Configure your cloud
When a user registers with Yandex Cloud, a cloud is created for that user. The cloud is a separate workspace with this user as its owner. A default folder and a default network are created in the cloud.
The owner can create new folders and resources in this cloud and manage access rights to them.
Create a folder
In the management console:
- In the management console, select the appropriate cloud in the list on the left.
- At the top right, click Create folder.
- Enter the folder name. The naming requirements are as follows:
  - The name must be from 3 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - The first character must be a letter and the last character cannot be a hyphen.
- (Optional) Enter a description of the folder.
- Select Create a default network. This will create a network with subnets in each availability zone. Within this network, a default security group will be created, inside which all network traffic is allowed.
- Click Create.
Using the CLI:
- View the description of the create folder command:
  yc resource-manager folder create --help
- Create a new folder:
  - With a name and without a description:
    yc resource-manager folder create \
      --name new-folder
    The folder naming requirements are as follows:
    - The name must be from 3 to 63 characters long.
    - It may contain lowercase Latin letters, numbers, and hyphens.
    - The first character must be a letter and the last character cannot be a hyphen.
  - With a name and description:
    yc resource-manager folder create \
      --name new-folder \
      --description "my first folder with description"
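A pre-flight check for the folder naming rules listed above, added here as an example (it is not part of the Yandex Cloud documentation or the yc CLI); run it on a candidate name before calling `yc resource-manager folder create`.

```python
import re

# Added example, not from the Yandex Cloud docs: the folder naming rules stated in this guide.
MIN_LEN, MAX_LEN = 3, 63
ALLOWED_CHARS = re.compile(r"[a-z0-9-]+")   # lowercase Latin letters, digits, hyphens

def folder_name_violations(name: str) -> list:
    """Return every naming rule the candidate folder name breaks (empty list means valid)."""
    problems = []
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append(f"length {len(name)} is not between {MIN_LEN} and {MAX_LEN}")
    if not ALLOWED_CHARS.fullmatch(name):
        problems.append("only lowercase Latin letters, digits and hyphens are allowed")
    if not re.fullmatch(r"[a-z]", name[:1]):
        problems.append("first character must be a letter")
    if name.endswith("-"):
        problems.append("last character cannot be a hyphen")
    return problems

def is_valid_folder_name(name: str) -> bool:
    return not folder_name_violations(name)

if __name__ == "__main__":
    # Constructed candidates covering each rule.
    for candidate in ["new-folder", "My-Folder", "1st-folder", "folder-", "ab", "a" * 64]:
        print(f"{candidate!r}: {folder_name_violations(candidate) or 'ok'}")
```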
Update a folder
The management console only allows you to change the name of a folder. To change its description, use the CLI or API.
In the management console:
- On the home page of the management console, select the folder. This page displays folders for the selected cloud. If necessary, switch to another cloud.
- Click the icon next to the folder and select Edit.
- Enter a new name for the folder.
- Click Save.
Using the CLI:
- View the description of the update folder command:
  yc resource-manager folder update --help
- If you know the folder ID or name, proceed to the next step. Otherwise, use one of these methods to get them:
  - Get a list of folders:
    $ yc resource-manager folder list
    +----------------------+--------------------+--------+--------+-------------+
    |          ID          |        NAME        | LABELS | STATUS | DESCRIPTION |
    +----------------------+--------------------+--------+--------+-------------+
    | b1gppulhhm2aaufq9eug | yet-another-folder |        | ACTIVE |             |
    | b1gvmob95yysaplct532 | default            |        | ACTIVE |             |
    +----------------------+--------------------+--------+--------+-------------+
  - If you know the ID of a resource that belongs to the required folder, you can get the folder ID from the information about that resource:
    yc <SERVICE-NAME> <RESOURCE> get <RESOURCE-ID>
    Where:
    - <SERVICE-NAME>: Name of the service, such as compute.
    - <RESOURCE>: Resource category, e.g., instance.
    - <RESOURCE-ID>: Resource ID.
    For example, the fhmp74bfis2aim728p2a VM belongs to the b1gpvjd9ir42nsng55ck folder:
    yc compute instance get fhmp74bfis2ais728p2a
    id: fhmp74bfis2ais728p2a
    folder_id: b1gpvjd9ia42nsng55ck
    ...
- Change the folder parameters, e.g., name and description. You can specify the folder to update by its name or ID.
  yc resource-manager folder update default \
    --new-name myfolder \
    --description "this is my default-folder"
  The command will rename the default folder to myfolder and update its description. The folder naming requirements are as follows:
  - The name must be from 3 to 63 characters long.
  - It may contain lowercase Latin letters, numbers, and hyphens.
  - The first character must be a letter and the last character cannot be a hyphen.
Assign folder roles
In the management console:
- Open the Users and roles page for the selected cloud. If necessary, switch to another cloud.
- On the left-hand panel, select a cloud.
- Click the Access bindings tab.
- Find the required user in the list. Assigned roles are specified in the Roles column.
- Select a folder in the Roles in folders section and click the icon.
- Select a role from the list.
Using the CLI:
- View the description of the command to assign a role for a folder:
  yc resource-manager folder add-access-binding --help
- Select a folder, e.g., my-folder:
  yc resource-manager folder list
  +----------------------+-----------+--------+--------+
  |          ID          |   NAME    | LABELS | STATUS |
  +----------------------+-----------+--------+--------+
  | b1gd129pp9ha0vnvf5g7 | my-folder |        | ACTIVE |
  +----------------------+-----------+--------+--------+
- Choose the role:
  yc iam role list
  +--------------------------------+-------------+
  |               ID               | DESCRIPTION |
  +--------------------------------+-------------+
  | admin                          |             |
  | compute.images.user            |             |
  | editor                         |             |
  | ...                            |             |
  +--------------------------------+-------------+
- Find out the user ID from the login or email address. To assign a role to a service account or a user group rather than to a single user, see the examples below.
  yc iam user-account get test-user
  id: gfei8n54hmfhuk5nogse
  yandex_passport_user_account:
    login: test-user
    default_email: test-user@yandex.ru
- Assign the editor role for the my-folder folder to a user named test-user. In the subject, specify the userAccount type and the user ID:
  yc resource-manager folder add-access-binding my-folder \
    --role editor \
    --subject userAccount:gfei8n54hmfhuk5nogse
In the API, use the updateAccessBindings method for the Folder resource. You will need the folder ID and the ID of the user to whom you want to assign the role for the folder.
- Find out the folder ID using the list:
  $ curl -H "Authorization: Bearer <IAM_TOKEN>" \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders?cloudId=b1gg8sgd16g7qca5onqs
  {
    "folders": [
      {
        "id": "b1g66mft1vopnevbn57j",
        "cloudId": "b1gd129pp9ha0vnvf5g7",
        "createdAt": "2018-10-17T12:44:31Z",
        "name": "my-folder",
        "status": "ACTIVE"
      }
    ]
  }
- Find out the user ID from the login using the getByLogin method:
  curl -H "Authorization: Bearer <IAM_TOKEN>" \
    https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
  {
    "id": "gfei8n54hmfhuk5nogse",
    "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
    }
  }
- Assign the editor role for the my-folder folder to the user. Set the action property to ADD and specify the userAccount type and user ID in the subject property:
  curl -X POST \
    -H 'Content-Type: application/json' \
    -H "Authorization: Bearer <IAM_TOKEN>" \
    -d '{
    "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "gfei8n54hmfhuk5nogse",
                "type": "userAccount"
    }}}]}' \
    https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha0vnvf5g7:updateAccessBindings
Assign multiple roles
In the management console, follow the guide at the beginning of the section and assign the user multiple roles. To assign a role to another user, select that user on the Users and roles page.
In the CLI, the add-access-binding command allows you to add only one role. You can assign multiple roles at once using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites access permissions to the resource. All current resource roles will be deleted.
- Make sure the resource has no roles assigned that you would rather not lose:
  yc resource-manager folder list-access-bindings my-folder
- For example, assign a role to multiple users:
  yc resource-manager folder set-access-bindings my-folder \
    --access-binding role=editor,subject=userAccount:gfei8n54hmfhuk5nogse \
    --access-binding role=viewer,subject=userAccount:helj89sfj80aj24nugsz
In the API, assign the editor role to one user and the viewer role to another user with updateAccessBindings:
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM_TOKEN>" \
-d '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "editor",
"subject": {
"id": "gfei8n54hmfhuk5nogse",
"type": "userAccount"
}
}
},{
"action": "ADD",
"accessBinding": {
"roleId": "viewer",
"subject": {
"id": "helj89sfj80aj24nugsz",
"type": "userAccount"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha0vnvf5g7:updateAccessBindings
You can also assign roles using the setAccessBindings method.
Alert
The setAccessBindings method completely rewrites access permissions to the resource. All current resource roles will be deleted.
curl -X POST \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer <IAM_TOKEN>" \
-d '{
"accessBindings": [{
"roleId": "editor",
"subject": { "id": "ajei8n54hmfhuk5nog0g", "type": "userAccount" }
},{
"roleId": "viewer",
"subject": { "id": "helj89sfj80aj24nugsz", "type": "userAccount" }
}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha0vnvf5g7:setAccessBindings
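The two alerts above describe a replace-versus-merge difference that is easy to get wrong. The following added example (not code from the Yandex Cloud documentation or SDK) models the two semantics over binding lists in the shape returned by `list-access-bindings`: ADD/REMOVE deltas as sent to updateAccessBindings, and the full-list replace of setAccessBindings. The current bindings are a constructed sample; the serviceAccount entry is made up to show a role a bare set would silently delete.

```python
import json

# Constructed sample of the current bindings on my-folder (added example, not from the docs).
CURRENT_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "ajebqtreob2d********", "type": "serviceAccount"}},
]
# The two bindings the section above assigns to two users.
NEW_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "helj89sfj80aj24nugsz", "type": "userAccount"}},
]

def key(b: dict) -> tuple:
    """Identity of a binding: role plus subject type and ID."""
    return (b["roleId"], b["subject"]["type"], b["subject"]["id"])

def add_deltas(bindings: list) -> list:
    """Wrap bindings as ADD deltas for an updateAccessBindings request body."""
    return [{"action": "ADD", "accessBinding": b} for b in bindings]

def apply_deltas(current: list, deltas: list) -> list:
    """updateAccessBindings semantics: existing bindings survive, deltas add or remove."""
    state = {key(b): b for b in current}
    for d in deltas:
        b = d["accessBinding"]
        if d["action"] == "ADD":
            state.setdefault(key(b), b)        # re-adding an existing binding is a no-op
        elif d["action"] == "REMOVE":
            state.pop(key(b), None)
        else:
            raise ValueError(f"unknown action {d['action']!r}")
    return list(state.values())

def lost_by_set(current: list, new: list) -> list:
    """setAccessBindings semantics: every current binding not re-listed is deleted."""
    kept = {key(b) for b in new}
    return [b for b in current if key(b) not in kept]

def safe_set_bindings(current: list, additions: list) -> list:
    """Full list for setAccessBindings that keeps the current roles and adds the new ones."""
    return apply_deltas(current, add_deltas(additions))

if __name__ == "__main__":
    print("dropped by a bare set:", [key(b) for b in lost_by_set(CURRENT_BINDINGS, NEW_BINDINGS)])
    body = {"accessBindings": safe_set_bindings(CURRENT_BINDINGS, NEW_BINDINGS)}
    print(json.dumps(body, indent=2))   # body safe to send to :setAccessBindings
```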
Grant folder access for a service account
In the management console, you can only assign a role for the folder where the service account was created. To assign it a role for another resource, use the CLI or API.
Allow the service account to manage the folder and its resources.
In the management console:
- In the management console, select the appropriate folder.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, click Select subject → Service accounts.
- Select the required service account from the list or use the search.
- Click Add role.
- Select a role in the folder.
- Click Save.
Using the CLI:
- Select a role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Find out the service account ID by its name:
  yc iam service-account get my-robot
  Result:
  id: aje6o61dvog2********
  folder_id: b1gvmob95yys********
  created_at: "2018-10-15T18:01:25Z"
  name: my-robot
  If you don't know the name of the service account, get a list of service accounts with their IDs:
  yc iam service-account list
  Result:
  +----------------------+------------------+-----------------+
  |          ID          |       NAME       |   DESCRIPTION   |
  +----------------------+------------------+-----------------+
  | aje6o61dvog2******** | my-robot         | my description  |
  +----------------------+------------------+-----------------+
- Assign the viewer role to the my-robot service account using its ID:
  yc resource-manager folder add-access-binding my-folder \
    --role viewer \
    --subject serviceAccount:aje6o61dvog2********
To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:
- Select a role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.
- Get the ID of the folder the service account belongs to.
- Get an IAM token required for authorization in the Yandex Cloud API.
- Get a list of the folder's service accounts to find out their IDs:
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaATEVAgA...
  curl -H "Authorization: Bearer ${IAM_TOKEN}" \
    "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
  Result:
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2d********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "my-robot",
        "description": "my description"
      }
    ]
  }
- Create the request body, for example, in the body.json file. Set the action property to ADD and the roleId property to the appropriate role, such as editor, and specify the serviceAccount type and the service account ID in the subject property:
  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "editor",
        "subject": {
          "id": "ajebqtreob2d********",
          "type": "serviceAccount"
        }
      }
    }]
  }
- Assign the role to the service account. For example, for a folder with the b1gvmob95yys******** ID:
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
Allow access to resources for all users
You can grant public access to a resource. To do this, assign a role to the allAuthenticatedUsers or allUsers system group.
You can assign any role to a system group, except resource-manager.clouds.owner and resource-manager.clouds.member.
Alert
Do not assign a system group the editor or admin role for a folder or cloud. Otherwise, anyone who knows the folder ID can use Yandex Cloud at your expense.
For example, allow any authenticated user to view folder information.
In the management console:
- In the management console, go to the appropriate folder.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select Public.
- Select the All authenticated users group.
- Click Add role.
- Select the resource-manager.viewer role.
- Click Save.
Using the CLI. If you do not have the Yandex Cloud command line interface yet, install and initialize it.
Assign the viewer role for the my-folder folder. Set the subject type to system and its ID to allAuthenticatedUsers:
yc resource-manager folder add-access-binding my-folder \
  --role viewer \
  --subject system:allAuthenticatedUsers
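A check that enforces the alert above before a binding is written, added here as an example (not code from the Yandex Cloud documentation): it audits a folder's existing bindings in the shape returned by `list-access-bindings`, and vets an updateAccessBindings request body such as the body.json used in this section. The sample binding list is constructed.

```python
# Added example, not from the Yandex Cloud docs: pre-flight checks for public access bindings.
SYSTEM_GROUPS = {"allUsers", "allAuthenticatedUsers"}
DANGEROUS_PUBLIC_ROLES = {"editor", "admin"}          # the alert: never for a system group
UNASSIGNABLE_PUBLIC_ROLES = {"resource-manager.clouds.owner", "resource-manager.clouds.member"}

def is_system_group(subject: dict) -> bool:
    return subject.get("type") == "system" and subject.get("id") in SYSTEM_GROUPS

def classify(role_id: str) -> str:
    """Verdict for granting role_id to a system group: ok, danger, or invalid."""
    if role_id in UNASSIGNABLE_PUBLIC_ROLES:
        return "invalid"
    if role_id in DANGEROUS_PUBLIC_ROLES:
        return "danger"
    return "ok"

def audit_public_access(bindings: list) -> list:
    """Audit existing bindings (list-access-bindings / listAccessBindings shape)."""
    return [(b["subject"]["id"], b["roleId"], classify(b["roleId"]))
            for b in bindings if is_system_group(b["subject"])]

def check_delta_body(body: dict) -> list:
    """Vet an updateAccessBindings body before sending; returns the ADD deltas to refuse."""
    bad = []
    for d in body.get("accessBindingDeltas", []):
        b = d["accessBinding"]
        if d["action"] == "ADD" and is_system_group(b["subject"]) and classify(b["roleId"]) != "ok":
            bad.append((b["subject"]["id"], b["roleId"], classify(b["roleId"])))
    return bad

# The body.json from this guide (viewer for allAuthenticatedUsers) passes the check.
GUIDE_BODY = {"accessBindingDeltas": [{"action": "ADD", "accessBinding": {
    "roleId": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}}}]}

# Constructed sample of a folder's current bindings, including one public editor binding.
SAMPLE_BINDINGS = [
    {"roleId": "viewer", "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
    {"roleId": "editor", "subject": {"id": "allUsers", "type": "system"}},
    {"roleId": "admin", "subject": {"id": "gfei8n54hmfhuk5nogse", "type": "userAccount"}},
]

if __name__ == "__main__":
    for group, role, verdict in audit_public_access(SAMPLE_BINDINGS):
        print(f"system:{group} holds {role}: {verdict}")
    print("guide body problems:", check_delta_body(GUIDE_BODY))
```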
If you don't have Terraform, install it and configure the Yandex Cloud provider.
Alert
Do not create this resource together with the yandex_resourcemanager_folder_iam_policy resource. They will conflict with each other.
To assign a role to a folder created using Terraform:
- Describe the parameters of the folder role in a configuration file:
  - folder_id: ID of the folder to grant permissions for. This is a required parameter.
  - role: Role being assigned. This is a required parameter.
    Note
    For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.
  - member: User to assign the role to. To add all users, create an entry in the format system:<allUsers|allAuthenticatedUsers>, where <allUsers|allAuthenticatedUsers> is one of the system groups. This is a required parameter.
  Here is an example of the configuration file structure:
  ...
  data "yandex_resourcemanager_folder" "project1" {
    folder_id = "<folder_ID>"
  }

  resource "yandex_resourcemanager_folder_iam_member" "viewer" {
    folder_id = data.yandex_resourcemanager_folder.project1.id
    role      = "viewer"
    member    = "system:allUsers"
  }
  ...
  For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the provider documentation.
- Check the configuration using this command:
  terraform validate
  If the configuration is correct, you will get this message:
  Success! The configuration is valid.
- Run this command:
  terraform plan
  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  terraform apply
- Confirm the changes: type yes into the terminal and press Enter.
  You can check the folder update using the management console or this CLI command:
  yc resource-manager folder list-access-bindings <folder_name_or_ID>
In the API:
- Create a request body, for example, in the body.json file. In roleId, set the viewer role. In the subject property, specify the system type and the allAuthenticatedUsers ID:
  body.json:
  {
    "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
        "roleId": "viewer",
        "subject": {
          "id": "allAuthenticatedUsers",
          "type": "system"
        }
      }
    }]
  }
- Assign the role. For example, for a folder with the b1gvmob95yys******** ID:
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer ${IAM_TOKEN}" \
    -d '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"