Assigning roles to a service account
This section describes how to assign a role to a service account for a resource. To assign another user a role to a service account like to a resource, follow the instructions in Setting up access rights for a service account.
A service account can only be assigned roles for the resources of the cloud that the service account belongs to.
In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.
To assign a role for the folder where the service account was created:
- Select a folder.
- Go to the Service accounts tab.
- Click next to the service account and select Edit service account.
- Click Add role and select a role.
- Click Save.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign the service account a role for a resource, run:
yc <SERVICE-NAME> <RESOURCE> add-access-binding <RESOURCE-NAME>|<RESOURCE-ID> \
--role <ROLE-ID> \
--subject serviceAccount:<SERVICE-ACCOUNT-ID>
where:
<SERVICE-NAME>is the name of the service that the resource belongs to (for example,resource-manager).<RESOURCE>is the resource category, for examplecloud.<RESOURCE-NAME>is the name of the resource. You can specify a resource by its name or ID.<RESOURCE-ID>is the resource ID.<ROLE-ID>is the role ID, for exampleresource-manager.clouds.owner.<SERVICE-ACCOUNT-ID>is the identifier of the service account assigned the role.
For example, to assign the viewer role to a service account for the folder my-folder:
-
Find out the service account ID by its name:
$ yc iam service-account get my-robot id: aje6o61dvog2h6g9a33s folder_id: b1gvmob95yysaplct532 created_at: "2018-10-15T18:01:25Z" name: my-robotIf you don't know the name of the service account, get a list of service accounts with their IDs:
$ yc iam service-account list +----------------------+------------------+-----------------+ | ID | NAME | DESCRIPTION | +----------------------+------------------+-----------------+ | aje6o61dvog2h6g9a33s | my-robot | my description | +----------------------+------------------+-----------------+ -
Assign a role to the
my-robotservice account using its ID:$ yc resource-manager folder add-access-binding my-folder \ --role viewer \ --subject serviceAccount:aje6o61dvog2h6g9a33s
-
Get the ID of the folder with service accounts.
-
Get a list of folder service accounts to find out their IDs:
$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -H "Authorization: Bearer ${IAM_TOKEN}" \ "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}" { "serviceAccounts": [ { "id": "ajebqtreob2dpblin8pe", "folderId": "b1gvmob95yysaplct532", "createdAt": "2018-10-18T13:42:40Z", "name": "my-robot", "description": "my description" } ] } -
Create a request body, for example, in a
body.jsonfile. Set theactionproperty toADDand specify theserviceAccounttype and service account ID in thesubjectproperty:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "ajebqtreob2dpblin8pe", "type": "serviceAccount" } } } ] } -
Assign a role, say, for the folder with the
b1gvmob95yysaplct532ID:$ export FOLDER_ID=b1gvmob95yysaplct532 $ export IAM_TOKEN=CggaATEVAgA... $ curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d '@body.json' \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"