Access management in Virtual Private Cloud
In this section, you'll learn:
- What resources you can assign roles to.
- What roles exist in the service.
- What roles are required for particular actions.
About access management
All transactions in Yandex Cloud are checked by the Identity and Access Management service. If a subject doesn't have the required permission, the service returns an error.
To grant permission to a resource, assign roles for this resource to the subject that will perform operations. Roles can be assigned to a Yandex account, service account or system group. For more information, see How access management works in Yandex Cloud.
Only users with the admin or resource-manager.clouds.owner role for a resource can assign roles for this resource.
What resources you can assign roles to
As with other services, you can assign roles for clouds, folder and service accounts. The roles assigned for clouds and folders also apply to nested resources.
What roles exist in the service
The diagram shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all viewer role permissions. A description of each role is given under the diagram.
Active roles in the service:
- Service roles:
-
resource-manager.clouds.owner: Grants you full access to the cloud and the resources in it. You can only assign this role for a cloud. -
resource-manager.clouds.memberis required for everyone except the cloud owners and service accounts to access resources in a cloud not owned by the organization. -
vpc.viewer: Lets you view resource model objects. -
vpc.user: Lets you connect to network resources and use them. -
vpc.privateAdmin: Lets you manage connectivity within Yandex Cloud, but not from the internet. -
vpc.publicAdmin: Lets you manage external connectivity. Important: if a network and subnet are in different folders, thevpc.publicAdminrole is checked for the folder where the network is located. -
vpc.securityGroups.admin: Lets you manage security groups. -
vpc.adminis a network administrator role that combinesvpc.privateAdmin,vpc.publicAdmin, andvpc.securityGroups.admin.
-
- Primitive roles:
What roles do I need
The table below lists the roles needed to perform a given action. You can always assign a role granting more permissions than the role specified. For example, assign editor instead of viewer or vpc.admin instead of vpc.publicAdmin.
| Action | Methods | Required roles |
|---|---|---|
| View data | ||
| View information about any resource | get, list, listOperations |
vpc.viewer or viewer for this resource |
| List subnets in the network | listSubnets |
vpc.viewer or viewer for the network |
| Use of resources | ||
| Assign VPC resources to other Yandex Cloud resources (for example, assigning an address to an interface or connecting a network interface to a subnet) | Various | vpc.user for the resource and the right to change the receiving object if the resource assignment operation is mutating |
| Assign or delete the public address of an interface | various | vpc.publicAdmin for the network |
| Creating a VM connected to multiple networks | create |
vpc.publicAdmin for each network the VM is connecting to |
| Manage resources | ||
| Create networks in a folder | create |
vpc.privateAdmin or editor for the folder |
| Update, and delete networks | update, delete |
vpc.privateAdmin or editor for the network |
| Create subnets in a folder | create |
vpc.privateAdmin or editor for the folder and network |
| Update and delete subnets | update, delete |
vpc.privateAdmin or editor for the folder |
| Create a route table | create |
vpc.privateAdmin or editor for the folder |
| Update or delete a route table | update, delete |
vpc.privateAdmin or editor for the route table |
| Create public addresses | create |
vpc.publicAdmin or editor for the folder |
| Delete public addresses | delete |
vpc.publicAdmin or editor for the address |
| Enable NAT to the internet | vpc.publicAdmin or editor for the subnet |
|
| Create security groups | create |
vpc.securityGroups.admin or editor for the folder and network |
| Update and delete security groups | update, delete |
vpc.securityGroups.admin or editor for the network and security group |
| Manage resource access | ||
| Assign, revoke, and view roles granted for the resource | setAccessBindings, updateAccessBindings, listAccessBindings |
admin for the resource |