Granting and revoking service access
Note
This feature is in the Preview stage.
In Yandex Identity and Access Management, you can grant and revoke service access to resources in the cloud.
Service access can be managed by users with the admin or owner roles for the cloud.
Granting access to a service
To grant access to cloud resources to a service:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The cloud specified in the CLI profile is used by default. You can specify a different cloud in the --cloud-id parameter.
- View the description of the CLI command for granting access to cloud resources to a service:
  yc iam service-control enable --help
- Get a list of services whose access can be managed.
- Run the command by providing the ID of the service to which you want to grant access to cloud resources:
  yc iam service-control enable <service_ID>
  Result:
  done (31s)
  service_id: mdb
  resource:
    id: b1gmgc24pte8********
    type: resource-manager.cloud
  updated_at: "2024-03-12T13:21:12.331340Z"
  status: ENABLED
Use the enable REST API method for the ServiceControl resource or the ServiceControlService/Enable gRPC API call.
Revoking service access
You can revoke a service's access to the cloud only if that service does not have any resources linked to those of another service in the cloud. If there are such resources, delete them first, or suspend the service's access instead of revoking it.
To revoke access to cloud resources from a service:
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The cloud specified in the CLI profile is used by default. You can specify a different cloud in the --cloud-id parameter.
- View the description of the CLI command for revoking access to cloud resources from a service:
  yc iam service-control disable --help
- Get a list of services whose access can be managed.
- Run the command by providing the ID of the service from which you want to revoke access to cloud resources:
  yc iam service-control disable <service_ID>
  Result:
  done (17s)
  service_id: mdb
  resource:
    id: b1gmgc24pte8********
    type: resource-manager.cloud
  updated_at: "2024-03-13T09:40:40.339678Z"
  status: DISABLED
Use the disable REST API method for the ServiceControl resource or the ServiceControlService/Disable gRPC API call.
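When granting or revoking access from a script, the result can be checked field by field rather than read by eye, so that a revocation that did not end in DISABLED (for example, because the service still has linked resources) is caught. The script below is an added example, not part of the Yandex Cloud documentation: the function names sc_field and sc_verify and the embedded sample are constructed here, and it assumes the CLI prints the result in the key: value layout shown on this page.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): check the result printed by
# `yc iam service-control enable|disable` field by field.

# Constructed sample input, modelled on the Result shown for the disable command.
SAMPLE_RESULT='done (17s)
service_id: mdb
resource:
  id: b1gmgc24pte8********
  type: resource-manager.cloud
updated_at: "2024-03-13T09:40:40.339678Z"
status: DISABLED'

# sc_field KEY: print the value of the first "KEY: value" line on stdin,
# ignoring indentation so nested keys (resource.type) are found too.
sc_field() {
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ": ") == 1 { print substr(line, length(key) + 3); exit }
    '
}

# sc_verify SERVICE_ID EXPECTED_STATUS: read a result on stdin; return 0 only
# if it names that service, targets a cloud, and reports the expected status.
sc_verify() {
    result=$(cat)
    service=$(printf '%s\n' "$result" | sc_field service_id)
    rtype=$(printf '%s\n' "$result" | sc_field type)
    status=$(printf '%s\n' "$result" | sc_field status)
    if [ "$service" != "$1" ]; then
        echo "service_id is '$service', expected '$1'" >&2; return 1
    fi
    if [ "$rtype" != "resource-manager.cloud" ]; then
        echo "resource type is '$rtype', expected a cloud" >&2; return 1
    fi
    if [ "$status" != "$2" ]; then
        echo "status is '$status', expected '$2'" >&2; return 1
    fi
    echo "$service $status"
}

# Hypothetical wiring against the real CLI (not executed here):
#   yc iam service-control disable mdb | sc_verify mdb DISABLED
printf '%s\n' "$SAMPLE_RESULT" | sc_verify mdb DISABLED
```

A non-zero return from sc_verify means the service's access is not in the state the change was meant to produce and should be reviewed before continuing.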