Viewing assigned roles
To view the permissions granted to an account for a resource, retrieve the list of roles assigned for the resource and its parent resources. Assigned roles will be inherited by child resources from their parent resources. For example, if you want to find out what permissions an account has for the folder, look at the roles:
- For that folder.
- For the cloud that the folder belongs to.
- For the organization that the cloud belongs to.
You can view a list of inherited roles for the folder or the cloud in the management console, in the Access bindings section of the folder or cloud.
Learn which resources you can assign a role for.
To view assigned roles:
To view the roles of a user with a Yandex account, federated user, or service account for a cloud:
- On the left-hand panel, select a cloud.
- Click the Access bindings tab.
- Find the required user in the list. Assigned roles are specified in the Roles column.
To view the roles of a service account for a folder and its child resources:
- In the management console
, navigate to the folder the service account belongs to. - At the top of the screen, go to the Service accounts tab.
- The service account's roles are listed in the Roles in folder column.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
Get your account ID:
-
Get the resource ID or name.
-
View the roles assigned for a resource:
yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>
Where:
<service_name>
: Name of the service the resource belongs to, e.g.,resource-manager
.<resource_category>
: Resource category, e.g.,folder
.<resource_name_or_ID>
: Resource name or ID. You can specify a resource by its name or ID.
For example, you can view the roles and the assignees for the
default
folder:yc resource-manager folder list-access-bindings default
Result:
+---------------------+----------------+----------------------+ | ROLE ID | SUBJECT TYPE | SUBJECT ID | +---------------------+----------------+----------------------+ | editor | serviceAccount | ajepg0mjas06******** | | viewer | userAccount | aje6o61dvog2******** | +---------------------+----------------+----------------------+
In the server response, find all the rows where the subject contains the account ID, as well as those where the subject is the
All users
orAll authenticated users
public groups. -
Repeat the previous two steps for all the parent resources.
-
Get your account ID:
-
Get the resource ID or name.
-
View the roles and assignees for the resource using the
listAccessBindings
REST API method. For example, to view the roles for theb1gvmob95yys********
folder:export FOLDER_ID=b1gvmob95yys******** export IAM_TOKEN=CggaATEVAgA... curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
Result:
{ "accessBindings": [ { "subject": { "id": "ajei8n54hmfh********", "type": "userAccount" }, "roleId": "editor" } ] }
In the server response, find all the rows where the subject contains the account ID, as well as those where the subject is the
All users
orAll authenticated users
public groups. -
Repeat the previous two steps for all the parent resources.