Yandex project
© 2025 Yandex.Cloud LLC

Service access to user resources

Written by
Yandex Cloud
Updated at May 5, 2025

Note

This feature is at the Preview stage.

Yandex Cloud comprises multiple services. Some of these services may need access to various resources in a user cloud to perform certain tasks. For example, to manage DB connections, Yandex Connection Manager requires permissions to create and manage Yandex Lockbox secrets in a user cloud.

Yandex Identity and Access Management allows you to manage service access to resources in a user cloud by enabling or disabling the relevant services.

Service control is the full set of access permissions needed to create and operate the service's resources in the user's cloud. These permissions are assigned to special service accounts, called service agents, which the service uses to access user resources in a cloud.

Service status

Yandex Cloud services may have one of the following statuses:

  • DEFAULT: Default status.

    The service has no service agents. However, if you try to run an operation that requires access to other resources in a user cloud (e.g., create a connection in Yandex Connection Manager), the service agents will be automatically created and the service status will change to ENABLED.

  • ENABLED: Service enabled. Its service agents have been created, and the service has access to resources in a user cloud.

    When the status of a service in a cloud changes to ENABLED, its service agents are created automatically. Such service agents have the required permissions to manage user resources in that cloud.

  • DISABLED: Service disabled. It has no service agents and no access to resources in a user cloud.

    When a service in a cloud changes its status to DISABLED, its service agents are automatically deleted.
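
The three statuses support a least-privilege check: a service left in DEFAULT gains service agents on first use, while DISABLED has no agents and no access. The following added example (not part of the Yandex Cloud documentation) audits a constructed status inventory against an approved list; the record shape, the `audit` function and the severity labels are assumptions.

```python
import json

# Managed service IDs listed on this page.
MANAGED = {"disk-encryption", "datasphere", "connection-manager", "dspm", "websql"}

# Constructed sample inventory; the record shape (service_id/status) is an
# assumption for this example, not the documented CLI or API output.
SAMPLE = json.loads("""[
  {"service_id": "connection-manager", "status": "ENABLED"},
  {"service_id": "websql", "status": "ENABLED"},
  {"service_id": "datasphere", "status": "DEFAULT"},
  {"service_id": "dspm", "status": "DISABLED"},
  {"service_id": "disk-encryption", "status": "DISABLED"}
]""")


def audit(inventory, approved):
    """Return (service_id, severity, message) findings for one cloud."""
    findings = []
    seen = set()
    for rec in inventory:
        sid, status = rec["service_id"], rec["status"]
        seen.add(sid)
        ok = sid in approved
        if status == "ENABLED" and not ok:
            findings.append((sid, "high", "service agents exist for an unapproved service"))
        elif status == "DEFAULT" and not ok:
            # DEFAULT is latent access: the first operation that needs other
            # resources creates the agents and flips the status to ENABLED.
            findings.append((sid, "medium", "no agents yet, but first use will create them"))
        elif status == "DISABLED" and ok:
            findings.append((sid, "info", "approved service is disabled; its resources cannot access other resources"))
        elif status not in ("DEFAULT", "ENABLED", "DISABLED"):
            findings.append((sid, "high", f"unknown status {status!r}"))
    # A managed service absent from the inventory cannot be assumed disabled.
    for sid in sorted(MANAGED - seen):
        findings.append((sid, "medium", "missing from inventory; status unverified"))
    return findings


if __name__ == "__main__":
    for sid, sev, msg in audit(SAMPLE, approved={"connection-manager", "disk-encryption"}):
        print(f"{sev:6} {sid:20} {msg}")
```
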

Service agents

Service agents are dedicated system service accounts which belong to specific services in a user cloud and provide such services with access to resources in that cloud. The number of service agents and the exact access permissions granted to them depend on the service they belong to.

Note

Currently, you cannot view or change the roles granted to service agents by default. You will be able to do this going forward.

Service agents are created in a dedicated system folder in a user cloud. That folder is managed by the system, and no user can access it even if they have the administrator or cloud owner role.

A service agent has permissions to manage resources only in the cloud where it was created.

The user cannot directly create, delete, or assign roles to service agents. All the required service agents with the appropriate access permissions are automatically created when you enable a service and get deleted when you disable it. When a service is re-enabled, it gets new service agents with new IDs.

If a service has resources with access to other resources in the user cloud, you cannot disable this service. To disable such a service, first delete all the service resources that have access to other resources in this user cloud.

If you disable a service in a user cloud, this service will still be running, but its resources will not be able to access other resources in that cloud.

What services can I manage in terms of access?

Currently you can manage the following services in terms of access:

| Service | ID |
|---|---|
| Yandex Compute Cloud: Disk encryption | disk-encryption |
| Yandex DataSphere | datasphere |
| Yandex MetaData Hub: Connection Manager | connection-manager |
| Yandex Security Deck: Data Security Posture Management (DSPM) | dspm |
| Yandex WebSQL | websql |

Moving forward, cloud administrators will be able to manage access for all the services that require permissions for actions with resources in Yandex Cloud. With the CLI, you can get an up-to-date list of services whose access you can manage.

Service access to resources can be managed by users with the admin or owner roles for the cloud.

See also

  • Getting the status of services
  • Enabling and disabling a service
