-name> <resource> add-access-binding <resource-name>|<resource-id> \
      --role <role-id> \
      --subject serviceAccount:<service-account-id>
    

    Where:

    • <service-name>: The name of the service whose resource a role is assigned for (for example, resource-manager).
    • <resource>: The resource category, for example, cloud.
    • <resource-name>: The name of the resource. You can specify a resource by its name or ID.
    • <resource-id>: The resource ID.
    • <role-id>: The role ID, for example, resource-manager.clouds.owner.
    • <service-account-id>: The identifier of the service account assigned the role.

    For example, to assign the viewer role to a service account for the my-folder folder:

    1. Find out the service account ID by its name:

      yc iam service-account get my-robot
      

      Result:

      id: aje6o61dvog2h6g9a33s
      folder_id: b1gvmob95yysaplct532
      created_at: "2018-10-15T18:01:25Z"
      name: my-robot
      

      If you don't know the name of the service account, get a list of service accounts with their IDs:

      yc iam service-account list
      

      Result:

      +----------------------+------------------+-----------------+
      |          ID          |       NAME       |   DESCRIPTION   |
      +----------------------+------------------+-----------------+
      | aje6o61dvog2h6g9a33s | my-robot         | my description  |
      +----------------------+------------------+-----------------+
      
    2. Assign a role to the my-robot service account using its ID:

      yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject serviceAccount:aje6o61dvog2h6g9a33s
      
    API

    1. Get the ID of the folder with service accounts.

    2. Get a list of folder service accounts to find out their IDs:

      export FOLDER_ID=b1gvmob95yysaplct532
      export IAM_TOKEN=CggaATEVAgA...
      curl -H "Authorization: Bearer ${IAM_TOKEN}" \
        "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
      

      Result:

      {
       "serviceAccounts": [
        {
         "id": "ajebqtreob2dpblin8pe",
         "folderId": "b1gvmob95yysaplct532",
         "createdAt": "2018-10-18T13:42:40Z",
         "name": "my-robot",
         "description": "my description"
        }
       ]
      }
      
    3. Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

      body.json:

      {
        "accessBindingDeltas": [
          {
            "action": "ADD",
            "accessBinding": {
              "roleId": "editor",
              "subject": {
                "id": "ajebqtreob2dpblin8pe",
                "type": "serviceAccount"
              }
            }
          }
        ]
      }
      
    4. Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

      export FOLDER_ID=b1gvmob95yysaplct532
      export IAM_TOKEN=CggaATEVAgA...
      curl -X POST \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer ${IAM_TOKEN}" \
        -d '@body.json' \
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
      

    What's next

    • Creating static access keys
    • Setting up access rights for service accounts
    • Assign multiple roles at once

