Yandex Cloud
Search
Contact UsGet started
  • Blog
  • Pricing
  • Documentation
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • ML & AI
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Customer Stories
    • Gateway to Russia
    • Cloud for Startups
    • Education and Science
  • Blog
  • Pricing
  • Documentation
Yandex project
© 2025 Yandex.Cloud LLC
Yandex Identity and Access Management
  • Secure use of Yandex Cloud
  • Access management
  • Pricing policy
  • Role reference
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes

In this article:

  • Do not grant unnecessary access rights
  • Protect your Yandex account
  • Use service accounts

Secure use of Yandex Cloud

Written by
Yandex Cloud
Updated at January 28, 2025
  • Do not grant unnecessary access rights
  • Protect your Yandex account
  • Use service accounts

This section provides recommendations on how to make the best use of IAM for secure work with Yandex Cloud services.

Do not grant unnecessary access rightsDo not grant unnecessary access rights

For critical resources:

  • Assign the minimum required roles. For example, to allow creating VMs from images in Compute Cloud, assign the compute.images.user role rather than editor or higher.

  • Try assigning service roles rather than primitive ones (viewer, editor, or admin). Primitive roles apply to resources in any service Yandex Cloud.

    Use primitive roles if there is no suitable service role or you want to confer broad authority on a user.

  • Assign only roles you need right now. Do not assign roles you may only need in the future.

  • Note that when you assign a role for a folder, cloud, or organization, all the nested resources will inherit this role's permissions.

  • Assign the administrator or cloud owner roles only to people responsible for managing the access to resources in your project.

    An administrator can take away another administrator's access permissions, and an owner can revoke a role from another owner. These roles also include all the editor permissions, thus allowing to create, edit, and delete resources.

Protect your Yandex accountProtect your Yandex account

  • To better safeguard your resources from unauthorized access, enable Yandex ID two-factor authentication. Also, request users you add to your organization to enable it.

  • Keep your OAuth token a secret, since it can be used to get an IAM token and perform operations in the cloud on behalf of you.

    If someone might have discovered your OAuth token, invalidate it and issue a new one.

  • Avoid using your OAuth token for authentication if you can use an IAM token. OAuth tokens are valid for 1 year while IAM tokens are valid for 12 hours. If your token is compromised, the hacker has limited time to use it.

Use service accountsUse service accounts

Automate your Yandex Cloud operations using service accounts and follow these recommendations:

  • Control access to your service accounts. The editor role for a service account allows the user to perform operations that service account is authorized to perform. If the service account is the cloud administrator, the user can use it to make themselves an administrator.

  • Create separate service accounts for different tasks. This will allow you to give them only the roles they really need. You can revoke roles from a service account or delete it without affecting other service accounts.

  • Name your service accounts according to their intended purposes and permissions.

  • Keep your service account keys secret: they can be used to perform operations under your service account. Do not keep your service account keys in the source code.

    Revoke old keys and issue new ones every now and then. Be sure to do this if you think someone has learned your secret key.

  • Do not use your keys for authentication if you can use IAM tokens. Keys have an unlimited lifetime, while IAM tokens are valid for 12 hours.

  • If you perform operations from inside a VM, link a service account to it. Thus you will no longer need to store your service account keys on the VM for authentication: your IAM token will be available by a metadata service link.

Was the article helpful?

Previous
Quotas and limits
Next
Access management
Yandex project
© 2025 Yandex.Cloud LLC