Access management in Message Queue
Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If the user has no roles assigned, all operations are forbidden.
To allow access to Yandex Message Queue resources, assign the required roles from the list below to the Yandex account, service account, federated users, user group, or system group. Currently, a role can only be assigned to a parent resource (folder or cloud). Roles are inherited by nested resources.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Note
For more information about role inheritance, see Inheritance of access rights in the Resource Manager documentation.
Assigning roles
To manage message queues, the user must have the appropriate permissions in the cloud and folders where operations will be performed.
To grant the user permissions:
- Add the required user if needed.
- In the management console, select the appropriate cloud in the list on the left.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configuring access bindings window, click
- Select a user from the list or search by user.
- Click
- Select a role in the cloud.
- Click Save.
Which roles exist in the service
The list below shows all roles that are considered when verifying access rights in the YMQ service.
Service roles
ymq.reader
The ymq.reader role grants permission to read and delete messages, set message visibility timeouts, and clear a queue of messages. It also allows you to get a list of queues and queue information.
ymq.writer
The ymq.writer role grants permission to write messages to a queue and create new queues. It also allows you to get a list of queues and queue information.
ymq.admin
The ymq.admin role includes the access rights of the ymq.reader and ymq.writer roles and additionally allows updating queue attributes and deleting queues. It also allows you to get a list of queues and queue information.
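The following is an added illustration, not Yandex Cloud code, of the access rules stated above: roles are bound only to a cloud or folder, nested queues inherit those bindings, a subject with no roles is denied everything, and ymq.admin is the union of ymq.reader and ymq.writer plus queue attribute updates and deletion. The permission strings, resource ids and subject names are constructed for the example and are not real IAM identifiers; the minimal_role helper shows how to pick the least-privileged service role for a given set of operations.

```python
"""Toy model of the Message Queue access check described on this page.

Added illustration (not Yandex Cloud code): permission strings, resource ids
and subjects are constructed; only the role names and the rules (bind on cloud
or folder, inheritance by nested resources, default deny, admin = reader +
writer + queue update/delete) come from the page.
"""
from __future__ import annotations

# Capabilities each service role grants. These strings are invented labels for
# the operations the page lists, not real IAM permission ids.
READER = {"queues.list", "queues.get", "messages.receive", "messages.delete",
          "messages.setVisibilityTimeout", "queues.purge"}
WRITER = {"queues.list", "queues.get", "messages.send", "queues.create"}
ROLE_PERMISSIONS = {
    "ymq.reader": READER,
    "ymq.writer": WRITER,
    # ymq.admin = reader + writer + updating queue attributes and deleting queues
    "ymq.admin": READER | WRITER | {"queues.update", "queues.delete"},
}

# Constructed resource tree: cloud -> folder -> queue. Roles may be bound only
# to a cloud or a folder; a queue inherits the bindings of its ancestors.
RESOURCE_KIND = {"cloud-a": "cloud", "folder-prod": "folder", "queue-orders": "queue"}
PARENT = {"folder-prod": "cloud-a", "queue-orders": "folder-prod"}
BINDABLE_KINDS = {"cloud", "folder"}


class Authorizer:
    def __init__(self) -> None:
        # (resource, subject) -> set of roles bound directly on that resource
        self._bindings: dict[tuple[str, str], set[str]] = {}

    def bind(self, resource: str, subject: str, role: str) -> None:
        """Assign a role; refuse targets the page says are not supported."""
        if RESOURCE_KIND.get(resource) not in BINDABLE_KINDS:
            raise ValueError(f"roles can only be assigned on a cloud or folder, not {resource!r}")
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._bindings.setdefault((resource, subject), set()).add(role)

    def effective_roles(self, subject: str, resource: str) -> set[str]:
        """Roles bound on the resource itself or on any ancestor (inheritance)."""
        roles: set[str] = set()
        node: str | None = resource
        while node is not None:
            roles |= self._bindings.get((node, subject), set())
            node = PARENT.get(node)
        return roles

    def is_allowed(self, subject: str, permission: str, resource: str) -> bool:
        """Default deny: a subject with no effective roles can do nothing."""
        granted = set().union(*(ROLE_PERMISSIONS[r] for r in self.effective_roles(subject, resource)))
        return permission in granted


def minimal_role(needed: set[str]) -> str | None:
    """Least-privileged single service role covering every needed permission."""
    candidates = [r for r, perms in ROLE_PERMISSIONS.items() if needed <= perms]
    return min(candidates, key=lambda r: len(ROLE_PERMISSIONS[r]), default=None)


def demo() -> dict[str, bool]:
    auth = Authorizer()
    auth.bind("folder-prod", "sa-consumer", "ymq.reader")  # folder-level binding
    auth.bind("cloud-a", "sa-producer", "ymq.writer")      # cloud-level binding
    return {
        "consumer_receives": auth.is_allowed("sa-consumer", "messages.receive", "queue-orders"),
        "consumer_sends": auth.is_allowed("sa-consumer", "messages.send", "queue-orders"),
        "producer_sends_via_cloud": auth.is_allowed("sa-producer", "messages.send", "queue-orders"),
        "stranger_lists": auth.is_allowed("sa-unknown", "queues.list", "queue-orders"),
    }


if __name__ == "__main__":
    print(demo())
```

A consumer service account with ymq.reader on the folder can receive from a queue in that folder but not send to it; a producer bound at the cloud level reaches the same queue through inheritance; a subject with no binding is denied even a queue listing. Giving a pipeline that only needs to send messages ymq.writer rather than ymq.admin keeps it from being able to delete or reconfigure queues if its credentials leak.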
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows you to manage resources, e.g., create, edit, and delete them.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see Roles.