Access management in SpeechKit
In this section, you will learn:
About access management
In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.
To grant permission for a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Which resources you can assign a role for
As with other services, roles can be assigned for a cloud or folder. Roles assigned for clouds and folders also apply to nested resources.
Which roles exist in the service
Service roles
ai.speechkit-stt.user
The ai.speechkit-stt.user role enables you to use SpeechKit to recognize speech.
ai.speechkit-tts.user
The ai.speechkit-tts.user role enables you to use SpeechKit to synthesize speech.
ai.auditor
The ai.auditor role enables you to view quotas for Translate, Vision, SpeechKit, and YandexGPT, as well as folder metadata.
ai.viewer
The ai.viewer role enables you to view quotas for Translate, Vision, SpeechKit, and YandexGPT, as well as folder metadata. It includes all permissions of the ai.auditor role.
ai.editor
The ai.editor role allows you to use Translate, Vision, SpeechKit, and YandexGPT. It includes all permissions of the ai.viewer, ai.speechkit-stt.user, ai.speechkit-tts.user, ai.vision.user, ai.translate.user, and ai.languageModels.user roles.
ai.admin
The ai.admin role allows you to use Translate, Vision, SpeechKit, and YandexGPT. It includes all permissions of the ai.editor role.
For more information about service roles, see Roles in the Yandex Identity and Access Management service documentation.
Roles of other services
When working with SpeechKit, you may need roles of other services, for example, to upload results and source materials to an Object Storage bucket.
resource-manager.clouds.owner
The resource-manager.clouds.owner role grants full access to the cloud and its resources. The role can only be assigned for a cloud.
storage.uploader
The storage.uploader role enables you to upload objects to a bucket and overwrite previously uploaded ones. Since the storage.uploader role inherits the permissions of the storage.viewer role, it also grants permission to list bucket objects and download them.
This role does not allow you to delete objects or configure buckets.
kms.keys.encrypterDecrypter
The kms.keys.encrypterDecrypter role enables you to encrypt and decrypt data and view information about keys. It includes all access rights of the kms.keys.encrypter and kms.keys.decrypter roles.
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows you to manage resources, e.g., create, edit, and delete them.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see Roles.
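Because roles include other roles, one broad binding can stand in for several narrow ones. The following Python is an added example, not part of the Yandex Cloud documentation: it expands each role through the inclusions listed on this page and flags bindings that are wider than a workload needs. The subjects, the requirements map, and the function names are constructed for illustration.

```python
INCLUDES = {  # role inclusions as stated on this page
    "ai.viewer": {"ai.auditor"},
    "ai.editor": {"ai.viewer", "ai.speechkit-stt.user", "ai.speechkit-tts.user",
                  "ai.vision.user", "ai.translate.user", "ai.languageModels.user"},
    "ai.admin": {"ai.editor"},
    "storage.uploader": {"storage.viewer"},
    "kms.keys.encrypterDecrypter": {"kms.keys.encrypter", "kms.keys.decrypter"},
}
CAN_ASSIGN = {"admin", "resource-manager.clouds.owner",  # may assign roles (per page)
              "organization-manager.organizations.owner"}

def expand(role):
    """Return the role plus every role it includes, transitively."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(INCLUDES.get(r, ()))
    return seen

def audit(bindings, needed):
    """Flag (subject, role) bindings wider than the roles in needed[subject]."""
    findings = []
    for subject, role in bindings:
        used = expand(role) & needed.get(subject, set())
        if role in CAN_ASSIGN:
            findings.append((subject, role, "can assign roles; review"))
        elif not used:
            findings.append((subject, role, "unused; revoke"))
        elif role not in used:
            findings.append((subject, role, "over-broad; grant " + ", ".join(sorted(used))))
    return sorted(findings)

# Constructed sample data: hypothetical subjects and requirements.
BINDINGS = [
    ("serviceAccount:stt-worker", "ai.editor"),
    ("serviceAccount:stt-worker", "storage.uploader"),
    ("serviceAccount:tts-bot", "ai.speechkit-tts.user"),
    ("serviceAccount:tts-bot", "kms.keys.encrypterDecrypter"),
    ("userAccount:ops", "admin"),
]
NEEDED = {
    "serviceAccount:stt-worker": {"ai.speechkit-stt.user", "storage.uploader"},
    "serviceAccount:tts-bot": {"ai.speechkit-tts.user"},
}

if __name__ == "__main__":
    print(*audit(BINDINGS, NEEDED), sep="\n")
```

A binding is reported as over-broad only when the granted role itself is not required but something it includes is, so storage.uploader is not flagged merely for carrying storage.viewer.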