Access management in Identity and Access Management
In this section, you will learn:
- Which resources you can assign a role for.
- Which roles exist in the service.
- Which roles are required for particular actions.
About access management
In Yandex Cloud, every operation is checked by Yandex Identity and Access Management. If the subject does not have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform the operations. Roles can be assigned to a Yandex account, a service account, a federated user, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources can be assigned a role
Which roles exist in the service
The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all the permissions of viewer. You can find the description of each role under the chart.
The iam.serviceAccounts.user role means that the user has the right to use service accounts. This role is required when the user asks a service to perform operations on behalf of a service account. For example, when creating an instance group, you specify the service account, and IAM checks whether you have permission to use it.
The following permissions are included in the iam.serviceAccounts.user role:
- Get a list of service accounts.
- Get information about a service account.
- Use the service account to perform operations on its behalf.
These permissions are also part of the
The iam.serviceAccounts.admin role allows you to manage service accounts and the permissions to access them. The role includes the following permissions:
- Changing the description and other mutable attributes of a service account.
- Creating all types of keys for a service account.
- Getting IAM tokens for a service account.
- Setting up access rights for a service account.
Some services, such as Instance Groups or Managed Service for Kubernetes, require a service account to perform operations. If you specify a service account in the request, IAM checks whether you have permission to use this account.
The iam.serviceAccounts.keyAdmin role allows you to create, update, and delete:
The role is assigned for a service account.
Users with the iam.serviceAccounts.tokenCreator role can get tokens for the service accounts they hold it on. With such a token, the user authenticates as the service account and can perform any action the service account itself is allowed to perform. The role does not let the user edit the service account's access permissions or delete the service account.
The iam.auditor role includes permissions to retrieve metadata about objects, operations, and resources:
- Operations and lists of operations.
- Lists of available roles.
- Service accounts.
- Service account permissions.
- Keys for JWT authorization, authorized keys, and SSH keys.
- API keys and lists of API keys for service accounts.
- Static keys and lists of static keys for service accounts.
The iam.viewer role includes all the permissions of the iam.auditor role, as well as the permission to view the list of cloud users.
The iam.editor role includes all the permissions of the iam.viewer role, as well as the following permissions to manage service accounts and folders:
- Creating, updating, and deleting keys for JWT authorization, as well as authorized keys.
- Creating, updating, and deleting static access keys.
- Creating and deleting SSH keys.
The iam.admin role includes all the permissions of the iam.serviceAccounts.admin roles, as well as permissions to manage identity federations.
The primitive roles, from least to most privileged, are:
- auditor: grants permission to view service configuration and metadata without access to data.
- viewer: enables you to view information about resources.
- editor: allows you to manage resources, e.g., create, edit, and delete them.
- admin: allows you to manage your resources and access to them.
For more information about primitive roles, see Roles.
What roles do I need
The table below lists the roles needed to perform a particular action. You can always assign a role granting more permissions than the role specified. For example, you can assign the editor role instead of the
| Action | Role required |
| --- | --- |
| Get an IAM token | no roles needed, only authentication |
| View user data | no roles needed, only authentication |
| View service account data | viewer for the service account |
| View information about a folder or cloud | iam.auditor for the folder or cloud |
| View information about any resource | viewer for this resource |
| Create service accounts in the folder | iam.serviceAccounts.keyAdmin for the folder |
| Update and delete service accounts | editor for the service account |
| Create and delete keys for a service account | for the service account |

Managing resource access

| Action | Role required |
| --- | --- |
| Add a new user to the cloud | admin for the cloud |
| Make a new user the owner of the cloud | resource-manager.clouds.owner for the cloud |
| Grant a role, revoke a role, and view roles granted for the resource | admin for the resource |
| Get an IAM token for a service account | iam.serviceAccounts.tokenCreator for the service account |
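The role chart and the table above both rest on one idea: a check passes if the subject holds the required role, or any role that includes its permissions, on the resource the action targets. The following Python is an added example written for this page, not Yandex Cloud code or its API. It models the inheritance edges the page states (editor includes viewer; iam.viewer includes iam.auditor; iam.editor includes iam.viewer; iam.admin includes iam.serviceAccounts.admin) plus the primitive-role chain admin > editor > viewer > auditor (Yandex Cloud's documented primitive roles; the page itself spells out only the editor > viewer edge), encodes the table and the iam.serviceAccounts.user check as action-to-role requirements, and adds a least-privilege audit that flags bindings broader than their actual use. Subject names, resource IDs, and the sample usages are constructed for illustration.

```python
"""Role implication and least-privilege checks modelled on this page's role chart
and its "What roles do I need" table.

Added example for this page; not Yandex Cloud code and not its API. Role
inheritance edges are the ones the page states plus the primitive-role chain
admin > editor > viewer > auditor. Subjects, resource IDs and usages are
constructed for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Direct "includes all permissions of" edges; the transitive closure is computed on demand.
INCLUDES: Dict[str, Set[str]] = {
    "admin": {"editor"},
    "editor": {"viewer"},
    "viewer": {"auditor"},
    "iam.viewer": {"iam.auditor"},
    "iam.editor": {"iam.viewer"},
    "iam.admin": {"iam.serviceAccounts.admin"},
}

# Action -> role the page requires on the target resource.
# None means any authenticated subject may perform the action.
REQUIRED: Dict[str, Optional[str]] = {
    "get_iam_token": None,
    "view_user_data": None,
    "view_service_account": "viewer",
    "view_folder_or_cloud": "iam.auditor",
    "view_resource": "viewer",
    "create_service_account": "iam.serviceAccounts.keyAdmin",
    "update_or_delete_service_account": "editor",
    "add_user_to_cloud": "admin",
    "make_cloud_owner": "resource-manager.clouds.owner",
    "manage_access_bindings": "admin",
    "get_service_account_token": "iam.serviceAccounts.tokenCreator",
    # From the iam.serviceAccounts.user description: acting on behalf of a service account.
    "use_service_account": "iam.serviceAccounts.user",
}

Binding = Tuple[str, str, str]  # (subject, role, resource)
Usage = Tuple[str, str, str]    # (subject, action, resource)


def implied_roles(role: str) -> Set[str]:
    """The role itself plus every role whose permissions it transitively includes."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(INCLUDES.get(current, ()))
    return seen


def is_allowed(bindings: List[Binding], subject: str, action: str, resource: str) -> bool:
    """IAM-style check: the subject must hold the required role, or one that includes it,
    on exactly this resource. Unknown actions are refused rather than guessed."""
    if action not in REQUIRED:
        return False
    required = REQUIRED[action]
    if required is None:
        return True
    return any(
        subj == subject and res == resource and required in implied_roles(role)
        for subj, role, res in bindings
    )


def excess_bindings(bindings: List[Binding], usages: List[Usage]) -> List[Binding]:
    """Least-privilege audit. A binding is flagged when it covers every role its subject's
    usages need on that resource, yet no usage needs exactly this role: it is either
    unused or could be replaced by a narrower role from the table."""
    flagged: List[Binding] = []
    for subj, role, res in bindings:
        needed = {
            REQUIRED[action]
            for s, action, r in usages
            if s == subj and r == res and REQUIRED.get(action) is not None
        }
        if role not in needed and needed <= implied_roles(role):
            flagged.append((subj, role, res))
    return flagged


# Constructed sample data: three subjects, a cloud, a folder and one service account.
SAMPLE_BINDINGS: List[Binding] = [
    ("alice", "editor", "sa-deploy"),
    ("bob", "iam.editor", "folder-prod"),
    ("carol", "admin", "cloud-main"),
    ("ci-runner", "iam.serviceAccounts.user", "sa-deploy"),
]
SAMPLE_USAGES: List[Usage] = [
    ("alice", "view_service_account", "sa-deploy"),
    ("bob", "view_folder_or_cloud", "folder-prod"),
    ("carol", "manage_access_bindings", "cloud-main"),
    ("ci-runner", "use_service_account", "sa-deploy"),
]

if __name__ == "__main__":
    probes = SAMPLE_USAGES + [("alice", "get_service_account_token", "sa-deploy")]
    for subj, action, res in probes:
        print(f"{subj:10} {action:34} on {res:12} -> {is_allowed(SAMPLE_BINDINGS, subj, action, res)}")
    print("over-broad or unused bindings:", excess_bindings(SAMPLE_BINDINGS, SAMPLE_USAGES))
```

Run as a script, the audit flags alice's editor binding on sa-deploy and bob's iam.editor binding on folder-prod, because their recorded usages only need viewer and iam.auditor respectively; carol's admin and the ci-runner's iam.serviceAccounts.user bindings are exactly what their usages require and are not flagged. Note that editor on the service account does not satisfy get_service_account_token: the page lists that permission under iam.serviceAccounts.tokenCreator only, and the model deliberately includes no inheritance edge the page does not state.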