Contact UsGet started

Configuring access to a certificate

Written by
Updated at May 13, 2025

To grant a user, group, or service account access to a certificate, assign a role for it.

Assigning a role

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for assigning a role for a certificate:

    yc certificate-manager certificate add-access-binding --help

  2. Get a list of certificates in the default folder:

    yc certificate-manager certificate list

    Result:

    +----------------------+--------+-------------+---------------------+----------+---------+
|          ID          |  NAME  |   DOMAINS   |      NOT AFTER      |   TYPE   | STATUS  |
+----------------------+--------+-------------+---------------------+----------+---------+
| fpqgbg3fajpg******** | cert-1 | example.com | 2026-01-04 13:58:14 | IMPORTED | ISSUED  |
| fpqlhev2j4ad******** | cert-2 | example.com | 2026-01-04 14:07:02 | IMPORTED | ISSUED  |
+----------------------+--------+-------------+---------------------+----------+---------+

  3. View a list of roles already assigned for the resource in question:

    yc certificate-manager certificate list-access-bindings <certificate_ID>

  4. Assign the role using this command:

    • To a user:

      yc certificate-manager certificate add-access-binding <certificate_ID> \
  --user-account-id <user_ID> \
  --role <role>

      Where:

    • To a service account:

      yc certificate-manager certificate add-access-binding <certificate_ID> \
  --service-account-id <service_account_ID> \
  --role <role>

      Where:

Use the updateAccessBindings REST API method for the Certificate resource or the CertificateService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.

Assigning multiple roles

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

You can assign multiple roles using the set-access-bindings command.

Alert

The set-access-bindings command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.

  1. View the list of roles assigned for a certificate:

    yc certificate-manager certificate list-access-bindings <certificate_ID>

    If you need to save the roles, specify them in the command for assigning roles.

  2. See the description of the CLI command for assigning roles for a certificate:

    yc certificate-manager certificate set-access-bindings --help

  3. Assign roles:

    yc certificate-manager certificate set-access-bindings <certificate_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID>

    Where:

    • --access-binding: Role to assign:

      • role: ID of the role to assign.
      • subject: Type and ID of the subject you are assigning the role to.

    For example, this command will assign roles to multiple users and a single service account:

    yc certificate-manager certificate set-access-bindings my-certificate \
  --access-binding role=editor,subject=userAccount:gfei8n54hmfh********
  --access-binding role=viewer,subject=userAccount:helj89sfj80a********
  --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********

Use the setAccessBindings REST API method for the Certificate resource or the CertificateService/SetAccessBindings gRPC API call.

Revoking a role

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for revoking a role for a certificate:

    yc certificate-manager certificate remove-access-binding --help

  2. View the roles and assignees for the resource:

    yc certificate-manager certificate list-access-bindings <certificate_ID>

  3. To revoke access permissions, run this command:

    yc certificate-manager certificate remove-access-binding <certificate_ID> \
  --role <role_ID> \
  --subject <subject_type>:<subject_ID>

    Where:

    • --role: ID of the role to revoke.
    • --subject: Subject to revoke the role from.

    For example, to revoke the viewer role from a user with the ajel6l0jcb9s******** ID:

    yc certificate-manager certificate remove-access-binding my-certificate \
  --role viewer \
  --subject userAccount:ajel6l0jcb9s********

To revoke roles for a certificate, use the updateAccessBindings REST API method for the Certificate resource or the CertificateService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.

Previous
Adding alerts for certificates
Next
Viewing operations with a certificate