Assigning roles to a service account

Written by

This section describes how to assign a role to a service account for a resource. To assign another user a role to a service account like to a resource, follow the instructions in Setting up access rights for service accounts.

A service account can only be assigned roles for the resources of the cloud that the service account belongs to.

In the management console, you can only grant a service account roles to folders in the same cloud as the service account's folder and to the cloud itself. To assign it a role for another resource, use the CLI or API.

Management console

CLI

API

Terraform

You assign roles to a service account the same way as to a user account.

To assign a service account a role for the folder:

In the management console, go to the desired folder.
Go to the Access rights tab.
Click Assign roles.
In the Configure access rights window, click Select user.
Go to the Service accounts tab.
Select a service account from the list or use the search.
Click Add role.
Select a role in the folder.
Click Save.

If you don't have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign the service account a role for a resource, run:

yc <service-name> <resource> add-access-binding <resource-name>|<resource-id> \
  --role <role-id> \
  --subject serviceAccount:<service-account-id>

Where:

<service-name>: The name of the service whose resource a role is assigned for (for example, resource-manager).
<resource>: The resource category, for example, cloud.
<resource-name>: The name of the resource. You can specify a resource by its name or ID.
<resource-id>: The resource ID.
<role-id>: The role ID, for example, resource-manager.clouds.owner.
<service-account-id>: The identifier of the service account assigned the role.

For example, to assign a service account the viewer role for the my-folder folder:

Find out the service account ID by its name:

yc iam service-account get my-robot

Result:

id: aje6o61dvog2h6g9a33s
folder_id: b1gvmob95yysaplct532
created_at: "2018-10-15T18:01:25Z"
name: my-robot

If you don't know the name of the service account, get a list of service accounts with their IDs:

yc iam service-account list

Result:

+----------------------+------------------+-----------------+
|          ID          |       NAME       |   DESCRIPTION   |
+----------------------+------------------+-----------------+
| aje6o61dvog2h6g9a33s | my-robot         | my description  |
+----------------------+------------------+-----------------+

Assign a role to the my-robot service account using its ID:

yc resource-manager folder add-access-binding my-folder \
  --role viewer \
  --subject serviceAccount:aje6o61dvog2h6g9a33s

Get the ID of the folder with service accounts.

Get a list of folder service accounts to find out their IDs:

export FOLDER_ID=b1gvmob95yysaplct532
export IAM_TOKEN=CggaATEVAgA...
curl -H "Authorization: Bearer ${IAM_TOKEN}" \
  "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"

Result:

{
 "serviceAccounts": [
  {
   "id": "ajebqtreob2dpblin8pe",
   "folderId": "b1gvmob95yysaplct532",
   "createdAt": "2018-10-18T13:42:40Z",
   "name": "my-robot",
   "description": "my description"
  }
 ]
}

Create a request body, for example, in a body.json file. Set the action property to ADD and specify the serviceAccount type and service account ID in the subject property:

body.json:

{
    "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "ajebqtreob2dpblin8pe",
                "type": "serviceAccount"
                }
            }
        }
    ]
}

Assign a role, say, for the folder with the b1gvmob95yysaplct532 ID:

export FOLDER_ID=b1gvmob95yysaplct532
export IAM_TOKEN=CggaATEVAgA...
curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${IAM_TOKEN}" \
  -d '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

If you don't have Terraform, install it and configure the Yandex Cloud provider.

In the configuration file, describe the parameters of resources that you want to create:
- folder_id: ID of the folder. Required parameter.
- role: The role assigned. Required parameter.
- members: List of users or service account the role is being assigned to. Specified in the following format: userAccount:<user ID> or serviceAccount:<service account ID>. Required parameter.
```
resource "yandex_resourcemanager_folder_iam_binding" "admin-account-iam" {
  folder_id   = "<folder ID>"
  role        = "<role>"
  members     = [
    "serviceAccount:<Service account ID>",
  ]
}
```
For more information about the parameters of the yandex_resourcemanager_folder_iam_binding resource, see the provider documentation.
Make sure that the configuration files are correct.
1. In the command line, go to the directory where you created the configuration file.
2. Run the check using the command:
```
terraform plan
```
If the configuration is described correctly, the terminal displays a list of created resources and their parameters. If the configuration contain errors, Terraform will point them out.
Deploy the cloud resources.
1. If the configuration doesn't contain any errors, run the command:
```
terraform apply
```
2. Confirm the resource creation: type yes in the terminal and press Enter.
Afterwards, all the necessary resources are created in the specified folder. You can verify that the resource has been created in the management console or with the following CLI command:
```
yc resource-manager folder list-access-bindings <folder name>|<folder ID>
```

Assigning roles to a service account

What's next

Was the article helpful?