Viewing assigned roles

Written by

Updated at September 20, 2024

To view the permissions granted to an account for a resource, retrieve the list of roles assigned for the resource and its parent resources. Assigned roles will be inherited by child resources from their parent resources. For example, if you want to find out what permissions an account has for the folder, look at the roles:

For that folder.
For the cloud that the folder belongs to.
For the organization that the cloud belongs to.

You can view a list of inherited roles for the folder or the cloud in the management console, in the Access bindings section of the folder or cloud.

Learn which resources you can assign a role for.

To view assigned roles:

Management console

CLI

API

To view the roles of a user with a Yandex account, federated user, or service account for a cloud:

On the left-hand panel, select a cloud.
Click the Access bindings tab.
Find the required user in the list. Assigned roles are specified in the Roles column.

To view the roles of a service account for a folder and its child resources:

In the management console, navigate to the folder the service account belongs to.
At the top of the screen, go to the Service accounts tab.
The service account's roles are listed in the Roles in folder column.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

Get your account ID:
1. Guide for service accounts.
2. Guide for users with a Yandex account and federated users.
Get the resource ID or name.
View the roles assigned for a resource:
```
yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>
```
Where:
- <service_name>: Name of the service the resource belongs to, e.g., resource-manager.
- <resource_category>: Resource category, e.g., folder.
- <resource_name_or_ID>: Resource name or ID. You can specify a resource by its name or ID.
For example, you can view the roles and the assignees for the default folder:
```
yc resource-manager folder list-access-bindings default
```
Result:
```
+---------------------+----------------+----------------------+
|       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
+---------------------+----------------+----------------------+
| editor              | serviceAccount | ajepg0mjas06******** |
| viewer              | userAccount    | aje6o61dvog2******** |
+---------------------+----------------+----------------------+
```
In the server response, find all the rows where the subject contains the account ID, as well as those where the subject is the All users or All authenticated users public groups.
Repeat the previous two steps for all the parent resources.

Get your account ID:
1. Guide for service accounts.
2. Guide for users with a Yandex account and federated users.
Get the resource ID or name.

View the roles and assignees for the resource using the listAccessBindings REST API method. For example, to view the roles for the b1gvmob95yys******** folder:

export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaATEVAgA...
curl -H "Authorization: Bearer ${IAM_TOKEN}" "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"

Result:

{
  "accessBindings": [
  {
    "subject": {
      "id": "ajei8n54hmfh********",
      "type": "userAccount"
    },
    "roleId": "editor"
  }
  ]
}

In the server response, find all the rows where the subject contains the account ID, as well as those where the subject is the All users or All authenticated users public groups.

Repeat the previous two steps for all the parent resources.

Viewing assigned roles

See also

Was the article helpful?

Viewing assigned roles

See alsoSee also

Was the article helpful?

See also