Contact UsGet started

Viewing assigned roles

Written by
Updated at November 14, 2024

To view the permissions granted to an account for a resource, retrieve the list of roles assigned for the resource and its parent resources. Assigned roles will be inherited by child resources from their parent resources. For example, if you want to find out what permissions an account has for the folder, look at the roles:

  1. For that folder.
  2. For the cloud that the folder belongs to.
  3. For the organization that the cloud belongs to.

You can view a list of inherited roles for the folder or the cloud in the management console, in the Access bindings section of the folder or cloud.

Learn which resources you can assign a role for.

To view assigned roles:

To view the roles of a user with a Yandex account, federated user, or service account for a cloud:

  1. On the left-hand panel, select a cloud.
  2. Click the Access bindings tab.
  3. Find the required user in the list. Assigned roles are specified in the Roles column.

To view the roles of a service account for a folder and its child resources:

  1. In the management console, navigate to the folder the service account belongs to.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts.
  4. The service account roles are listed in the Roles in folder field.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

  1. Get your account ID:

    1. Guide for service accounts.
    2. Guide for users with a Yandex account and federated users.

  2. Get the resource ID or name.

  3. View the roles assigned for a resource:

    yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>

    Where:

    • <service_name>: Name of the service the resource belongs to, e.g., resource-manager.
    • <resource_category>: Resource category, e.g., folder.
    • <resource_name_or_ID>: Resource name or ID. You can specify a resource by its name or ID.

    For example, you can view the roles and the assignees for the default folder:

    yc resource-manager folder list-access-bindings default

    Result:

    +---------------------+----------------+----------------------+
|       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
+---------------------+----------------+----------------------+
| editor              | serviceAccount | ajepg0mjas06******** |
| viewer              | userAccount    | aje6o61dvog2******** |
+---------------------+----------------+----------------------+

    In the server response, find all the rows where the subject contains the account ID and the All users and All authenticated users public groups are specified as the subject.

  4. Repeat the previous two steps for all the parent resources.

  1. Get your account ID:

    1. Guide for service accounts.
    2. Guide for users with a Yandex account and federated users.

  2. Get the resource ID or name.

  3. View the roles and assignees for the resource using the listAccessBindings REST API method. For example, to view the roles for the b1gvmob95yys******** folder:

    export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaATEVAgA...
curl \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"

    Result:

    {
  "accessBindings": [
  {
    "subject": {
      "id": "ajei8n54hmfh********",
      "type": "userAccount"
    },
    "roleId": "editor"
  }
  ]
}

    In the server response, find all the rows where the subject contains the account ID and the All users and All authenticated users public groups are specified as the subject.

  4. Repeat the previous two steps for all the parent resources.

See also

Previous
Assigning roles
Next
Revoking a role