Assigning a role for a resource

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.

To assign a role for a resource, run the following command:

• To a user:

  yc container <resource> add-access-binding <resource_name_or_ID> \
    --role <role> \
    --user-account-id <user_ID>
  

• To a service account:

  yc container <resource> add-access-binding <resource_name_or_ID> \
    --role <role> \
    --service-account-id <service_account_ID>
  

• To all authenticated users (the All authenticated users public group):

  yc container <resource> add-access-binding <resource_name_or_ID> \
    --role <role> \
    --all-authenticated-users
  

  Where:

  • <resource>: registry or repository resource type.
  • <resource_name_or_ID>: Name or ID of the resource to assign the role for.
  • <role>: Role you want to assign.

Example

In the example below, we are assigning the container-registry.admin role for my-first-registry to a user.

yc container registry add-access-binding my-first-registry \
  --role container-registry.admin \
  --user-account-id ajeugsk5ubk6********

Result:

done (4s)

If you don't have Terraform, install it and configure the Yandex Cloud provider.

1. Describe the following in a configuration file:

   • The yandex_container_registry_iam_binding resource parameters to assign the role for the registry:

     resource "yandex_container_registry_iam_binding" "registry_name" {
       registry_id = "<registry_ID>"
       role        = "<role>"
     
       members = [
         "userAccount:<user_ID>",
       ]
     }
     

     Where:

     • registry_id: ID of the registry for which a role is being assigned. To find out the registry ID, get a list of registries in the folder.
     • role: Role you want to assign.
     • members: ID of the user, group, or service account to which you are assigning the role.

   • The yandex_container_repository_iam_binding resource parameters to assign the role for the repository:

     resource "yandex_container_repository_iam_binding" "repository_name" {
       repository_id = "<repository_ID>"
       role          = "<role>"
     
       members = [
         "serviceAccount:<service_account_ID>",
       ]
     }
     

     Where:

     • repository_id: ID of the repository for which you are assigning the role. To find out the ID of a repository, get a list of repositories in the folder.
     • role: Role you want to assign.
     • members: ID of the user, group, or service account to which you are assigning the role.

   For more information about yandex_container_repository_iam_binding, see the provider documentation.

2. 1. In the terminal, change to the folder where you edited the configuration file.

   2. Make sure the configuration file is correct using the command:

      terraform validate
      

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.
      

   3. Run the command:

      terraform plan
      

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

   4. Apply the configuration changes:

      terraform apply
      

   5. Confirm the changes: type yes in the terminal and press Enter.

You can check that the role has been assigned using the management console or this CLI command:

• Registry:

  yc container registry list-access-bindings <registry_name_or_ID>
  

• Repository:

  yc container repository list-access-bindings <repository_name_or_ID>
  

Use the updateAccessBindings REST API method for the Registry resource or the RegistryService/UpdateAccessBindings gRPC API call.

Use the updateAccessBindings REST API method for the Repository resource or the RepositoryService/UpdateAccessBindings gRPC API call.