Access management in Serverless Containers
Serverless Containers uses roles to manage access rights.
In this section, you will learn:
About access management
In Yandex Cloud, all operations are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the resource-manager.clouds.owner role for a resource can assign roles for this resource.
Which resources you can assign roles to
Which roles exist in the service
The list below shows all roles that are considered when verifying access rights in the Serverless Containers service.
serverless-containers.viewer role lets you view a list of containers and their details.
serverless-containers.auditor role lets you view a list of containers and all their details, except the environment variables of a revision.
serverless-containers.containerInvoker role allows you to invoke containers.
serverless-containers.editor role allows you to create, edit, and delete containers, as well as create container revisions.
serverless-containers.admin role lets you manage container access settings.
resource-manager.auditor role is assigned for an organization, cloud, or folder.
It grants permission to view cloud or folder metadata and the list of cloud or folder roles.
resource-manager.viewer role is assigned for an organization, cloud, or folder.
It grants permission to view cloud or folder information as well as view the list of access rights granted to a cloud or a folder.
resource-manager.editor role is assigned for an organization, cloud, or folder.
It grants permission to create, edit, or delete clouds or folders.
The role includes all the permissions granted by
resource-manager.admin role is assigned for an organization, cloud, or folder. It grants the right to manage access to a cloud or folder.
The role includes all the permissions granted by
This role alone does not provide you with any permissions to perform any operations and is only used in combination with other roles.
The role is useful if the user needs access to Yandex Cloud resources not only via the CLI, API, and Terraform, but also via the management console.
resource-manager.clouds.member is one of the roles that gives users access to the management console. Any role from the list can also be used for this purpose:
For an organization or cloud:
For a cloud:
Each role from the list will give the user access to the console and permissions for cloud resources or an organization. Depending on the role, this can be either for reading information about all the resources in the cloud or creating and deleting any resource.
To avoid giving the user additional rights, use resource-manager.clouds.member. The role will provide access to the management console while giving minimum additional rights. The user will only see general information about the cloud which they have been assigned the role to, but will not be able to view the resources and access rights to the cloud.
Let's assume the administrator needs to manage the network connectivity of resources in all organization clouds, while other team members are in charge of non-network resources. In this case, you can use the following access matrix:
Role For a resource Allows
Organization To manage networks, routes, IP addresses and other Virtual Private Cloud resources via the CLI, API, and Terraform in all clouds of the organization.
All clouds of the organization To work with Virtual Private Cloud in the management console, view general information about the clouds.
If there are multiple clouds in the organization and they are created and deleted frequently, it may be inconvenient to assign resource-manager.clouds.member to a cloud every time. In this case, you can replace the resource-manager.clouds.member role with the resource-manager.viewer one: if you assign it once to an organization, the administrator will be able to work in the management console with Virtual Private Cloud resources of all clouds, including those you create moving forward. Note that this role will also enable the user to view information about all clouds and folders, including access rights lists.
resource-manager.clouds.owner role is assigned for a cloud and makes the user a cloud owner. The owner can perform any operation with the cloud and its resources.
Only a cloud owner can assign and revoke a user's
A cloud must have at least one owner. A user that created a cloud automatically becomes its owner. The sole owner of a cloud may not give up this role.
Grants permission to view service configuration and metadata without access to data.
Enables you to view information about resources.
Allows you to manage resources, e.g., create, edit, and delete them.
Allows you to manage your resources and access to them.
For more information about primitive roles, see Roles.
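The following is an added example, not code from Yandex Cloud or this page, that models the role checks described above: a subject's effective permissions on a container are the union of the roles bound to that subject on the container and on every parent resource (folder, cloud, organization). The role IDs are the ones listed on this page; the permission strings, the resource tree and the subjects are constructed for illustration, and the inclusion chain for the service roles (editor includes viewer, admin includes editor) is an assumption, since the page states such inclusion only for the resource-manager roles. It shows why separate service accounts for deploying (editor on the folder) and invoking (containerInvoker on one container) keep each principal at minimum rights, why auditor is the safe choice when revision environment variables may hold secrets, and that resource-manager.clouds.member on its own grants no permissions.

```python
from dataclasses import dataclass

# Constructed permission names per role, following the role descriptions on this page.
ROLE_PERMISSIONS = {
    "serverless-containers.auditor": {"containers.list", "containers.get"},  # no env vars
    "serverless-containers.viewer": {"containers.list", "containers.get", "containers.getEnv"},
    "serverless-containers.containerInvoker": {"containers.invoke"},
    "serverless-containers.editor": {"containers.create", "containers.update",
                                     "containers.delete", "containers.createRevision"},
    "serverless-containers.admin": {"containers.setAccessBindings"},
    "resource-manager.clouds.member": set(),  # console access only, no permissions by itself
    "resource-manager.viewer": {"clouds.get", "folders.get", "accessBindings.list"},
}

# Assumed inclusion chain for the service roles: editor includes viewer, admin includes editor.
ROLE_INCLUDES = {
    "serverless-containers.editor": "serverless-containers.viewer",
    "serverless-containers.admin": "serverless-containers.editor",
}

# Constructed resource tree: organization > cloud > folder > container.
PARENT = {
    "cloud:main": "organization:acme",
    "folder:prod": "cloud:main",
    "container:api": "folder:prod",
}


@dataclass(frozen=True)
class Binding:
    subject: str   # e.g. "serviceAccount:<id>" or "userAccount:<id>"
    role: str
    resource: str


def expand_role(role):
    """Permissions of a role plus those of every role it includes."""
    perms = set()
    while role is not None:
        perms |= ROLE_PERMISSIONS[role]
        role = ROLE_INCLUDES.get(role)
    return perms


def effective_permissions(bindings, subject, resource):
    """Union of permissions from bindings on the resource and on each of its ancestors."""
    perms = set()
    node = resource
    while node is not None:
        for b in bindings:
            if b.subject == subject and b.resource == node:
                perms |= expand_role(b.role)
        node = PARENT.get(node)
    return perms


def is_allowed(bindings, subject, permission, resource):
    return permission in effective_permissions(bindings, subject, resource)


# Constructed least-privilege assignment: one principal per task, bound as low as possible.
BINDINGS = [
    Binding("serviceAccount:ci", "serverless-containers.editor", "folder:prod"),
    Binding("serviceAccount:gateway", "serverless-containers.containerInvoker", "container:api"),
    Binding("userAccount:auditor", "serverless-containers.auditor", "cloud:main"),
    Binding("userAccount:newcomer", "resource-manager.clouds.member", "cloud:main"),
]


def demo():
    """Checks a practitioner would run before approving the bindings above."""
    return {
        "ci_can_create_revision": is_allowed(BINDINGS, "serviceAccount:ci",
                                             "containers.createRevision", "container:api"),
        "ci_cannot_change_access": not is_allowed(BINDINGS, "serviceAccount:ci",
                                                  "containers.setAccessBindings", "container:api"),
        "gateway_can_invoke": is_allowed(BINDINGS, "serviceAccount:gateway",
                                         "containers.invoke", "container:api"),
        "gateway_cannot_list_folder": not is_allowed(BINDINGS, "serviceAccount:gateway",
                                                     "containers.list", "folder:prod"),
        "auditor_can_list": is_allowed(BINDINGS, "userAccount:auditor",
                                       "containers.list", "folder:prod"),
        "auditor_sees_no_env": not is_allowed(BINDINGS, "userAccount:auditor",
                                              "containers.getEnv", "container:api"),
        "member_alone_grants_nothing": effective_permissions(
            BINDINGS, "userAccount:newcomer", "cloud:main") == set(),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Binding the invoker role directly on the container rather than on the folder is the point of the model: a role bound higher in the tree is inherited by every container below it, so the folder is the right level for a deployment account that manages all containers there, while a caller needs nothing beyond the one container it invokes.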