Access management in Yandex Cloud Billing
Billing account access
Billing account access is provided through the Yandex Cloud Billing service. A billing account can be created by users with a registered Yandex or Yandex 360 account:
- If you have not created an account for yourself or an employee yet, create one in Yandex or Yandex 360.
- If you use a social network profile to log in to Yandex, create a username and password.
The operations a user can perform on a billing account are determined by the role assigned to them. Roles can be assigned to a Yandex account, a service account, federated users, a user group, or a system group.
Note
Access can only be granted to a user whose billing account has a cloud linked in Identity and Access Management.
Which roles exist in the service
Service roles
billing.accounts.owner
The billing.accounts.owner role is granted automatically when you create a billing account. The role granted when creating an account cannot be revoked, but it can be assigned to other users and revoked from them.
billing.accounts.viewer
The billing.accounts.viewer role is assigned for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, and export reconciliation reports and reporting documents.
billing.accounts.accountant
The billing.accounts.accountant role is assigned for a billing account. This role enables you to view billing account data, get information about resource consumption, monitor expenses, export reconciliation reports and reporting documents, create new reconciliation reports, and top up your personal account using a bank account.
billing.accounts.editor
The billing.accounts.editor role is assigned for a billing account. It grants permission to get payment invoices, activate promo codes, link clouds and services to the billing account, export details, create budgets, generate reconciliation reports, and reserve resources. This role includes the billing.accounts.viewer role.
billing.accounts.admin
The billing.accounts.admin role is assigned for a billing account. It allows managing access permissions for the billing account (except for the billing.accounts.owner role). It includes the billing.accounts.editor role.
billing.accounts.varWithoutDiscounts
The billing.accounts.varWithoutDiscounts role is assigned for a billing account. This role grants partner accounts all administrator privileges, except the permission to get information about discounts. This role includes the billing.partners.editor role.
billing.partners.editor
The billing.partners.editor role is assigned for a billing account. It grants permission to edit information about a partner and their products in the partner product catalog.
Primitive roles
Primitive roles are aggregator roles that define user permissions to access services. In Yandex Cloud Billing, these roles match the following billing.accounts.* roles:
- auditor: Same as billing.accounts.viewer with some limitations.
- viewer: Same as billing.accounts.viewer.
- editor: Same as billing.accounts.editor.
- admin: Same as billing.accounts.admin.
Primitive roles can only be assigned to users in the Users list.
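The role inclusions and primitive-role matches described above can be used to review billing account bindings for least privilege. The following is an added example, not Yandex Cloud code or an official API: it expands each role into the roles it includes, then flags high-privilege and redundant bindings. The subject names, the sample bindings and the grouping of roles under HIGH_PRIVILEGE are assumptions made for illustration.

```python
# Inclusions exactly as stated on this page: the key role includes the listed roles.
INCLUDES = {
    "billing.accounts.admin": ["billing.accounts.editor"],
    "billing.accounts.editor": ["billing.accounts.viewer"],
    "billing.accounts.varWithoutDiscounts": ["billing.partners.editor"],
}
# Primitive role -> matching billing.accounts.* role.
PRIMITIVE = {p: f"billing.accounts.{p}" for p in ("viewer", "editor", "admin")}
PRIMITIVE["auditor"] = "billing.accounts.viewer"  # page: "with some limitations"
# owner/admin can add users and manage access; varWithoutDiscounts is described
# as granting all administrator privileges except discount information.
HIGH_PRIVILEGE = {"billing.accounts.owner", "billing.accounts.admin",
                  "billing.accounts.varWithoutDiscounts"}

def effective_roles(role):
    """Return the canonical role plus every role it transitively includes."""
    seen, stack = set(), [PRIMITIVE.get(role, role)]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(INCLUDES.get(current, []))
    return seen

def audit(bindings):
    """Map each subject to findings for a list of (subject, role) bindings."""
    by_subject = {}
    for subject, role in bindings:
        by_subject.setdefault(subject, []).append(role)
    findings = {}
    for subject, roles in by_subject.items():
        canon = {r: PRIMITIVE.get(r, r) for r in roles}
        notes = [f"high privilege: {r}" for r in roles if canon[r] in HIGH_PRIVILEGE]
        for r in roles:  # a role strictly included in another held role adds nothing
            if any(canon[o] != canon[r] and canon[r] in effective_roles(o) for o in roles):
                notes.append(f"redundant: {r}")
        findings[subject] = notes
    return findings

# Constructed sample bindings; subject names are hypothetical.
SAMPLE = [
    ("userAccount:alice", "billing.accounts.admin"),
    ("userAccount:alice", "billing.accounts.viewer"),
    ("serviceAccount:export-bot", "editor"),
    ("userAccount:bob", "auditor"),
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```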
Available operations
The table below provides a list of operations available to each role type.
Operations | owner | viewer | accountant | editor | admin |
---|---|---|---|---|---|
Displaying a billing account in the list of all user accounts | |||||
Viewing billing account information | |||||
Viewing and receiving usage notifications | |||||
Viewing and downloading reporting (closing) documents | |||||
Viewing and downloading generated reconciliation reports | |||||
Checking expenses | |||||
Accessing usage details | |||||
Topping up your personal account using a bank account | |||||
Generating a new reconciliation report | |||||
Activating promo codes | |||||
Linking clouds to billing accounts | |||||
Creating details export | |||||
Creating budget | |||||
Resource allocation | |||||
Assigning roles to billing accounts | |||||
Viewing and editing roles | |||||
Renaming a billing account | |||||
Changing payer contact information | |||||
Changing billing details | |||||
Changing bank cards | |||||
Changing payment methods | |||||
Activating trial period | |||||
Activating paid version | |||||
Topping up your personal account using a bank card |
Adding a user
The steps for adding a new billing account user depend on whether this billing account is added to your organization.
Assign the required role for the billing account to a user or service account in your organization.
Note
To add a new billing account user, you need to have the billing.accounts.owner or billing.accounts.admin role.
- Go to Yandex Cloud Billing.
- Select a billing account.
- Go to the Access management page.
- At the top right, click Add user.
- Select a user from the drop-down list. The list shows users whose clouds are linked to your billing account.
- Click Add.
The user or service account is assigned the billing.accounts.member role and added to the Users list. To grant billing account access, assign them the required role.
Assigning roles
The steps for assigning a billing account role depend on whether this billing account is added to your organization.
Users with the billing.accounts.admin role can grant access to the billing account to any user or service account within the same organization. To do this:
- Make sure that the user you need belongs to your organization. If not, add them.
- Go to Yandex Cloud Billing.
- Select a billing account.
- Go to the Access management page.
- At the top right, click Assign bindings. In the window that opens:
  - Click Select subject.
  - Select a user or service account from the list or use the search bar.
  - Click Add role and select the required role.
  - Click Save.
Note
If you assign the Yandex Cloud Billing service role to an organization, all billing accounts within this organization will also assume this role.
Users with the billing.accounts.admin role can grant access to the billing account to any user or service account on the Users list. To do this:
- Go to Yandex Cloud Billing.
- Select a billing account.
- Go to the Access management page.
- Find the user or service account in the list.
- In the line with the user or service account you need, click the icon and select Configure roles.
- Click Assign role.
- Select a role from the list.
The role will be assigned without expiration.
Revoking roles
The steps for revoking a billing account role depend on whether this billing account is added to your organization.
A user with the billing.accounts.admin role can revoke a billing account role from users or service accounts in their organization at any time. To do this:
- Go to Yandex Cloud Billing.
- Select a billing account.
- Go to the Access management page.
- Select a user or service account from the list or use filtering by users.
- In the line with the user or service account you need, click the icon and select Edit roles.
- Click the icon next to the role to be revoked.
- Click Save. The role will be revoked.
A user with the billing.accounts.admin role can revoke a billing account role from users or service accounts on the list at any time. To do this:
- Go to Yandex Cloud Billing.
- Select a billing account.
- Go to the Access management page.
- Find the user or service account in the list.
- In the line with the user or service account you need, click the icon and select Configure roles.
- Click the icon next to the role to be revoked. The role will be revoked.
Note
If the billing.accounts.member role is revoked from a user, they will not be able to access the billing account.
Deleting users
You can only delete users from those billing accounts that are not added to an organization. To do this:
- Go to Yandex Cloud Billing.
- Select a billing account.
- Find the user or service account in the list.
- In the line with the user or service account you need, click the icon and select Remove user. This deletes the user from the list of billing account users.
If the billing account is added to an organization, you can simply revoke the required role from a user or service account. You can remove a user from the organization to prevent them from accessing any of its clouds or resources.