Access management in Serverless Containers

Serverless Containers uses roles to manage access rights.

In this section, you will learn:

• Which resources you can assign roles to.
• Which roles exist in the service.

About access management

All transactions in Yandex Cloud are checked by the Yandex Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.

To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.

Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.

What resources you can assign roles to

Roles can be assigned for a cloud, folder, and container.

What roles exist in the service

The list below shows all roles that are considered when verifying access rights in the Serverless Containers service.

serverless-containers.viewer

The serverless-containers.viewer role lets you view a list of containers and their details.

serverless-containers.auditor

The serverless-containers.auditor role lets you view a list of containers and all their details, except the environment variables of a revision.

serverless-containers.containerInvoker

The serverless-containers.containerInvoker role allows you to invoke containers.

serverless-containers.editor

The serverless-containers.editor role lets you create, edit, and delete containers, as well as create container revisions.

serverless-containers.admin

The serverless-containers.admin role lets you manage container access settings.

resource-manager.clouds.member

This role alone doesn't give you the right to perform any operations and is only used in combination with other roles.

How the role can be combined with other roles depends on whether a cloud belongs to an organization or not.

For a cloud in an organization

The role is useful if the user needs access to Yandex Cloud resources not only via the CLI, API, and Terraform, but also via the management console.

resource-manager.clouds.member is one of the roles that gives users access to the management console. Any role from the list can also be used for this purpose:

• For an organization or cloud:

  • resource-manager.admin.
  • resource-manager.editor.
  • resource-manager.viewer.
  • admin.
  • editor.
  • viewer.

• For a cloud:

  • resource-manager.clouds.owner

Each role from the list will give the user access to the console and permissions for cloud resources or an organization. Depending on the role, this can be either for reading information about all the resources in the cloud or creating and deleting any resource.

To avoid giving the user additional rights, use resource-manager.clouds.member. The role will provide access to the management console while giving minimum additional rights. The user will only see general information about the cloud which they have been assigned the role to, but will not be able to view the resources and access rights to the cloud.

Example:

The administrator must manage the network connectivity of resources in all clouds of the organization. Other team members are responsible for non-network resources. In this case, the following access matrix can be used:

Role	For a resource	Allows
vpc.admin	Organization	To manage networks, routes, IP addresses and other Virtual Private Cloud resources via the CLI, API, and Terraform in all clouds of the organization
resource-manager.clouds.member	All clouds of the organization	To work with Virtual Private Cloud in the management console, view general information about the clouds

For a cloud without an organization

A role everyone requires to access cloud resources, except for cloud owners and service accounts.

Without this role, no other roles will work for the user.

The role is assigned automatically when you add a new user to a cloud without an organization.

resource-manager.clouds.owner

The resource-manager.clouds.owner role is assigned for a cloud and makes the user a cloud owner. The owner can perform any operation with the cloud and its resources.

Only a cloud owner can assign and revoke a user's resource-manager.clouds.owner role.

A cloud must have at least one owner. A user that created a cloud automatically becomes its owner. The sole owner of a cloud may not give up this role.

resource-manager.admin

The resource-manager.admin role is assigned for an organization, cloud, or folder. It grants the right to manage access to a cloud or folder.

The role includes all the permissions granted by resource-manager.viewer and resource-manager.editor.

resource-manager.editor

The resource-manager.editor role is assigned for an organization, cloud, or folder.
It grants permission to create, edit, or delete clouds or folders.

The role includes all the permissions granted by resource-manager.viewer.

resource-manager.viewer

The resource-manager.viewer role is assigned for an organization, cloud, or folder.
It grants permission to view cloud or folder information as well as view the list of access rights granted to a cloud or a folder.

resource-manager.auditor

The resource-manager.auditor role is assigned for an organization, cloud, or folder.
It grants permission to view cloud or folder metadata and the list of cloud or folder roles.

viewer

Users with the viewer role can view information about resources, for example, a list of containers or their revisions.

editor

Users with the editor role can manage containers, for example, create a container or invoke it.

The editor role includes all permissions of the viewer role.

admin

Users with the admin role can manage resource access rights, such as permitting other users to invoke a container.

The admin role includes all permissions of the editor role.