Yandex Cloud role reference
Primitive roles
The chart below shows which primitive roles are available in Yandex Cloud and how they inherit each other's permissions. For example, the editor role includes all the permissions of the viewer role. You can find the description of each role under the chart.
auditor
The auditor role grants permission to read service configurations and metadata with no access to data.
For example, the auditor role allows you to perform the following operations:
- View information about a resource.
- View resource metadata.
- View a list of operations with a resource.
The auditor role is currently not supported in the following services:
- Yandex Data Streams.
- Yandex Managed Service for YDB.
- Yandex Query.
viewer
The viewer role grants permission to read resources.
The viewer role includes all permissions granted by the auditor role. Unlike auditor, the viewer role allows access to service data in read mode.
For example, the viewer role allows you to perform the following operations:
- View information about a resource.
- Get a list of nested resources, such as a list of VMs in a folder.
- View a list of operations with a resource.
editor
The editor role grants permissions to perform any operation related to resource management, except assigning roles to other users.
The editor role includes all permissions granted by the viewer role.
For example, the editor role lets you perform the following operations:
- Create a resource.
- Update a resource.
- Delete a resource.
admin
The admin role grants all permissions to manage the resource, including assigning roles to other users. You can assign any role except resource-manager.clouds.owner.
The admin role includes all permissions granted by the editor role.
For example, the admin role lets you perform the following operations:
- Set permissions to the resource.
- Change permissions to the resource.
Service roles
quota-manager.requestOperator
The quota-manager.requestOperator role lets you create requests for new service quotas. This permission is also part of the admin and editor roles.
AI services
ai.auditor
The ai.auditor role enables you to view quotas for Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models, as well as read the folder metadata.
ai.viewer
The ai.viewer role enables you to view quotas for Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models, as well as view the folder info.
This role also includes the ai.auditor permissions.
ai.editor
The ai.editor role allows you to use Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models.
Users with this role can:
- Use Yandex Translate to translate texts.
- Use Yandex Vision OCR to analyze images.
- Use Yandex SpeechKit for speech recognition and synthesis.
- Use YandexGPT API language models for text generation and YandexART models for image generation within Yandex Foundation Models.
- View information on the relevant cloud and folder.
- View information on Translate, Vision, SpeechKit, and Foundation Models quotas.
This role includes the following roles' permissions: ai.viewer, ai.translate.user, ai.vision.user, ai.speechkit-stt.user, ai.speechkit-tts.user, ai.languageModels.user, ai.imageGeneration.user.
ai.admin
The ai.admin role allows you to use Yandex Translate, Yandex Vision, Yandex SpeechKit, and Yandex Foundation Models.
Users with this role can:
- Use Yandex Translate to translate texts.
- Use Yandex Vision OCR to analyze images.
- Use Yandex SpeechKit for speech recognition and synthesis.
- Use YandexGPT API language models for text generation and YandexART models for image generation within Yandex Foundation Models.
- View information on the relevant cloud and folder.
- View information on Translate, Vision, SpeechKit, and Foundation Models quotas.
This role also includes the ai.editor permissions.
Yandex API Gateway
api-gateway.auditor
The api-gateway.auditor role allows you to view the list of API gateways and the details on access bindings to such gateways. It also enables viewing the relevant folder metadata.
api-gateway.viewer
The api-gateway.viewer role allows you to view the list of API gateways, info on them, and the details on access bindings to such gateways. It also enables viewing the relevant folder metadata.
This role also includes the api-gateway.auditor permissions.
api-gateway.editor
The api-gateway.editor role enables managing API gateways and viewing info on them, as well as working with WebSocket API.
Users with this role can:
- View the list of API gateways, info on them and on access bindings to them, as well as use, modify, and delete such gateways.
- Use the request rate limit.
- View info on WebSocket connections and close them, as well as send data through such connections.
- View info on the relevant folder.
This role also includes the api-gateway.websocketWriter permissions.
api-gateway.websocketWriter
The api-gateway.websocketWriter role allows you to work with WebSocket API, as well as view the list of API gateways, info on them, and the details on access bindings to such gateways.
Users with this role can:
- View info on WebSocket connections and close them, as well as send data through such connections.
- View the list of API gateways, info on them and on access bindings to them.
- View info on the relevant folder.
This role also includes the api-gateway.viewer permissions.
api-gateway.admin
The api-gateway.admin role enables managing API gateways and access to them, viewing info on API gateways, and working with WebSocket API.
Users with this role can:
- View info on access bindings for API gateways and modify such bindings.
- View info on API gateways, as well as create, modify, and delete them.
- View info on WebSocket connections and close them, as well as send data through such connections.
- Use the request rate limit.
- View info on the relevant folder.
This role also includes the api-gateway.editor permissions.
For more information, see Access management in API Gateway.
Yandex Application Load Balancer
alb.auditor
The alb.auditor role enables you to view a list of Application Load Balancer resources and their metadata.
alb.viewer
The alb.viewer role lets you view resource model objects.
Includes all permissions granted by the alb.auditor role.
alb.user
The alb.user role allows using Application Load Balancer resources. It is assigned for a folder. For example, with this role you can use Application Load Balancer resources of one folder in Application Load Balancer resources of another folder.
Includes all permissions granted by the alb.viewer role.
alb.editor
The alb.editor role lets you view, create, update, and delete resource model objects.
Includes all permissions granted by the alb.user role.
alb.admin
The alb.admin role lets you manage Application Load Balancer: view, create, update, and delete resources, as well as manage access to them (this feature is currently unavailable).
Includes all permissions granted by the alb.editor role.
For more information, see Access management in Application Load Balancer.
Yandex Audit Trails
audit-trails.auditor
The audit-trails.auditor role lets you view information about trails.
audit-trails.viewer
The audit-trails.viewer role gives you access to audit logs of the trails. Includes all access rights of the audit-trails.auditor role.
audit-trails.editor
The audit-trails.editor role lets you manage trails (create, update, and delete them). Includes all access rights of the audit-trails.viewer role.
audit-trails.admin
The audit-trails.admin role lets you manage your trails and user access to them. Includes all access rights of the audit-trails.editor role.
audit-trails.configViewer
The audit-trails.configViewer role lets you view information about trails. The role is deprecated; use the audit-trails.auditor role instead.
For more information, see Access management in Audit Trails.
Yandex Certificate Manager
certificate-manager.auditor
The certificate-manager.auditor role allows you to get information about valid and revoked certificates, a list of certificates, their versions, and permissions to certificates, information about domains, a list of domains, and permissions to domains, as well as information about quotas.
certificate-manager.viewer
The certificate-manager.viewer role allows getting information about valid and revoked certificates, a list of certificates, their versions, and permissions to certificates, information about domains, a list of domains, and permissions to domains, as well as information about quotas.
Includes all permissions granted by the certificate-manager.auditor role.
certificate-manager.editor
The certificate-manager.editor role enables you to add, modify, update, reissue, delete, and revoke certificates, link them to domains, as well as create, update, and delete domains. The role also allows users to get information about valid and revoked certificates, a list of certificates, their versions, and permissions to certificates, information about domains, a list of domains, and permissions to domains, as well as information about quotas.
certificate-manager.admin
The certificate-manager.admin role lets you manage certificates and access them.
certificate-manager.certificates.downloader
The certificate-manager.certificates.downloader role lets you get the contents of a certificate.
For more information, see Access management in Certificate Manager.
Yandex Cloud Backup
backup.viewer
The backup.viewer role allows you to view information on virtual machines connected to Cloud Backup, on backup policies and backups, as well as on the relevant cloud, folder, and quotas.
Users with this role can:
- View info on the connected backup providers.
- View info on access bindings for backup policies.
- View info on backup policies and virtual machines linked to them.
- View info on the virtual machines connected to the service.
- View info on backups.
- View info on Cloud Backup quotas.
- View information on the relevant cloud.
- View info on the relevant folder and its statistics.
To assign the backup.viewer role, you need either the admin role for the cloud or the backup.admin one for the folder.
backup.editor
The backup.editor role allows you to manage the connection of virtual machines to Cloud Backup, manage backup policies, make backups, and restore VMs from existing backups.
Users with this role can:
- View info on connected backup providers, as well as connect providers available in Cloud Backup.
- Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines.
- View info on access bindings for backup policies.
- View info on backup policies and virtual machines linked to them.
- View info on virtual machines connected to Cloud Backup, as well as connect and disconnect VMs to and from the service.
- View info on backups, as well as delete them and use them to restore VMs.
- View info on Cloud Backup quotas.
- View information on the relevant cloud.
- View info on the relevant folder and its statistics.
This role also includes the backup.viewer permissions.
To assign the backup.editor role, you need either the admin role for the cloud or the backup.admin one for the folder.
backup.admin
The backup.admin role allows you to manage backup policies and access to them, manage the connection of virtual machines to Cloud Backup, make backups, and restore VMs from existing backups.
Users with this role can:
- View info on access bindings for backup policies and modify such bindings.
- View info on connected backup providers, as well as connect providers available in Cloud Backup.
- Create, modify, and delete backup policies, as well as link, unlink, and run them on virtual machines.
- View info on backup policies and virtual machines linked to them.
- View info on virtual machines connected to Cloud Backup, as well as connect and disconnect VMs to and from the service.
- View info on backups, as well as delete them and use them to restore VMs.
- View info on Cloud Backup quotas.
- View information on the relevant cloud.
- View info on the relevant folder and its statistics.
This role also includes the backup.editor permissions.
To assign the backup.admin role, you need the admin role for the cloud.
For more information, see Access management in Cloud Backup.
Yandex Cloud Billing
billing.accounts.member
The billing.accounts.member role is granted automatically when a user is added to the service. It is required to display the selected billing account in the list of all user accounts.
billing.accounts.owner
The billing.accounts.owner role is granted automatically when you create a billing account. The role granted when creating an account cannot be revoked, but it can be assigned to other users and revoked from them.
billing.accounts.viewer
The billing.accounts.viewer role is assigned for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.
billing.accounts.accountant
The billing.accounts.accountant role is assigned for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.
billing.accounts.editor
The billing.accounts.editor role is assigned for a billing account. It grants permission to get payment invoices, activate promo codes, link clouds and services to the billing account, export details, create budgets, generate reconciliation reports, and reserve resources. This role includes the billing.accounts.viewer role.
billing.accounts.admin
The billing.accounts.admin role is assigned for a billing account. It allows you to manage access permissions for the billing account (except for the billing.accounts.owner role). It includes the billing.accounts.editor role.
billing.accounts.varWithoutDiscounts
The billing.accounts.varWithoutDiscounts role is assigned for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts. This role includes the billing.partners.editor role.
billing.partners.editor
The billing.partners.editor role is assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.
For more information, see Access management in Yandex Cloud Billing.
Yandex Cloud CDN
cdn.viewer
The cdn.viewer role enables viewing info on the folder, origin groups, CDN resources, and Cloud CDN quotas.
cdn.editor
The cdn.editor role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.
Users with this role can:
- View information on origin groups as well as create, modify, and delete them.
- View information on CDN resources as well as create, modify, and delete them.
- Manage log export for the requests to CDN servers.
- Manage origin shielding.
- View information on Cloud CDN quotas.
- View information on the relevant folder.
This role also includes the cdn.viewer permissions.
cdn.admin
The cdn.admin role enables managing Cloud CDN resources, as well as viewing the info on quotas and the relevant folder.
Users with this role can:
- View information on origin groups as well as create, modify, and delete them.
- View information on CDN resources as well as create, modify, and delete them.
- Manage log export for the requests to CDN servers.
- Manage origin shielding.
- View information on Cloud CDN quotas.
- View information on the relevant folder.
This role also includes the cdn.editor permissions.
Moving forward, it will additionally include more features.
For more information, see Access management in Cloud CDN.
Yandex Cloud DNS
dns.auditor
The dns.auditor role enables viewing info on DNS zones and access bindings to them, as well as on the relevant folder and Cloud DNS quotas. This role does not provide access to resource records.
dns.viewer
The dns.viewer role enables viewing info on DNS zones and access bindings to them, as well as on the resource records, the relevant folder, and Cloud DNS quotas.
This role also includes the dns.auditor permissions.
dns.editor
The dns.editor role enables managing DNS zones and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.
Users with this role can:
- View information on DNS zones as well as create, use, modify, and delete them.
- View information on resource records as well as create, modify, and delete them.
- Create nested public DNS zones.
- View information on access bindings for DNS zones.
- View information on Cloud DNS quotas.
- View information on the relevant folder.
This role also includes the dns.viewer permissions.
dns.admin
The dns.admin role enables managing DNS zones and access to them, and resource records, as well as viewing info on the relevant folder and Cloud DNS quotas.
Users with this role can:
- View information on access bindings for DNS zones, as well as create, modify, and delete such bindings.
- View information on DNS zones as well as create, use, modify, and delete them.
- View information on resource records as well as create, modify, and delete them.
- Create nested public DNS zones.
- View information on Cloud DNS quotas.
- View information on the relevant folder.
This role also includes the dns.editor permissions.
For more information, see Access management in Cloud DNS.
Yandex Cloud Functions
functions.auditor
The functions.auditor role allows you to view a list of functions and all their details, except the function version code and environment variables.
functions.viewer
The functions.viewer role allows you to view the function list and details.
functions.functionInvoker
The functions.functionInvoker role allows you to invoke functions.
functions.editor
The functions.editor role allows you to create, edit, and delete functions, as well as create function versions.
functions.mdbProxiesUser
The functions.mdbProxiesUser role allows you to connect to managed databases from a function.
functions.admin
The functions.admin role allows you to manage function access settings.
For more information, see Access management in Cloud Functions.
Yandex Cloud Logging
logging.viewer
The logging.viewer role grants permission to list log groups and view information about them.
logging.editor
The logging.editor role grants permission to update all settings of a log group, except the access rights.
The logging.editor role includes all permissions granted by the logging.viewer role.
logging.reader
The logging.reader role grants permission to view records in a log group.
The logging.reader role includes all permissions granted by the logging.viewer role.
logging.writer
The logging.writer role grants permission to add records to a log group.
The logging.writer role includes all permissions granted by the logging.viewer role.
logging.admin
The logging.admin role grants all permissions to manage a log group, including permissions to assign roles for a log group to other users.
The logging.admin role includes all permissions granted by the logging.editor, logging.reader, and logging.writer roles.
For more information, see Access management in Cloud Logging.
Yandex Cloud Marketplace
marketplace.meteringAgent
The marketplace.meteringAgent role allows you to log how Marketplace products are used.
Using this role, you can authenticate your apps in Metering API and track app metrics configured by partners for billing purposes.
You can assign this role to a service account.
license-manager.auditor
The license-manager.auditor role enables getting information on subscriptions.
license-manager.viewer
The license-manager.viewer role enables getting information on subscriptions and their links to a resource, app, or service.
This role also includes the license-manager.auditor permissions.
license-manager.user
The license-manager.user role enables managing subscriptions, as well as getting information on those and their links to resources, apps, or services.
Users with this role can:
- Get information on subscriptions and their links to resources, apps, or services.
- Buy subscriptions.
- Disable subscription auto-renew.
- Link subscriptions to resources, apps, and services, as well as unlink them.
- Move subscriptions from one folder to another.
This role also includes the license-manager.viewer permissions.
For more information, see Access management in Marketplace.
Yandex Cloud Organization
organization-manager.viewer
The organization-manager.viewer role grants permission to view, but not edit, an organization's settings.
organization-manager.admin
The organization-manager.admin role grants permission to edit organization settings, create identity federations, add and remove users, create other administrators, and manage the resources of an organization's clouds.
organization-manager.organizations.owner
The organization-manager.organizations.owner role grants permission to appoint organization owners as well as use all the administrator privileges.
organization-manager.federations.viewer
The organization-manager.federations.viewer role enables you to view organization settings and get organization and federation lists and group mapping lists.
organization-manager.federations.admin
The organization-manager.federations.admin role allows you to create, update, and delete federations, certificates, and their users, view organization settings, and get organization and federation lists and group mapping lists.
organization-manager.osLogins.viewer
The organization-manager.osLogins.viewer role enables you to view OS Login profiles and SSH keys of the organization users.
organization-manager.osLogins.admin
The organization-manager.osLogins.admin role enables you to edit OS Login profiles, SSH keys, and create certificates for the organization users.
organization-manager.groups.memberAdmin
The organization-manager.groups.memberAdmin role grants permission to view a group's information, add and remove group members.
For more information, see Access management in Yandex Cloud Organization.
Yandex Cloud Postbox
postbox.sender
The postbox.sender role allows you to send emails.
Users with this role can send emails from Yandex Cloud Postbox.
postbox.auditor
The postbox.auditor role allows you to get information about Yandex Cloud Postbox addresses.
Users with this role can view address information and get a list of Yandex Cloud Postbox addresses.
postbox.viewer
The postbox.viewer role allows you to get information about Yandex Cloud Postbox addresses.
Users with this role can view address information and get a list of Yandex Cloud Postbox addresses.
Includes all permissions granted by the postbox.auditor role.
postbox.editor
The postbox.editor role allows you to manage Yandex Cloud Postbox addresses and send emails.
Users with this role can create, update, and delete addresses, view address information, get a list of Yandex Cloud Postbox addresses, and send emails.
Includes all permissions granted by the postbox.viewer role.
postbox.admin
The postbox.admin role allows you to manage Yandex Cloud Postbox addresses and send emails.
Users with this role can create, update, and delete addresses, view address information, get a list of Yandex Cloud Postbox addresses, and send emails.
The role grants the same permissions as the postbox.editor role.
For more information, see Access management in Yandex Cloud Postbox.
Yandex Compute Cloud
compute.auditor
The compute.auditor role allows you to view information on Compute Cloud resources and relevant operations, as well as on the amount of used resources and quotas. It does not allow you to access the serial port or serial console of an instance.
- View a list of instances and information on them.
- View a list of instance groups and information on them.
- View a list of instance placement groups and information on them.
- View lists of instances in placement groups.
- View a list of dedicated host groups and information on them.
- View lists of hosts and instances in dedicated host groups.
- View information on GPU clusters and instances included in these clusters.
- View a list of disks and information on them.
- View a list of file storages and information on them.
- View a list of non-replicated disk placement groups and information on them.
- View lists of disks in placement groups.
- View a list of images and information on them.
- View information on image families, on images within families, on the latest family image, as well as on access bindings to image families.
- View a list of disk snapshots and information on them.
- View information on disk snapshot schedules.
- View information on Compute Cloud resource and quota consumption and disk limits in the management console.
- View lists of resource operations for Compute Cloud, as well as information on these operations.
- View information on the status of configuring access via OS Login on instances.
- View information on available platforms.
- View a list of availability zones and information on them.
compute.viewer
The compute.viewer role allows you to view information on Compute Cloud resources and resource operations, as well as on access bindings to the resources and on the amount of used resources and quotas. This role also grants access to instance metadata and serial port output.
- View the instance serial port output.
- View instance metadata.
- View a list of instances, information on instances and on access bindings to them.
- View a list of instance groups and information on them.
- View a list of instance placement groups, information on instance placement groups and on access bindings to them.
- View lists of instances in placement groups.
- View a list of dedicated host groups, information on dedicated host groups and on access bindings to them.
- View lists of hosts and instances in dedicated host groups.
- View information on GPU clusters and instances included in GPU clusters, as well as on the access bindings to these clusters.
- View a list of disks, information on disks and on access bindings to them.
- View a list of file storages, information on file storages and on access bindings to them.
- View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access bindings to them.
- View lists of disks in placement groups.
- View a list of images, information on images and on access bindings to them.
- View information on image families, on images within families, on the latest family image, as well as on access bindings to image families.
- View a list of disk snapshots, information on disk snapshots and on access bindings to them.
- View information on disk snapshot schedules and on access bindings to them.
- View information on Compute Cloud resource and quota consumption and disk limits in the management console.
- View lists of resource operations for Compute Cloud, as well as information on these operations.
- View information on the status of configuring access via OS Login on instances.
- View information on available platforms.
- View a list of availability zones, information on availability zones and on access bindings to them.
This role also includes the compute.auditor permissions.
compute.editor
The compute.editor role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources.
- Create, modify, start, restart, stop, move, and delete instances.
- View a list of instances, information on instances and on access bindings to them.
- Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
- Create instances with custom FQDNs and create multi-interface instances.
- Bind service accounts to instances and activate AWS v1 tokens on instances.
- Use the instance serial port for reading and writing.
- Simulate instance maintenance events.
- View instance metadata.
- View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys.
- View a list of instance groups, information on instance groups and on access bindings to them, as well as use, create, modify, start, stop, and delete instance groups.
- View a list of instance placement groups, information on instance placement groups and on access bindings to them, as well as use, modify, and delete instance placement groups.
- View lists of instances in placement groups.
- View a list of dedicated host groups, information on dedicated host groups and on access bindings to them, as well as use, modify, and delete dedicated host groups.
- View lists of hosts and instances in dedicated host groups.
- Modify scheduled maintenance windows for hosts in dedicated host groups.
- Use GPU clusters, as well as create, modify, and delete them.
- View information on GPU clusters and instances included in GPU clusters, as well as on the access bindings to these clusters.
- View a list of disks, information on disks and on access bindings to them, as well as use, modify, move, and delete disks.
- Create encrypted disks.
- View and update disk links.
- View a list of file storages, information on file storages and on access bindings to them, as well as use, create, modify, and delete file storages.
- View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access bindings to them, as well as use, modify, and delete non-replicated disk placement groups.
- View lists of disks in placement groups.
- View a list of images, information on images and on access bindings to them, as well as use, modify, and delete images.
- Create, modify, delete, and update image families.
- View information on image families, on images within families, on the latest family image, as well as on access bindings to image families.
- View a list of disk snapshots, information on disk snapshots and on access bindings to them, as well as use, modify, and delete disk snapshots.
- View information on disk snapshot schedules and on access bindings to them, as well as create, modify, and delete disk snapshot schedules.
- View information on cloud networks and use them.
- View information on subnets and use them.
- View information on cloud resource addresses and use them.
- View information on route tables and use them.
- View information on security groups and use them.
- View information on NAT gateways and connect them to route tables.
- View information on the IP addresses used in subnets.
- View information on resource operations for Virtual Private Cloud.
- View information on Virtual Private Cloud quotas.
- View information on Compute Cloud resource and quota consumption and disk limits in the management console.
- View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
- View information on available platforms and use them.
- View a list of availability zones, information on availability zones and on access bindings to them.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the compute.viewer, compute.osLogin, and vpc.user permissions.
compute.admin
The compute.admin role allows you to manage instances, instance groups, disks, images, GPU clusters, and other Compute Cloud resources, as well as manage access to them.
- Create, modify, start, restart, stop, move, and delete instances, as well as manage access to them.
- View a list of instances, information on instances and on access bindings to them.
- Connect and disconnect disks, file storages, and network interfaces to and from instances, as well as link security groups to instance network interfaces.
- Create instances with custom FQDNs and create multi-interface instances.
- Bind service accounts to instances and activate AWS v1 tokens on instances.
- Use the instance serial port for reading and writing.
- Simulate instance maintenance events.
- View instance metadata.
- View information on the status of configuring access via OS Login on instances and connect to instances via OS Login using SSH certificates or SSH keys and run commands as a superuser (sudo).
- Use, create, modify, start, stop, and delete instance groups, as well as manage access to instance groups.
- View a list of instance groups, information on instance groups and on access bindings to them.
- Use, create, modify, and delete instance placement groups, as well as manage access to instance placement groups.
- View a list of instance placement groups, information on instance placement groups and on access bindings to them.
- View lists of instances in placement groups.
- Use, create, modify, and delete dedicated host groups, as well as manage access to dedicated host groups.
- View a list of dedicated host groups, information on dedicated host groups and on access bindings to them.
- View lists of hosts and instances in dedicated host groups.
- Modify scheduled maintenance windows for hosts in dedicated host groups.
- Use, create, modify, and delete GPU clusters, as well as manage access to them.
- View information on GPU clusters and instances included in GPU clusters, as well as on the access bindings to these clusters.
- Use, create, modify, move, and delete disks, as well as manage access to them.
- Create encrypted disks.
- View a list of disks, information on disks and on access bindings to them.
- View and update disk links.
- Use, create, modify, and delete file storages, as well as manage access to them.
- View a list of file storages, information on file storages and on access bindings to them.
- Use, create, modify, and delete non-replicated disk placement groups, as well as manage access to non-replicated disk placement groups.
- View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access bindings to them.
- View lists of disks in placement groups.
- Use, create, modify, and delete images, as well as manage access to them.
- View a list of images, information on images and on access bindings to them.
- Create, modify, delete, and update image families, as well as manage access to them.
- View information on image families, on images within families, on the latest family image, as well as on access bindings to image families.
- Use, create, modify, and delete disk snapshots, as well as manage access to them.
- View a list of disk snapshots, information on disk snapshots and on access bindings to them.
- Create, modify, and delete disk snapshot schedules, as well as manage access to them.
- View information on disk snapshot schedules and on access bindings to them.
- View information on cloud networks and use them.
- View information on subnets and use them.
- View information on cloud resource addresses and use them.
- View information on route tables and use them.
- View information on security groups and use them.
- View information on NAT gateways and connect them to route tables.
- View information on the IP addresses used in subnets.
- View information on resource operations for Virtual Private Cloud.
- View information on Virtual Private Cloud quotas.
- View information on Compute Cloud resource and quota consumption and disk limits in the management console.
- View lists of resource operations for Compute Cloud and information on operations, as well as abort such operations.
- View information on available platforms and use them.
- View a list of availability zones, information on availability zones and on access bindings to them.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the compute.editor and compute.osAdminLogin permissions.
compute.osLogin
The compute.osLogin role allows you to connect to instances via OS Login using SSH certificates or SSH keys.
compute.osAdminLogin
The compute.osAdminLogin role allows you to connect to instances using SSH certificates or SSH keys via OS Login and run commands as a superuser (sudo).
compute.disks.user
The compute.disks.user role allows you to view a list of disks and information on them, as well as use disks to create new resources, such as instances.
compute.images.user
The compute.images.user role allows you to view a list of images and information on them, get information on the latest image within the image family, as well as use images to create new resources, such as instances.
compute.operator
The compute.operator role allows you to start and stop instances and instance groups, and to view information on Compute Cloud resources and resource operations, on access bindings to the resources, and on the amount of used resources and quotas.
- Start, restart, and stop instances.
- View a list of instances, information on instances and on access bindings to them.
- Start and stop instance groups.
- View a list of instance groups and information on them.
- View the instance serial port output.
- View instance metadata.
- View a list of instance placement groups, information on instance placement groups and on access bindings to them.
- View lists of instances in placement groups.
- View a list of dedicated host groups, information on dedicated host groups and on access bindings to them.
- View lists of hosts and instances in dedicated host groups.
- View information on GPU clusters and instances included in GPU clusters, as well as on the access bindings to these clusters.
- View a list of disks, information on disks and on access bindings to them.
- View a list of file storages, information on file storages and on access bindings to them.
- View a list of non-replicated disk placement groups, information on non-replicated disk placement groups and on access bindings to them.
- View lists of disks in placement groups.
- View a list of images, information on images and on access bindings to them.
- View information on image families, on images within families, on the latest family image, as well as on access bindings to image families.
- View a list of disk snapshots, information on disk snapshots and on access bindings to them.
- View information on disk snapshot schedules and on access bindings to them.
- View information on Compute Cloud resource and quota consumption and disk limits in the management console.
- View lists of resource operations for Compute Cloud, as well as information on these operations.
- View information on the status of configuring access via OS Login on instances.
- View information on available platforms.
- View a list of availability zones, information on availability zones and on access bindings to them.
This role also includes the compute.viewer permissions.
compute.snapshotSchedules.viewer
The compute.snapshotSchedules.viewer role allows you to view information on scheduled disk snapshots.
Users with this role can:
- View information on disk snapshot schedules and on access bindings to them.
- View lists of disks.
- View lists of disk snapshots.
- View a list of disk snapshot operations.
compute.snapshotSchedules.editor
The compute.snapshotSchedules.editor role allows you to create, modify, and delete disk snapshot schedules, create and delete disk snapshots, as well as view information on disk snapshot operations.
Users with this role can:
- View information on disk snapshot schedules and on access bindings to them, as well as create, modify, and delete disk snapshot schedules.
- View lists of disks and use disks to create snapshots.
- View lists of disk snapshots, create and delete snapshots.
- View a list of disk snapshot operations and information on them.
This role also includes the compute.snapshotSchedules.viewer permissions.
For more information, see Access management in Compute Cloud.
Yandex Connection Manager
connection-manager.auditor
The connection-manager.auditor role allows you to view public details on connections and access bindings to them. If you have this role assigned for a cloud, it will also enable viewing Connection Manager quotas.
connection-manager.viewer
The connection-manager.viewer role enables viewing info on connections and access bindings to them, as well as on the Connection Manager quotas. It does not allow you to view private data, such as DB passwords.
This role also includes the connection-manager.auditor permissions.
connection-manager.editor
The connection-manager.editor role allows you to manage connections and view their details, including private data such as DB passwords.
Users with this role can:
- Create, use, edit, and delete connections.
- View connection details, including private data and info on access bindings.
- View info on Connection Manager quotas.
This role also includes the connection-manager.viewer permissions.
connection-manager.admin
The connection-manager.admin role allows you to manage connections and access to those, as well as view connection details, including private data such as DB passwords.
Users with this role can:
- Create, use, edit, and delete connections, as well as manage access to them.
- View connection details, including private data and info on access bindings.
- View info on Connection Manager quotas.
This role also includes the connection-manager.editor permissions.
For more information, see Access management in Connection Manager.
Yandex Container Registry
container-registry.viewer
The container-registry.viewer role lets you view information about registries, Docker images, and repositories.
container-registry.editor
The container-registry.editor role lets you create, update, and delete registries, Docker images, and repositories. Includes all permissions granted by the container-registry.viewer role.
container-registry.admin
The container-registry.admin role lets you create, edit, and delete registries. Lets you configure access rights to service resources. Includes all permissions granted by the container-registry.viewer and container-registry.editor roles.
container-registry.images.pusher
The container-registry.images.pusher role lets you manage Docker images and view information about service resources (registries, Docker images, and repositories).
container-registry.images.puller
The container-registry.images.puller role lets you download Docker images and view information about service resources (registries, Docker images, and repositories).
container-registry.images.scanner
The container-registry.images.scanner role lets you scan Docker images and view information about service resources (registries, Docker images, and repositories).
For more information, see Access management in Container Registry.
Yandex DataLens
datalens.visitor
The datalens.visitor role grants access to DataLens. You can view and edit workbooks and collections if you have the appropriate roles that grant access to these workbooks and collections.
datalens.creator
The datalens.creator role grants access to DataLens with a permission to create workbooks and collections in the DataLens root. You can view and edit workbooks and collections created by other users only if you have access permissions to these workbooks and collections.
datalens.admin
The datalens.admin role grants full access to DataLens and any of its workbooks and collections.
datalens.instances.user
The datalens.instances.user role grants access to DataLens as a user with permissions to create, read, and edit objects according to the permissions to objects.
After you assign a service role, you can grant the user permissions to objects and directories in DataLens.
Tip
We recommend using the datalens.creator role instead of the datalens.instances.user one. The two roles grant identical permissions, but using datalens.creator is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.
datalens.instances.admin
The datalens.instances.admin role allows you to access DataLens as a DataLens instance administrator. Administrators have full access to all objects and folders in DataLens, as well as to DataLens settings.
Tip
We recommend using the datalens.admin role instead of the datalens.instances.admin one. The two roles grant identical permissions, but using datalens.admin is safer, because it only allows access to the DataLens instance, and disallows viewing all organization folders.
For more information, see DataLens roles.
Yandex Data Proc
dataproc.agent
The dataproc.agent role allows the service account assigned to the Yandex Data Proc cluster to notify the service of the status of each host in the cluster.
This role must be assigned to the service account specified when creating the cluster.
Currently, this role can only be assigned for working with a folder or a cloud.
mdb.dataproc.agent
The mdb.dataproc.agent role will soon be discontinued. Users with this role will automatically be assigned the dataproc.agent role with the same rights. We do not recommend using this role.
Currently, this role can only be assigned for working with a folder or a cloud.
dataproc.auditor
The dataproc.auditor role enables you to view information about clusters and jobs (with no access to job content).
dataproc.viewer
The dataproc.viewer role enables you to view information about clusters and quotas.
dataproc.user
The dataproc.user role provides access to the Yandex Data Proc component web interfaces and enables you to create jobs. It includes the dataproc.viewer role.
dataproc.provisioner
The dataproc.provisioner role grants access to the API to create, update, and delete Yandex Data Proc cluster objects.
dataproc.editor
The dataproc.editor role enables you to create, edit, and delete clusters and jobs, view information about them, and provides access to the Yandex Data Proc component web interfaces. It includes the dataproc.viewer role.
dataproc.admin
The dataproc.admin role enables you to create, edit, and delete clusters and jobs, view information about them, and manage access to clusters, and provides access to the Yandex Data Proc component web interfaces. It includes the dataproc.editor role.
managed-metastore.auditor
The managed-metastore.auditor role enables you to view information about clusters and quotas.
managed-metastore.viewer
The managed-metastore.viewer role enables you to view information about clusters, their runtime logs, and quotas.
managed-metastore.editor
The managed-metastore.editor role enables you to edit and delete clusters, view information about clusters, their runtime logs, and quotas. This role includes the managed-metastore.viewer role. To create clusters, you also need the vpc.user role.
managed-metastore.admin
The managed-metastore.admin role enables you to edit and delete clusters, view information about clusters, their runtime logs, and quotas, as well as manage cluster access. This role includes the managed-metastore.editor role. To create clusters, you also need the vpc.user role.
For more information, see Access management in Yandex Data Proc.
Yandex DataSphere
datasphere.community-projects.viewer
The datasphere.community-projects.viewer role lets you view the project list and settings, as well as their resources and project members.
In the DataSphere interface, users with the datasphere.community-projects.viewer role have the Viewer role in the Members tab on the project page.
datasphere.community-projects.developer
The datasphere.community-projects.developer role lets you work in a project. Users with this role can manage project resources but can't share them in a community. They can run an IDE and code cells.
The datasphere.community-projects.developer role also includes all permissions of the datasphere.community-projects.viewer role.
In the DataSphere interface, users with the datasphere.community-projects.developer role have the Developer role in the Members tab on the project page.
datasphere.community-projects.editor
The datasphere.community-projects.editor role lets you edit project settings and delete projects.
Users with the datasphere.community-projects.editor role can share project resources with communities where they have Developer privileges (the datasphere.communities.developer role).
The datasphere.community-projects.editor role also includes all permissions of the datasphere.community-projects.developer role.
In the DataSphere interface, users with the datasphere.community-projects.editor role have the Editor role in the Members tab on the project page.
datasphere.community-projects.admin
The datasphere.community-projects.admin role lets you manage project access rights.
Users with the datasphere.community-projects.admin role can share project resources with communities where they have Developer privileges (the datasphere.communities.developer role).
The datasphere.community-projects.admin role also includes all permissions of the datasphere.community-projects.editor role.
In the DataSphere interface, users with the datasphere.community-projects.admin role have the Admin role in the Members tab on the project page.
datasphere.communities.viewer
With the datasphere.communities.viewer role, you can view the list of communities and their settings, but can't create, delete, or edit resources. This role doesn't let you run an IDE.
The datasphere.communities.viewer role also includes all permissions of the datasphere.community-projects.viewer role.
In the DataSphere interface, users with the datasphere.communities.viewer role have the Viewer role in the Members tab on the community page.
datasphere.communities.developer
The datasphere.communities.developer role lets you create new projects and publish project resources in a community.
The datasphere.communities.developer role also includes all permissions of the datasphere.communities.viewer role.
In the DataSphere interface, users with the datasphere.communities.developer role have the Developer role in the Members tab on the community page.
datasphere.communities.editor
The datasphere.communities.editor role lets you edit community settings, manage community projects and resources, and delete communities. Users with this role can link a billing account to a community.
The datasphere.communities.editor role also includes all permissions of the datasphere.communities.developer and datasphere.community-projects.editor roles.
In the DataSphere interface, users with the datasphere.communities.editor role have the Editor role in the Members tab on the community page.
datasphere.communities.admin
The datasphere.communities.admin role lets you manage permissions to a community and its projects and resources.
The datasphere.communities.admin role also includes all permissions of the datasphere.communities.editor and datasphere.community-projects.admin roles.
Users with the datasphere.communities.admin role can share resources with communities where they also have this role.
In the DataSphere interface, users with the datasphere.communities.admin role have the Admin role in the Members tab on the community page.
datasphere.user
The datasphere.user role is deprecated and no longer used.
datasphere.admin
The datasphere.admin role is deprecated and no longer used.
For more information, see Access management in DataSphere.
Yandex Data Streams
yds.viewer
Users with the yds.viewer role can read data from Data Streams streams and view their settings. The yds.viewer role also includes all permissions of the ydb.viewer role.
yds.writer
The yds.writer role allows writing data to Data Streams streams.
yds.editor
The yds.editor role enables you to write data to and read data from Data Streams streams, as well as view their settings. The yds.editor role also includes all permissions of the ydb.editor role.
yds.admin
Users with the yds.admin role can manage resource access rights, e.g., allow other users to create Data Streams streams or view information about them.
The yds.admin role also includes all permissions of the ydb.admin role.
For more information, see Access management in Data Streams.
Yandex Data Transfer
data-transfer.auditor
The data-transfer.auditor role allows you to view the service metadata, including the information on the relevant folder, endpoints, and transfers, as well as on Data Transfer quotas.
Currently, this role can only be assigned for working with a folder or a cloud.
data-transfer.viewer
The data-transfer.viewer role allows you to view information on the relevant folder, endpoints, and transfers, as well as on Data Transfer quotas.
This role also includes the data-transfer.auditor permissions.
Currently, this role can only be assigned for working with a folder or a cloud.
data-transfer.privateAdmin
The data-transfer.privateAdmin role allows you to manage endpoints and transfers for transferring data only within Yandex Cloud networks, as well as to view information on the relevant folder and Data Transfer quotas.
Users with this role can:
- View information on transfers, as well as create, modify, delete, activate, use, and deactivate transfers for transferring data within Yandex Cloud networks.
- View information on endpoints, as well as create, modify, and delete endpoints in Yandex Cloud.
- View information on the relevant folder.
- View information on Data Transfer quotas.
This role also includes the data-transfer.viewer permissions.
Currently, this role can only be assigned for working with a folder or a cloud.
data-transfer.admin
The data-transfer.admin role allows you to manage endpoints and transfers for transferring data within Yandex Cloud networks and over the internet, as well as to view information on the relevant folder and Data Transfer quotas.
Users with this role can:
- View information on transfers, as well as create, modify, delete, activate, use, and deactivate transfers for transferring data both within Yandex Cloud networks and over the internet.
- View information on endpoints, as well as create, modify, and delete endpoints both within and outside Yandex Cloud.
- View information on the relevant folder.
- View information on Data Transfer quotas.
This role also includes the data-transfer.privateAdmin permissions.
Currently, this role can only be assigned for working with a folder or a cloud.
For more information, see Access management in Data Transfer.
Yandex Identity and Access Management
iam.serviceAccounts.user
The iam.serviceAccounts.user role enables viewing the list of service accounts and info on them, as well as performing operations on behalf of a service account.
For example, if you specify a service account when creating an instance group, IAM will check whether you have a permission to use this service account.
iam.serviceAccounts.admin
The iam.serviceAccounts.admin role enables managing service accounts and access to them and their keys, as well as getting IAM tokens for service accounts.
Users with this role can:
- View the list of service accounts and info on them, as well as create, use, modify, and delete them.
- View info on access bindings for service accounts and modify such bindings.
- Get IAM tokens for service accounts.
- View the list of service account API keys and info on them, as well as create, modify, and delete them.
- View the list of service account static access keys and info on them, as well as create, modify, and delete them.
- View info on service account authorized keys, as well as create, modify, and delete them.
- View info on the relevant folder and its settings.
iam.serviceAccounts.accessKeyAdmin
The iam.serviceAccounts.accessKeyAdmin role enables managing static access keys for service accounts.
Users with this role can:
- View the list of service account static access keys and information on them.
- Create, update, and delete static access keys for service accounts.
iam.serviceAccounts.apiKeyAdmin
The iam.serviceAccounts.apiKeyAdmin role enables managing API keys for service accounts.
Users with this role can:
- View the list of service account API keys and information on them.
- Create, update, and delete API keys for service accounts.
iam.serviceAccounts.authorizedKeyAdmin
The iam.serviceAccounts.authorizedKeyAdmin role enables viewing info on service account authorized keys, as well as creating, modifying, and deleting them.
iam.serviceAccounts.keyAdmin
The iam.serviceAccounts.keyAdmin role enables managing static access keys, API keys, and authorized keys for service accounts.
Users with this role can:
- View the list of service account static access keys and info on them, as well as create, modify, and delete them.
- View the list of service account API keys and info on them, as well as create, modify, and delete them.
- View info on service account authorized keys, as well as create, modify, and delete them.
This role also includes the iam.serviceAccounts.accessKeyAdmin, iam.serviceAccounts.apiKeyAdmin, and iam.serviceAccounts.authorizedKeyAdmin permissions.
iam.serviceAccounts.tokenCreator
The iam.serviceAccounts.tokenCreator role enables getting IAM tokens for service accounts.
With such an IAM token, one can impersonate a service account and perform the operations allowed for it.
This role does not allow you to modify access permissions or delete a service account.
iam.auditor
The iam.auditor role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.
Users with this role can:
- View the list of service accounts and information on them.
- View info on access bindings for service accounts.
- View the list of service account API keys and information on them.
- View the list of service account static access keys and information on them.
- View info on service account authorized keys.
- View the list of operations and the info on IAM resource operations.
- View info on Identity and Access Management quotas.
- View info on the relevant cloud and its settings.
- View info on the relevant folder and its settings.
iam.viewer
The iam.viewer role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.
Users with this role can:
- View the list of service accounts and information on them.
- View info on access bindings for service accounts.
- View the list of service account API keys and information on them.
- View the list of service account static access keys and information on them.
- View info on service account authorized keys.
- View the list of operations and the info on IAM resource operations.
- View info on Identity and Access Management quotas.
- View info on the relevant cloud and its settings.
- View info on the relevant folder and its settings.
This role also includes the iam.auditor permissions.
iam.editor
The iam.editor role allows you to manage service accounts and their keys, manage folders, and view info on IAM resource operations and quotas.
Users with this role can:
- View the list of service accounts and info on them, as well as create, use, modify, and delete them.
- View the list of service account API keys and info on them, as well as create, modify, and delete them.
- View the list of service account static access keys and info on them, as well as create, modify, and delete them.
- View info on service account authorized keys, as well as create, modify, and delete them.
- View info on access bindings for service accounts.
- View the list of operations and the info on IAM resource operations.
- View info on Identity and Access Management quotas.
- View info on the relevant cloud and its settings.
- View info on the relevant folders and their settings.
- Create, modify, delete, and set up folders.
This role also includes the iam.viewer permissions.
iam.admin
The iam.admin role enables managing service accounts and access to them and their keys, as well as managing folders, viewing info on IAM resource operations and quotas, and getting IAM tokens for service accounts.
Users with this role can:
- View the list of service accounts and info on them, as well as create, use, modify, and delete them.
- View info on access bindings for service accounts and modify such bindings.
- Get IAM tokens for service accounts.
- View the list of service account API keys and info on them, as well as create, modify, and delete them.
- View the list of service account static access keys and info on them, as well as create, modify, and delete them.
- View info on service account authorized keys, as well as create, modify, and delete them.
- View info on identity federations.
- View the list of operations and the info on Identity and Access Management resource operations.
- View info on Identity and Access Management quotas.
- View info on the relevant cloud and its settings.
- View info on the relevant folders and their settings.
- Create, modify, delete, and set up folders.
This role also includes the iam.editor and iam.serviceAccounts.admin permissions.
For more information, see Access management in Identity and Access Management.
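The "This role also includes ..." statements in the IAM section form an inclusion graph, so a binding review has to resolve roles transitively before deciding who can obtain tokens or keys for service accounts. The following is an added example, not part of the Yandex Cloud documentation: the role data is transcribed from this section only, while the capability labels, the `(subject, role)` binding shape, and the subject names are assumptions constructed for illustration.

```python
"""Flag access bindings that let a subject act as, or mint credentials for,
service accounts, resolving role inclusion transitively."""
from collections import deque

# "This role also includes the X permissions" edges, as stated in this section.
INCLUDES = {
    "iam.viewer": ["iam.auditor"],
    "iam.editor": ["iam.viewer"],
    "iam.admin": ["iam.editor", "iam.serviceAccounts.admin"],
    "iam.serviceAccounts.keyAdmin": [
        "iam.serviceAccounts.accessKeyAdmin",
        "iam.serviceAccounts.apiKeyAdmin",
        "iam.serviceAccounts.authorizedKeyAdmin",
    ],
}

# Sensitive abilities each role's own description lists. The labels are
# hypothetical names chosen for this example, not Yandex Cloud permission IDs.
DIRECT = {
    "iam.serviceAccounts.user": {"use-sa"},
    "iam.serviceAccounts.tokenCreator": {"get-token"},
    "iam.serviceAccounts.accessKeyAdmin": {"static-key"},
    "iam.serviceAccounts.apiKeyAdmin": {"api-key"},
    "iam.serviceAccounts.authorizedKeyAdmin": {"authorized-key"},
    "iam.serviceAccounts.keyAdmin": set(),  # inherits all three key abilities
    "iam.serviceAccounts.admin": {
        "use-sa", "get-token", "static-key", "api-key",
        "authorized-key", "edit-bindings",
    },
    "iam.auditor": set(),
    "iam.viewer": set(),
    "iam.editor": {"use-sa", "static-key", "api-key", "authorized-key"},
    "iam.admin": set(),  # inherits via iam.editor and iam.serviceAccounts.admin
}


def expand(role):
    """Return the role plus every role it includes, directly or indirectly."""
    seen, queue = {role}, deque([role])
    while queue:
        for child in INCLUDES.get(queue.popleft(), ()):
            if child not in seen:  # also guards against accidental cycles
                seen.add(child)
                queue.append(child)
    return seen


def capabilities(role):
    """Union of the sensitive abilities of a role and everything it includes."""
    caps = set()
    for member in expand(role):
        caps |= DIRECT.get(member, set())
    return caps


def audit(bindings):
    """Split bindings into flagged findings and roles this table cannot judge.

    A role missing from DIRECT is reported as unmodeled rather than treated
    as harmless, so absence from the findings never implies "safe".
    """
    findings, unmodeled = [], []
    for subject, role in bindings:
        if role not in DIRECT:
            unmodeled.append((subject, role))
            continue
        caps = capabilities(role)
        if caps:
            findings.append((subject, role, sorted(caps)))
    return findings, unmodeled


# Constructed sample input: (subject, role) pairs, not real API output.
SAMPLE_BINDINGS = [
    ("userAccount:alice-example", "iam.admin"),
    ("serviceAccount:ci-example", "iam.serviceAccounts.keyAdmin"),
    ("userAccount:bob-example", "iam.viewer"),
    ("userAccount:carol-example", "compute.admin"),
]

if __name__ == "__main__":
    flagged, unknown = audit(SAMPLE_BINDINGS)
    for subject, role, caps in flagged:
        print(f"{subject:30} {role:30} {', '.join(caps)}")
    for subject, role in unknown:
        print(f"{subject:30} {role:30} not modeled, review manually")
```

Roles from other services and the primitive roles are deliberately left out of the table, so they surface in the unmodeled list for manual review.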
Yandex IoT Core
iot.devices.writer
The iot.devices.writer role grants permission to send gRPC messages to Yandex IoT Core on behalf of a device.
iot.registries.writer
The iot.registries.writer role grants permission to send gRPC messages to Yandex IoT Core on behalf of a registry.
iot.auditor
The iot.auditor role allows you to view metadata about devices and device registries, as well as brokers and quotas in Yandex IoT Core.
iot.viewer
The iot.viewer role allows you to view all Yandex IoT Core resources.
iot.editor
The iot.editor role allows users to create, edit, and delete all Yandex IoT Core resources.
For more information, see Access management in Yandex IoT Core.
Yandex Foundation Models
ai.languageModels.user
The ai.languageModels.user role allows you to use YandexGPT API language models for text generation within the Yandex Foundation Models service, as well as view info on the relevant cloud, folder, and quotas.
ai.imageGeneration.user
The ai.imageGeneration.user role allows you to use YandexART image generation models within the Yandex Foundation Models service, as well as view info on the relevant cloud, folder, and quotas.
For more information, see Access management in Yandex Foundation Models.
Yandex Key Management Service
kms.keys.encrypter
The kms.keys.encrypter
role enables you to encrypt data and view information about keys.
kms.keys.decrypter
The kms.keys.decrypter role enables you to decrypt data and view information about keys.
kms.keys.encrypterDecrypter
The kms.keys.encrypterDecrypter role enables you to encrypt and decrypt data and view information about keys. It includes all access rights of the kms.keys.encrypter and kms.keys.decrypter roles.
kms.asymmetricEncryptionKeys.publicKeyViewer
The kms.asymmetricEncryptionKeys.publicKeyViewer role enables you to obtain a public key from an asymmetric encryption key pair.
kms.asymmetricSignatureKeys.publicKeyViewer
The kms.asymmetricSignatureKeys.publicKeyViewer role enables you to obtain a public key from an asymmetric key pair of a digital signature.
kms.asymmetricSignatureKeys.signer
The kms.asymmetricSignatureKeys.signer role enables you to sign data with a private key from an asymmetric key pair of a digital signature.
kms.asymmetricEncryptionKeys.decrypter
The kms.asymmetricEncryptionKeys.decrypter role enables you to decrypt data with a private key from an asymmetric encryption key pair.
kms.auditor
The kms.auditor role enables you to view a list of signature and encryption keys and get information about signature and encryption permissions. It does not allow you to obtain a public key.
kms.viewer
The kms.viewer role enables you to read information about keys.
kms.editor
The kms.editor role enables you to manage keys (view, create, update, rotate keys, and encrypt and decrypt data). It includes all access rights of the kms.viewer and kms.keys.encrypterDecrypter roles.
kms.admin
The kms.admin role enables you to assign arbitrary roles for keys using the CLI and API, delete keys and key versions, and update the primary version. It includes all access rights of the kms.editor role.
For more information, see Access management in Key Management Service.
Yandex Load Testing
loadtesting.viewer
The loadtesting.viewer role allows you to view info on load generators and tests, as well as folder metadata.
Users with this role can:
- View info on load tests and reports on their run.
- View info on load test configurations.
- View info on load test regression dashboards.
- View info on agents.
- View info on Yandex Object Storage buckets used in load tests.
- View info on the relevant folder.
loadtesting.editor
The loadtesting.editor role enables managing agents, load tests and their settings, data stores, and regression dashboards. It also allows you to register agents created outside Load Testing.
Users with this role can:
- View info on load tests and reports on their run.
- Create, modify, delete, run, and stop load tests, and load test data into them.
- View info on load test configurations, as well as create, modify, and delete such configurations.
- View info on agents and create, modify, delete, run, restart, and stop them.
- Register external agents in Load Testing.
- View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
- View info on regression dashboards, as well as create, modify, and delete such dashboards.
- View information on the relevant folder.
This role also includes the loadtesting.viewer, loadtesting.loadTester, and loadtesting.externalAgent permissions.
loadtesting.admin
The loadtesting.admin role enables managing agents, load tests and their settings, data stores, and regression dashboards. It also allows you to register agents created outside Load Testing.
Users with this role can:
- View info on load tests and reports on their run.
- Create, modify, delete, run, and stop load tests, and load test data into them.
- View info on load test configurations, as well as create, modify, and delete such configurations.
- View info on agents and create, modify, delete, run, restart, and stop them.
- Register external agents in Load Testing.
- View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
- View info on regression dashboards, as well as create, modify, and delete such dashboards.
- View information on the relevant folder.
This role also includes the loadtesting.editor permissions.
loadtesting.loadTester
The loadtesting.loadTester role enables managing agents, load tests and their settings, data stores, and regression dashboards.
Users with this role can:
- View info on load tests and reports on their run.
- Create, modify, delete, run, and stop load tests, and load test data into them.
- View info on load test configurations, as well as create, modify, and delete such configurations.
- View info on agents and create, modify, delete, run, restart, and stop them.
- View info on Yandex Object Storage buckets used in load tests, upload test data to them, and create, modify, and delete buckets.
- View info on regression dashboards, as well as create, modify, and delete such dashboards.
- View information on the relevant folder.
loadtesting.generatorClient
The loadtesting.generatorClient role allows you to create, modify, and run load tests using an agent, as well as upload test results to the storage.
Users with this role can:
- Create, edit, and run load tests.
- Create and edit load test configurations.
- Upload the test result data to the storage.
Assign this role to the service account under which you create a VM with an agent.
loadtesting.externalAgent
The loadtesting.externalAgent role enables registering external agents in Load Testing, as well as creating, modifying, and running load tests using an agent.
Users with this role can:
- Register external agents in Load Testing.
- Create, edit, and run load tests.
- Create and edit load test configurations.
- Upload the test result data to the storage.
This role also includes the loadtesting.generatorClient permissions.
Assign this role to the service account under which you create a VM with an agent.
For more information, see Access management in Load Testing.
Yandex Lockbox
lockbox.auditor
The lockbox.auditor role allows you to get information about secrets and permissions to them, folder data, and information about Yandex Lockbox quotas.
lockbox.viewer
The lockbox.viewer role lets you read the metadata of the secret.
The role includes all permissions granted by the lockbox.auditor role.
lockbox.editor
The lockbox.editor role lets you manage a secret and change its contents.
lockbox.admin
The lockbox.admin role lets you manage your secrets and access to them.
lockbox.payloadViewer
The lockbox.payloadViewer role is designed for service accounts and lets you access the contents of the secret.
For more information, see Access management in Yandex Lockbox.
Managed databases
mdb.auditor
The mdb.auditor role grants the minimum permissions required to view information about managed database clusters (without access to data or runtime logs).
Users with this role can view information about managed database clusters, quotas, and folders.
This role also includes the managed-elasticsearch.auditor, managed-opensearch.auditor, managed-kafka.auditor, managed-mysql.auditor, managed-sqlserver.auditor, managed-postgresql.auditor, managed-greenplum.auditor, managed-clickhouse.auditor, managed-redis.auditor, and managed-mongodb.auditor permissions.
mdb.viewer
The mdb.viewer role grants read access to managed database clusters and cluster runtime logs.
Users with this role can read from databases, inspect the logs of managed database clusters, and view information about clusters, quotas, and folders.
This role also includes the mdb.auditor, managed-elasticsearch.viewer, managed-opensearch.viewer, managed-kafka.viewer, managed-mysql.viewer, managed-sqlserver.viewer, managed-postgresql.viewer, managed-greenplum.viewer, managed-clickhouse.viewer, managed-redis.viewer, managed-mongodb.viewer, and dataproc.viewer permissions.
mdb.admin
The mdb.admin role grants full access to managed database clusters.
Users with this role can create, edit, delete, run, and stop managed database clusters, manage cluster access, read and write to databases, and view information about clusters, runtime logs, quotas, and folders.
This role also includes the mdb.viewer, vpc.user, managed-elasticsearch.admin, managed-opensearch.admin, managed-kafka.admin, managed-mysql.admin, managed-sqlserver.admin, managed-postgresql.admin, managed-greenplum.admin, managed-clickhouse.admin, managed-redis.admin, managed-mongodb.admin, and dataproc.admin permissions.
Yandex Managed Service for Apache Airflow™
managed-airflow.viewer
The managed-airflow.viewer role allows you to view information about the Apache Airflow™ clusters.
managed-airflow.editor
The managed-airflow.editor role allows you to manage the Apache Airflow™ clusters, as well as get information about quotas and service resource operations.
Users with this role can:
- View information about the Apache Airflow™ clusters, as well as create, modify, and delete them.
- Use the web interface to access the Apache Airflow™ components.
This role also includes the managed-airflow.viewer permissions.
To create Apache Airflow™ clusters, you also need the vpc.user role.
managed-airflow.admin
The managed-airflow.admin role allows you to manage the Apache Airflow™ clusters and get information about quotas and service resource operations.
Users with this role can:
- Manage access to the Apache Airflow™ clusters.
- View information about the Apache Airflow™ clusters, as well as create, modify, and delete them.
- Use the web interface to access the Apache Airflow™ components.
This role also includes the managed-airflow.editor permissions.
To create Apache Airflow™ clusters, you also need the vpc.user role.
For more information, see Access management in Managed Service for Apache Airflow™.
Yandex Managed Service for Apache Kafka®
managed-kafka.auditor
The managed-kafka.auditor role allows you to view information about Apache Kafka® clusters, as well as quotas and resource operations for Managed Service for Apache Kafka®.
managed-kafka.viewer
The managed-kafka.viewer role allows you to view information about Apache Kafka® clusters and their logs, as well as information on quotas and resource operations for Managed Service for Apache Kafka®.
This role also includes the managed-kafka.auditor permissions.
managed-kafka.editor
The managed-kafka.editor role allows you to manage Apache Kafka® clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- View information about Apache Kafka® clusters, as well as create, modify, delete, run, and stop them.
- View Apache Kafka® cluster logs.
- View information about quotas of Managed Service for Apache Kafka®.
- View information about resource operations for Managed Service for Apache Kafka®.
This role also includes the managed-kafka.viewer permissions.
To create Apache Kafka® clusters, you also need the vpc.user role.
managed-kafka.admin
The managed-kafka.admin role allows you to manage Apache Kafka® clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- Manage access to Apache Kafka® clusters.
- View information about Apache Kafka® clusters, as well as create, modify, delete, run, and stop them.
- View Apache Kafka® cluster logs.
- View information about quotas of Managed Service for Apache Kafka®.
- View information about resource operations for Managed Service for Apache Kafka®.
This role also includes the managed-kafka.editor permissions.
To create Apache Kafka® clusters, you also need the vpc.user role.
For more information, see Access management in Managed Service for Apache Kafka®.
Yandex Managed Service for ClickHouse®
managed-clickhouse.auditor
The managed-clickhouse.auditor role allows you to view information about ClickHouse® clusters, as well as quotas and resource operations for Managed Service for ClickHouse®.
managed-clickhouse.viewer
The managed-clickhouse.viewer role allows you to view information about ClickHouse® clusters and their logs, as well as information on quotas and resource operations for Managed Service for ClickHouse®.
This role also includes the managed-clickhouse.auditor permissions.
managed-clickhouse.editor
The managed-clickhouse.editor role allows you to manage ClickHouse® clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- View information about ClickHouse® clusters, as well as create, modify, delete, run, and stop them.
- View ClickHouse® cluster logs.
- View information about quotas of Managed Service for ClickHouse®.
- View information about operations with resources of Managed Service for ClickHouse®.
This role also includes the managed-clickhouse.viewer permissions.
To create ClickHouse® clusters, you also need the vpc.user role.
managed-clickhouse.admin
The managed-clickhouse.admin role allows you to manage ClickHouse® clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- Manage access to ClickHouse® clusters.
- View information about ClickHouse® clusters, as well as create, modify, delete, run, and stop them.
- View ClickHouse® cluster logs.
- View information about quotas of Managed Service for ClickHouse®.
- View information about operations with resources of Managed Service for ClickHouse®.
This role also includes the managed-clickhouse.editor permissions.
To create ClickHouse® clusters, you also need the vpc.user role.
For more information, see Access management in Managed Service for ClickHouse®.
Yandex Managed Service for GitLab
gitlab.auditor
The gitlab.auditor role enables you to view the Managed Service for GitLab instance list and information on each instance and its backups.
gitlab.viewer
The gitlab.viewer role enables you to view the Managed Service for GitLab instance list and information on each instance and its backups.
It includes the gitlab.auditor role.
gitlab.editor
The gitlab.editor role enables you to create, edit, and delete instances, create and restore from backups, and reschedule and run scheduled maintenance.
gitlab.admin
The gitlab.admin role enables you to create, edit, and delete instances, as well as grant permissions to other users.
This role is assigned by default. It includes the gitlab.editor role.
For more information, see Access management in Managed Service for GitLab.
Yandex Managed Service for Greenplum®
managed-greenplum.auditor
The managed-greenplum.auditor role allows you to view information about Greenplum® clusters and hosts, as well as quotas and resource operations for Managed Service for Greenplum®.
managed-greenplum.viewer
The managed-greenplum.viewer role allows you to view information about Greenplum® clusters, hosts, and their logs, as well as information about quotas and service resource operations.
Users with this role can:
- View information about Greenplum® clusters.
- View information about Greenplum® cluster hosts.
- View information about Greenplum® backups.
- View Greenplum® cluster logs.
- View information about the results of Greenplum® cluster performance diagnostics.
- View information about quotas of Managed Service for Greenplum®.
- View information about resource operations for Managed Service for Greenplum®.
This role also includes the managed-greenplum.auditor permissions.
managed-greenplum.editor
The managed-greenplum.editor role allows you to manage Greenplum® clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- View information about Greenplum® clusters, as well as create, modify, delete, run, and stop them.
- View information about Greenplum® cluster hosts, as well as create, modify, and delete them.
- View information about Greenplum® backups, as well as create and delete them.
- View Greenplum® cluster logs.
- View information about the results of Greenplum® cluster performance diagnostics.
- View information about quotas of Managed Service for Greenplum®.
- View information about resource operations for Managed Service for Greenplum®.
This role also includes the managed-greenplum.viewer permissions.
To create Greenplum® clusters, you also need the vpc.user role.
managed-greenplum.admin
The managed-greenplum.admin role allows you to manage Greenplum® clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- Manage access to Greenplum® clusters.
- View information about Greenplum® clusters, as well as create, modify, delete, run, and stop them.
- View information about Greenplum® cluster hosts, as well as create, modify, and delete them.
- View information about Greenplum® backups, as well as create and delete them.
- View Greenplum® cluster logs.
- View information about the results of Greenplum® cluster performance diagnostics.
- View information about quotas of Managed Service for Greenplum®.
- View information about resource operations for Managed Service for Greenplum®.
This role also includes the managed-greenplum.editor permissions.
To create Greenplum® clusters, you also need the vpc.user role.
For more information, see Access management in Managed Service for Greenplum®.
Yandex Managed Service for Kubernetes
k8s.viewer
The k8s.viewer role enables you to view information about Kubernetes clusters and node groups.
k8s.editor
The k8s.editor role enables you to create, delete, edit, stop, and start Kubernetes clusters and node groups.
It includes the k8s.viewer role.
k8s.admin
The k8s.admin role enables you to create, delete, edit, stop, and start Kubernetes clusters and node groups.
It includes the k8s.editor role.
k8s.cluster-api.viewer
Users with the k8s.cluster-api.viewer role get the yc:view group and the view role in Kubernetes RBAC for all namespaces in a cluster.
k8s.cluster-api.editor
Users with the k8s.cluster-api.editor role get the yc:edit group and the edit role in Kubernetes RBAC for all namespaces in a cluster.
k8s.cluster-api.cluster-admin
Users with the k8s.cluster-api.cluster-admin role get the yc:cluster-admin group and the cluster-admin role in Kubernetes RBAC.
k8s.tunnelClusters.agent
k8s.tunnelClusters.agent is a special role for creating Kubernetes clusters with tunnel mode. It enables you to create node groups, disks, and internal load balancers. You can use previously created Yandex Key Management Service keys to encrypt and decrypt secrets. It includes the following roles:
- compute.admin
- iam.serviceAccounts.user
- k8s.viewer
- kms.keys.encrypterDecrypter
- load-balancer.privateAdmin
k8s.clusters.agent
k8s.clusters.agent is a special role for the Kubernetes cluster service account. It enables you to create node groups, disks, and internal load balancers. You can use previously created Yandex Key Management Service keys to encrypt and decrypt secrets and connect previously created security groups. When combined with the load-balancer.admin role, it enables you to create a network load balancer with a public IP address. It includes the following roles:
- k8s.tunnelClusters.agent
- vpc.privateAdmin
For more information, see Access management in Managed Service for Kubernetes.
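Because roles include other roles, a single binding can carry permissions that are not visible in its name. The following added example (not part of the Yandex Cloud documentation) expands the inclusion statements from the Key Management Service and Managed Service for Kubernetes sections above and reports which sensitive roles a binding grants implicitly. The subjects, the bindings, and the choice of which roles count as sensitive are constructed assumptions; the table covers only these two sections, so roles documented elsewhere (for example, compute.admin) are treated as leaves.

```python
from collections import deque

# Inclusion edges transcribed from the "includes" statements in the
# Key Management Service and Managed Service for Kubernetes sections.
# Roles described in other sections are leaves here (assumption).
INCLUDES = {
    "kms.keys.encrypterDecrypter": {"kms.keys.encrypter", "kms.keys.decrypter"},
    "kms.editor": {"kms.viewer", "kms.keys.encrypterDecrypter"},
    "kms.admin": {"kms.editor"},
    "k8s.editor": {"k8s.viewer"},
    "k8s.admin": {"k8s.editor"},
    "k8s.tunnelClusters.agent": {
        "compute.admin",
        "iam.serviceAccounts.user",
        "k8s.viewer",
        "kms.keys.encrypterDecrypter",
        "load-balancer.privateAdmin",
    },
    "k8s.clusters.agent": {"k8s.tunnelClusters.agent", "vpc.privateAdmin"},
}

# Constructed sample data: subject names and bindings are hypothetical.
SAMPLE_BINDINGS = [
    ("sa-k8s-cluster", "k8s.clusters.agent"),
    ("sa-app", "kms.keys.encrypter"),
    ("alice", "kms.admin"),
]

# Roles the reviewer wants to see called out (an assumption of this example).
SENSITIVE = {"kms.keys.decrypter", "compute.admin"}


def inclusion_paths(role, includes=INCLUDES):
    """Map every role reachable from `role` to the shortest inclusion chain.

    Breadth-first search; the `paths` dict doubles as the visited set, so a
    table that accidentally contains a cycle still terminates.
    """
    paths = {role: [role]}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for child in sorted(includes.get(current, ())):
            if child not in paths:
                paths[child] = paths[current] + [child]
                queue.append(child)
    return paths


def effective_roles(role, includes=INCLUDES):
    """Return the granted role plus everything it includes transitively."""
    return set(inclusion_paths(role, includes))


def audit_bindings(bindings, sensitive, includes=INCLUDES):
    """List sensitive roles that a binding grants only through inclusion.

    Returns (subject, granted_role, sensitive_role, chain) tuples. A binding
    that names the sensitive role directly is not reported, because it is
    already visible in the access policy.
    """
    findings = []
    for subject, role in bindings:
        paths = inclusion_paths(role, includes)
        for target in sorted(sensitive & set(paths)):
            if target != role:
                chain = " -> ".join(paths[target])
                findings.append((subject, role, target, chain))
    return findings


if __name__ == "__main__":
    for subject, role, target, chain in audit_bindings(SAMPLE_BINDINGS, SENSITIVE):
        print(f"{subject}: {role} implicitly grants {target} ({chain})")
```
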
Yandex Managed Service for MongoDB
managed-mongodb.auditor
The managed-mongodb.auditor role allows you to view information about MongoDB hosts and clusters, as well as quotas and resource operations for Managed Service for MongoDB.
managed-mongodb.viewer
The managed-mongodb.viewer role allows you to view information about clusters, hosts, shards, databases, MongoDB users, and cluster logs, as well as about quotas and service resource operations.
Users with this role can:
- View information about MongoDB clusters.
- View information about MongoDB cluster hosts.
- View information about MongoDB cluster shards.
- View information about MongoDB databases.
- View information about MongoDB users.
- View information about MongoDB backups.
- View information about MongoDB alerts.
- View MongoDB cluster logs.
- View information about the results of MongoDB cluster performance diagnostics.
- View information about quotas of Managed Service for MongoDB.
- View information about resource operations for Managed Service for MongoDB.
This role also includes the managed-mongodb.auditor permissions.
managed-mongodb.editor
The managed-mongodb.editor role allows you to manage MongoDB clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- Create, modify, delete, run and stop MongoDB clusters and view information about them.
- Create, modify, and delete MongoDB cluster hosts and view information about them.
- Create and delete MongoDB cluster shards and view information about them.
- Create and delete MongoDB databases and view information about them.
- Create, modify, and delete MongoDB users and view information about them.
- Create MongoDB backups and view information about them.
- Create, modify, and delete MongoDB alerts and view information about them.
- View MongoDB cluster logs.
- View information about the results of MongoDB cluster performance diagnostics.
- View information about quotas of Managed Service for MongoDB.
- View information about resource operations for Managed Service for MongoDB.
This role also includes the managed-mongodb.viewer permissions.
To create MongoDB clusters, you also need the vpc.user role.
managed-mongodb.admin
The managed-mongodb.admin role allows you to manage MongoDB clusters and view their logs, as well as get information about quotas and service resource operations.
Users with this role can:
- Manage access to MongoDB clusters.
- Create, modify, delete, run and stop MongoDB clusters and view information about them.
- Create, modify, and delete MongoDB cluster hosts and view information about them.
- Create and delete MongoDB cluster shards and view information about them.
- Create and delete MongoDB databases and view information about them.
- Create, modify, and delete MongoDB users and view information about them.
- Create MongoDB backups and view information about them.
- Create, modify, and delete MongoDB alerts and view information about them.
- View MongoDB cluster logs.
- View information about the results of MongoDB cluster performance diagnostics.
- View information about quotas of Managed Service for MongoDB.
- View information about resource operations for Managed Service for MongoDB.
This role also includes the managed-mongodb.editor permissions.
To create MongoDB clusters, you also need the vpc.user role.
For more information, see Access management in Managed Service for MongoDB.
Yandex Managed Service for MySQL
managed-mysql.auditor
The managed-mysql.auditor role allows you to view information on MySQL® hosts and clusters, as well as quotas and resource operations for Managed Service for MySQL®.
managed-mysql.viewer
The managed-mysql.viewer role allows you to view information on MySQL® clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.
Users with this role can:
- View information on MySQL® clusters.
- View information on MySQL® cluster hosts.
- View information on MySQL® databases.
- View information on MySQL® users.
- View information on MySQL® DB backups.
- View information on MySQL® alerts.
- View MySQL® cluster logs.
- View information on the results of MySQL® cluster performance diagnostics.
- View information on quotas of Managed Service for MySQL®.
- View information on resource operations for Managed Service for MySQL®.
This role also includes the managed-mysql.auditor permissions.
managed-mysql.editor
The managed-mysql.editor role allows you to manage MySQL® clusters and view their logs, as well as get information on service quotas and resource operations.
Users with this role can:
- View information on MySQL® clusters, as well as create, modify, delete, run, and stop them.
- View information on MySQL® cluster hosts, as well as create, modify, and delete them.
- View information on MySQL® databases, as well as create, modify, and delete them.
- View information on MySQL® users, as well as create, modify, and delete them.
- View information on MySQL® DB backups, as well as create and delete them.
- View information on MySQL® alerts, as well as create, modify, and delete them.
- View MySQL® cluster logs.
- View information on the results of MySQL® cluster performance diagnostics.
- View information on quotas of Managed Service for MySQL®.
- View information on resource operations for Managed Service for MySQL®.
This role also includes the managed-mysql.viewer permissions.
To create MySQL® clusters, you also need the vpc.user role.
managed-mysql.admin
The managed-mysql.admin role allows you to manage MySQL® clusters and view their logs, as well as get information on quotas and resource operations.
Users with this role can:
- Manage access to MySQL® clusters.
- View information on MySQL® clusters, as well as create, modify, delete, run, and stop them.
- View information on MySQL® cluster hosts, as well as create, modify, and delete them.
- View information on MySQL® databases, as well as create, modify, and delete them.
- View information on MySQL® users, as well as create, modify, and delete them.
- View information on MySQL® DB backups, as well as create and delete them.
- View information on MySQL® alerts, as well as create, modify, and delete them.
- View MySQL® cluster logs.
- View information on the results of MySQL® cluster performance diagnostics.
- View information on quotas of Managed Service for MySQL®.
- View information on resource operations for Managed Service for MySQL®.
This role also includes the managed-mysql.editor permissions.
To create MySQL® clusters, you also need the vpc.user role.
For more information, see Access management in Managed Service for MySQL.
Yandex Managed Service for OpenSearch
managed-opensearch.auditor
The managed-opensearch.auditor role allows you to view information on OpenSearch clusters, as well as quotas and resource operations for Managed Service for OpenSearch.
managed-opensearch.viewer
The managed-opensearch.viewer role allows you to view information on OpenSearch clusters and their logs, as well as on quotas and resource operations for Managed Service for OpenSearch.
This role also includes the managed-opensearch.auditor permissions.
managed-opensearch.editor
The managed-opensearch.editor role allows you to manage OpenSearch clusters and view their logs, as well as get information on quotas and resource operations.
Users with this role can:
- View information on OpenSearch clusters, as well as create, modify, delete, run, and stop them.
- View OpenSearch cluster logs.
- View information on quotas of Managed Service for OpenSearch.
- View information on resource operations for Managed Service for OpenSearch.
This role also includes the managed-opensearch.viewer permissions.
To create OpenSearch clusters, you also need the vpc.user role.
managed-opensearch.admin
The managed-opensearch.admin role allows you to manage OpenSearch clusters and view their logs, as well as get information on quotas and resource operations.
Users with this role can:
- Manage access to OpenSearch clusters.
- View information on OpenSearch clusters, as well as create, modify, delete, run, and stop them.
- View OpenSearch cluster logs.
- View information on quotas of Managed Service for OpenSearch.
- View information on resource operations for Managed Service for OpenSearch.
This role also includes the managed-opensearch.editor permissions.
To create OpenSearch clusters, you also need the vpc.user role.
For more information, see Managing access to Managed Service for OpenSearch.
Yandex Managed Service for PostgreSQL
managed-postgresql.auditor
The managed-postgresql.auditor role allows you to view information on PostgreSQL hosts and clusters, as well as quotas and resource operations for Managed Service for PostgreSQL.
managed-postgresql.viewer
The managed-postgresql.viewer role allows you to view information on PostgreSQL clusters, hosts, databases, users, and cluster logs, as well as on quotas and resource operations.
Users with this role can:
- View information on PostgreSQL clusters.
- View information on PostgreSQL cluster hosts.
- View information on PostgreSQL databases.
- View information on PostgreSQL users.
- View information on PostgreSQL DB backups.
- View information on PostgreSQL alerts.
- View PostgreSQL cluster logs.
- View information on the results of PostgreSQL cluster performance diagnostics.
- View information on quotas of Managed Service for PostgreSQL.
- View information on resource operations for Managed Service for PostgreSQL.
This role also includes the managed-postgresql.auditor permissions.
managed-postgresql.editor
The managed-postgresql.editor role allows you to manage PostgreSQL clusters and view their logs, as well as get information on service quotas and resource operations.
Users with this role can:
- View information on PostgreSQL clusters, as well as create, modify, delete, run, and stop them.
- View information on PostgreSQL cluster hosts, as well as create, modify, and delete them.
- View information on PostgreSQL databases, as well as create, modify, and delete them.
- View information on PostgreSQL users, as well as create, modify, and delete them.
- View information on PostgreSQL DB backups, as well as create and delete them.
- View information on PostgreSQL alerts, as well as create, modify, and delete them.
- View PostgreSQL cluster logs.
- View information on the results of PostgreSQL cluster performance diagnostics.
- View information on quotas of Managed Service for PostgreSQL.
- View information on resource operations for Managed Service for PostgreSQL.
This role also includes the managed-postgresql.viewer permissions.
To create PostgreSQL clusters, you also need the vpc.user role.
managed-postgresql.admin
The managed-postgresql.admin role allows you to manage PostgreSQL clusters and view their logs, as well as get information on quotas and resource operations.
Users with this role can:
- Manage access to PostgreSQL clusters.
- View information on PostgreSQL clusters, as well as create, modify, delete, run, and stop them.
- View information on PostgreSQL cluster hosts, as well as create, modify, and delete them.
- View information on PostgreSQL databases, as well as create, modify, and delete them.
- View information on PostgreSQL users, as well as create, modify, and delete them.
- View information on PostgreSQL DB backups, as well as create and delete them.
- View information on PostgreSQL alerts, as well as create, modify, and delete them.
- View PostgreSQL cluster logs.
- View information on the results of PostgreSQL cluster performance diagnostics.
- View information on quotas of Managed Service for PostgreSQL.
- View information on resource operations for Managed Service for PostgreSQL.
This role also includes the managed-postgresql.editor permissions.
To create PostgreSQL clusters, you also need the vpc.user role.
For more information, see Access management in Managed Service for PostgreSQL.
Yandex Managed Service for Redis
managed-redis.auditor
The managed-redis.auditor role allows you to view information on Redis hosts and clusters, as well as quotas and resource operations for Managed Service for Redis.
managed-redis.viewer
The managed-redis.viewer role allows you to view information on Redis hosts and clusters and their logs, as well as on quotas and resource operations.
Users with this role can:
- View information on Redis clusters.
- View information on Redis cluster hosts.
- View information on Redis cluster shards.
- View information on Redis DB backups.
- View information on Redis alerts.
- View Redis cluster logs.
- View information on quotas of Managed Service for Redis.
- View information on resource operations for Managed Service for Redis.
This role also includes the managed-redis.auditor permissions.
managed-redis.editor
The managed-redis.editor
role allows you to manage Redis clusters and view their logs, as well as get information on service quotas and resource operations.
Users with this role can:
- View information on Redis clusters, as well as create, modify, delete, run, and stop them.
- View information on Redis cluster hosts, as well as create, modify, and delete them.
- View information on Redis cluster shards, as well as create and delete them.
- View information on Redis DB backups and create them.
- View information on Redis alerts, as well as create, modify, and delete them.
- View Redis cluster logs.
- View information on quotas of Managed Service for Redis.
- View information on resource operations for Managed Service for Redis.
This role also includes the managed-redis.viewer
permissions.
To create Redis clusters, you also need the vpc.user
role.
managed-redis.admin
The managed-redis.admin
role allows you to manage Redis clusters and view their logs, as well as get information on quotas and resource operations.
Users with this role can:
- Manage access to Redis clusters.
- View information on Redis clusters, as well as create, modify, delete, run, and stop them.
- View information on Redis cluster hosts, as well as create, modify, and delete them.
- View information on Redis cluster shards, as well as create and delete them.
- View information on Redis DB backups and create them.
- View information on Redis alerts, as well as create, modify, and delete them.
- View Redis cluster logs.
- View information on quotas of Managed Service for Redis.
- View information on resource operations for Managed Service for Redis.
This role also includes the managed-redis.editor
permissions.
To create Redis clusters, you also need the vpc.user
role.
For more information, see Access management in Managed Service for Redis.
Yandex Managed Service for YDB
ydb.auditor
The ydb.auditor
role allows you to:
- Establish DB connections.
- View the list of schema objects (tables, indexes, and folders).
- View descriptions of schema objects (tables, indexes, and folders).
- View DB information.
Users with this role can also retrieve the list of folders in the cloud and the list of resources in a cloud folder.
ydb.viewer
The ydb.viewer
role grants permission to perform the following actions:
- Establish DB connections.
- View a list of schema objects (tables, indexes, and folders).
- View descriptions of schema objects (tables, indexes, and folders).
- View DB information.
- Run queries to read data.
This role also enables the user to retrieve a list of folders in the cloud and a list of resources in a cloud folder.
All the ydb.viewer
permissions are included in the viewer
role.
ydb.editor
The ydb.editor
role grants permission to perform the following actions:
- Manage DBs, for example, create a DB or reconfigure it.
- Create, modify, and delete schema objects (tables, indexes, and folders) in a database.
- Run statements that write data.
The ydb.editor
role also includes all permissions of the viewer
role.
All ydb.editor
permissions are included in the editor
role.
ydb.admin
The ydb.admin
role has the same permissions as the ydb.editor
role.
ydb.kafkaApi.client
The ydb.kafkaApi.client
role allows you to work with ydb
over the Kafka API protocol using plain authentication over an SSL connection.
For more information, see Access management in Managed Service for YDB.
Yandex Message Queue
ymq.reader
The ymq.reader
role grants permission to read and delete messages, set message visibility timeouts, and clear a queue of messages. It allows you to get a list of queues and queue information.
ymq.writer
The ymq.writer
role grants permission to write messages to a queue and create new queues. It allows you to get a list of queues and queue information.
ymq.admin
The ymq.admin
role includes access rights of the ymq.reader
and ymq.writer
roles and allows updating queue attributes and deleting queues. It allows you to get a list of queues and queue information.
For more information, see Access management in Message Queue.
Yandex Monitoring
monitoring.viewer
The monitoring.viewer
role grants permission to view the created dashboards and widgets, as well as the uploaded metrics.
monitoring.editor
The monitoring.editor
role grants permission to create dashboards and widgets as well as upload metrics and manage alerts.
The monitoring.editor
role also includes all permissions of the monitoring.viewer
role.
monitoring.admin
The monitoring.admin
role grants permission to create dashboards and widgets as well as upload metrics and manage alerts.
The monitoring.admin
role also includes all permissions of the monitoring.editor
role.
For more information, see Access management in Monitoring.
Yandex Network Load Balancer
load-balancer.auditor
The load-balancer.auditor
role enables you to get lists of target groups and network load balancers, details on them and their operations, and view information about the cloud, cloud limits, and the folder.
load-balancer.viewer
The load-balancer.viewer
role lets you view resource model objects.
load-balancer.privateAdmin
The load-balancer.privateAdmin
role lets you create, update, and delete load balancers and target groups without granting access to them from the internet.
load-balancer.admin
The load-balancer.admin
role lets you create both private and public load balancers.
For more information, see Access management in Network Load Balancer.
Yandex Object Storage
storage.viewer
The storage.viewer
role gives you read access to the list of buckets, settings, and data.
storage.configViewer
The storage.configViewer
role enables you to view the security settings of buckets and their objects. It does not grant access to data stored in buckets.
storage.configurer
The storage.configurer
role enables you to manage the settings of object lifecycles, static website hosting, access policy, and CORS.
It does not permit the user to manage access control list (ACL) or public access settings. It does not grant access to bucket data.
storage.uploader
The storage.uploader
role enables you to upload objects to a bucket and overwrite previously uploaded ones. Since the storage.uploader
role inherits the permissions of the storage.viewer
role, it also grants permission to list bucket objects and download them.
This role does not allow you to delete objects or configure buckets.
storage.editor
The storage.editor
role enables you to perform any operation with buckets and objects in the folder: create (including a publicly accessible bucket), delete, and edit them.
This role does not allow you to manage access control list (ACL) settings.
storage.admin
The storage.admin
role is intended for managing Object Storage. Users with this role can:
- Create buckets.
- Delete buckets.
- Assign an access control list (ACL).
- Manage any bucket object.
- Manage any bucket website.
- Configure other bucket parameters and objects in the bucket.
This role enables the user to grant other users access to a bucket or a specific object in it.
This role can be assigned by the administrator of the cloud (the admin
role).
For more information, see Managing access with Yandex Identity and Access Management.
Yandex Query
yq.viewer
Users with the yq.viewer
role can view queries and their results.
yq.editor
Users assigned the yq.editor
role can view, edit, and delete their connections and queries, as well as run the queries they create. The yq.editor
role includes all permissions of the yq.viewer
role.
yq.admin
The yq.admin
role allows you to manage any Query resources, including those labeled as private. The yq.admin
role includes all permissions of the yq.editor
role.
yq.invoker
Users with the yq.invoker
role can run queries in Query. The role is designed to automate query execution by service accounts. For example, you can use it to run queries by an event or on schedule.
For more information, see Access management in Query.
Yandex Resource Manager
resource-manager.auditor
The resource-manager.auditor
role grants permission to view cloud or folder metadata and list cloud or folder roles. It is assigned to an organization, a cloud, or a folder.
resource-manager.viewer
The resource-manager.viewer
role grants permission to view cloud or folder information and list access rights granted to a cloud or a folder. It is assigned for an organization, a cloud, or a folder.
resource-manager.editor
The resource-manager.editor
role grants permission to create, edit, or delete clouds or folders. It is assigned for an organization, a cloud, or a folder.
resource-manager.admin
The resource-manager.admin
role grants permission to edit, delete, and manage access to clouds and folders. It is assigned for an organization, a cloud, or a folder.
resource-manager.clouds.member
The resource-manager.clouds.member
role is required for everyone except the cloud owners and service accounts to access resources in a cloud not owned by the organization.
resource-manager.clouds.owner
The resource-manager.clouds.owner
role grants full access to the cloud and its resources. The role can only be assigned for a cloud.
For more information, see Access management in Resource Manager.
Yandex Search API
search-api.executor
The search-api.executor
role grants permission to use Search API.
For more information, see Access management in Search API.
Yandex Serverless Containers
serverless-containers.auditor
The serverless-containers.auditor
role lets you view a list of containers and all their details, except the environment variables of a revision.
serverless-containers.viewer
The serverless-containers.viewer
role lets you view a list of containers and their details.
serverless-containers.editor
The serverless-containers.editor
role allows you to create, edit, and delete containers, as well as create container revisions.
serverless-containers.admin
The serverless-containers.admin
role lets you manage container access settings.
serverless-containers.containerInvoker
The serverless-containers.containerInvoker
role allows you to invoke containers.
For more information, see Access management in Serverless Containers.
Yandex SmartCaptcha
smart-captcha.auditor
The smart-captcha.auditor
role enables you to view CAPTCHA information and permissions.
smart-captcha.viewer
The smart-captcha.viewer
role enables you to view CAPTCHA information.
The role includes all permissions granted by the smart-captcha.auditor
role.
smart-captcha.editor
The smart-captcha.editor
role enables you to manage CAPTCHAs (create, change, or delete them). The role includes all access rights of the smart-captcha.viewer
role.
smart-captcha.admin
The smart-captcha.admin
role enables you to manage CAPTCHAs and access to them. The role includes all access rights of the smart-captcha.editor
role.
For more information, see Access management in SmartCaptcha.
Yandex Smart Web Security
smart-web-security.auditor
The smart-web-security.auditor
role allows you to view information on security profiles in Smart Web Security and the metadata of the relevant cloud and folder.
Users with this role can:
- View info on security profiles in Smart Web Security.
- View info on access bindings for security profiles.
- View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
- View information on the relevant cloud.
- View info on the relevant folder.
To assign the smart-web-security.auditor
role, you need the admin
role for the cloud or the smart-web-security.admin
role for the folder.
smart-web-security.viewer
The smart-web-security.viewer
role allows you to view information on security profiles in Smart Web Security, as well as on the relevant cloud and folder.
Users with this role can:
- View info on security profiles in Smart Web Security.
- View info on access bindings for security profiles.
- View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
- View information on the relevant cloud.
- View info on the relevant folder.
This role also includes the smart-web-security.auditor
permissions.
To assign the smart-web-security.viewer
role, you need either the admin
role for the cloud or the smart-web-security.admin
role for the folder.
smart-web-security.user
The smart-web-security.user
role allows you to view information on security profiles in Smart Web Security and use them.
Users with this role can:
- View info on security profiles in Smart Web Security and use them in other Yandex Cloud services.
- View info on access bindings for security profiles.
- View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
- View information on the relevant cloud.
- View info on the relevant folder.
This role also includes the smart-web-security.viewer
permissions.
To assign the smart-web-security.user
role, you need either the admin
role for the cloud or the smart-web-security.admin
role for the folder.
smart-web-security.editor
The smart-web-security.editor
role allows you to use security profiles in Smart Web Security and manage them.
Users with this role can:
- View info on security profiles in Smart Web Security, create, modify, and delete them, as well as use these security profiles in other Yandex Cloud services.
- View info on access bindings for security profiles.
- View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
- View information on the relevant cloud.
- View info on the relevant folder.
This role also includes the smart-web-security.user
permissions.
To assign the smart-web-security.editor
role, you need the admin
role for the cloud or the smart-web-security.admin
role for the folder.
smart-web-security.admin
The smart-web-security.admin
role allows you to use security profiles in Smart Web Security, manage them, and manage access to them.
Users with this role can:
- View info on access bindings for security profiles and modify such bindings.
- View info on security profiles in Smart Web Security, create, modify, and delete them, as well as use these security profiles in other Yandex Cloud services.
- View the list of L7 load balancer virtual hosts in Yandex Application Load Balancer to which the security profile is connected.
- View information on the relevant cloud.
- View info on the relevant folder.
This role also includes the smart-web-security.editor
permissions.
To assign the smart-web-security.admin
role, you need the admin
role for the cloud.
For more information, see Access management in Smart Web Security.
Yandex SpeechKit
ai.speechkit-stt.user
The ai.speechkit-stt.user
role allows you to use Yandex SpeechKit for speech recognition, as well as view info on the relevant cloud, folder, and quotas.
ai.speechkit-tts.user
The ai.speechkit-tts.user
role allows you to use Yandex SpeechKit for speech synthesis, as well as view info on the relevant cloud, folder, and quotas.
For more information, see Access management in SpeechKit.
Yandex SpeechSense
speech-sense.auditor
The speech-sense.auditor
role enables you to view names, descriptions, and lists of members of a project or a space with all of its projects. The role does not provide access to project data.
speech-sense.viewer
The speech-sense.viewer
role enables you to view project or space characteristics, the list of their members, connections, and dashboards.
The speech-sense.viewer
role includes all permissions of the speech-sense.auditor
role.
speech-sense.editor
The speech-sense.editor
role enables you to edit a project, its description, dashboards, and alerts, create and edit its classifiers, and run analyses. When assigned for a space, the role allows you to edit the space and create projects and connections within it.
The speech-sense.editor
role includes all permissions of the speech-sense.viewer
role.
speech-sense.admin
The speech-sense.admin
role assigned for a space or project enables you to perform any action in them: view dialogs, edit connections, or run analyses. The role grants permission to assign roles to other users.
The speech-sense.admin
role includes all permissions of the speech-sense.editor
and speech-sense.data.editor
roles.
speech-sense.spaces.creator
The speech-sense.spaces.creator
role allows you to create spaces in SpeechSense.
speech-sense.data.viewer
The speech-sense.data.viewer
role allows you to view a project's name or description, the list of connections, dashboards, and project members. It also enables you to search inside documents, listen to dialogs, and view their text transcripts. When assigned for a space, this role enables you to view all of its projects without editing them.
speech-sense.data.editor
The speech-sense.data.editor
role enables you to upload dialogs to project or space connections, evaluate these dialogs, and comment on them in the system.
The speech-sense.data.editor
role includes all permissions of the speech-sense.data.viewer
role.
Users with roles like speech-sense.data.*
can view and rate the contents of documents but do not have access to aggregate information.
For more information, see Access management in SpeechSense.
Yandex Translate
ai.translate.user
The ai.translate.user
role allows you to use Yandex Translate to translate texts, as well as view info on the relevant cloud, folder, and quotas.
For more information, see Access management in Translate.
Yandex Virtual Private Cloud
vpc.auditor
The vpc.auditor
role allows you to view service metadata, including information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
vpc.viewer
The vpc.viewer
role allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on the quotas and resource operations.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.auditor
permissions.
vpc.user
The vpc.user
role allows you to use cloud networks, subnets, route tables, gateways, security groups, and IP addresses, get information on these resources, as well as on the quotas and resource operations.
- View information on cloud networks and use them.
- View information on subnets and use them.
- View information on cloud resource addresses and use them.
- View information on route tables and use them.
- View information on security groups and use them.
- View information on NAT gateways and connect them to route tables.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.externalAddresses.user
The vpc.externalAddresses.user
role allows you to view the list of private and public addresses of the cloud resources; it also enables viewing info on such addresses, using them, and managing the external network connectivity.
vpc.admin
The vpc.admin
role allows you to manage cloud networks, subnets, route tables, NAT gateways, security groups, internal and public IP addresses, as well as external network connectivity.
- View information on cloud networks, as well as create, modify, and delete them.
- Configure external access to cloud networks.
- Manage connectivity of multiple cloud networks.
- Manage multi-interface instances that provide connectivity between multiple networks.
- View information on subnets, as well as create, modify, and delete them.
- View information on route tables, as well as create, modify, and delete them.
- Link route tables to subnets.
- View information on NAT gateways, as well as create, modify, and delete them.
- Connect NAT gateways to route tables.
- View information on security groups, as well as create, modify, and delete them.
- Create and delete default security groups in cloud networks.
- Create and delete security group rules, as well as edit their metadata.
- Configure DHCP in subnets.
- View information on cloud resource addresses, as well as create, update, and delete internal and public IP addresses.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.privateAdmin
, vpc.publicAdmin
, and vpc.securityGroups.admin
permissions.
vpc.bridgeAdmin
The vpc.bridgeAdmin
role allows you to use subnets and manage connectivity of multiple cloud networks. This role also allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.
- Manage connectivity of multiple cloud networks.
- View information on subnets and use them.
- Get a list of cloud networks and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.privateAdmin
The vpc.privateAdmin
role allows you to manage cloud networks, subnets, and route tables, as well as view information on the quotas, resources, and resource operations. This role also allows you to manage connectivity within Yandex Cloud, but not connectivity from the internet.
- View information on cloud networks, as well as create, modify, and delete them.
- View information on subnets, as well as create, modify, and delete them.
- View information on route tables, as well as create, modify, and delete them.
- Link route tables to subnets.
- View information on security groups and create default security groups in cloud networks.
- Configure DHCP in subnets.
- View information on cloud resource addresses, as well as create internal IP addresses.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.publicAdmin
The vpc.publicAdmin
role allows you to manage NAT gateways, public IP addresses, and external network connectivity, as well as view information on the quotas, resources, and resource operations. This role grants administrator privileges for multi-interface instances that provide connectivity between multiple networks.
- View information on cloud networks and configure external access to them.
- Manage connectivity of multiple cloud networks.
- Manage multi-interface instances that provide connectivity between multiple networks.
- View information on subnets and modify them.
- View information on NAT gateways, as well as create, modify, and delete them.
- Connect NAT gateways to route tables.
- View information on cloud resource addresses, as well as create, update, and delete public IP addresses.
- View information on route tables, as well as link route tables to subnets.
- View information on security groups.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
You can assign a role for a cloud or folder. Important: If a network and subnet are in different folders, the vpc.publicAdmin
role is checked for the folder where the network is located.
vpc.gateways.viewer
The vpc.gateways.viewer
role allows you to view information on NAT gateways.
vpc.gateways.user
The vpc.gateways.user
role allows you to view information on NAT gateways and connect them to route tables.
vpc.gateways.editor
The vpc.gateways.editor
role allows you to create, modify, and delete NAT gateways, as well as connect them to route tables.
vpc.securityGroups.user
The vpc.securityGroups.user
role allows you to assign security groups to network interfaces and view information on the resources, quotas, and resource operations.
- Assign security groups to instance network interfaces.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- Get a list of security groups and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
vpc.securityGroups.admin
The vpc.securityGroups.admin
role allows you to manage security groups and view information on the resources, quotas, and resource operations.
- View information on security groups, as well as create, modify, and delete them.
- Create and delete default security groups in cloud networks.
- Create and delete security group rules, as well as edit their metadata.
- Get a list of cloud networks and view information on them.
- Get a list of subnets and view information on them.
- Get a list of cloud resource addresses and view information on them.
- Get a list of route tables and view information on them.
- View information on NAT gateways.
- View information on the IP addresses used in subnets.
- View information on Virtual Private Cloud quotas.
- View information on resource operations for Virtual Private Cloud.
- View information on resource operations for Compute Cloud.
- View information on the relevant cloud.
- View information on the relevant folder.
This role also includes the vpc.viewer
permissions.
For more information, see Access management in Virtual Private Cloud.
Yandex Vision OCR
ai.vision.user
The ai.vision.user
role allows you to use Yandex Vision OCR to analyze images, as well as view info on the relevant cloud, folder, and quotas.
For more information, see Access management in Vision OCR.
Yandex Wiki
wiki.viewer
The wiki.viewer
role is assigned for an organization.
It grants permission to view pages in the organization's Yandex Wiki.
wiki.admin
The wiki.admin
role is assigned for an organization.
It grants permission to edit pages, set up access rights for other users, edit the list of authors, and appoint a page's owner.
ClickHouse® is a registered trademark of ClickHouse, Inc.