Assigning roles
To grant access to a resource, assign a role for it. You can assign a role to:
You can assign a role not only for the resource itself but also for its parent resource, as the former inherits access permissions from the latter. For example, if a service account gets a role for a cloud, it will also get permissions for all resources across the cloud's folders. For more information, see How access management works in Yandex Cloud.
Learn which resources you can assign a role for.
To select roles, look them up in the role reference.
Assigning a role for a cloud
Management console
- In the management console, select the cloud or folder.
- Go to the Access bindings tab.
- Click Configure access.
- Select the group, user, or service account you want to grant access to the cloud or folder.
- Click Add role and select the required roles.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign a role for a cloud or folder:
- See the description of the CLI role assignment command:
  yc resource-manager <cloud_or_folder> add-access-binding --help
  Specify cloud for a cloud or folder for a folder.
- Get a list of available clouds or folders with their IDs:
  yc resource-manager <cloud_or_folder> list
- Get the ID of the user, service account, user group, organization, or identity federation to which (or to the users of which) you are assigning a role.
- Use one of these commands to assign a role:
  - To a Yandex account user:
    yc resource-manager <cloud_or_folder> add-access-binding \
      --id <cloud_or_folder_ID> \
      --role <role> \
      --user-account-id <user_ID>
  - To a federated user:
    yc resource-manager <cloud_or_folder> add-access-binding \
      --id <cloud_or_folder_ID> \
      --role <role> \
      --subject federatedUser:<user_ID>
  - To a service account:
    yc resource-manager <cloud_or_folder> add-access-binding \
      --id <cloud_or_folder_ID> \
      --role <role> \
      --service-account-id <service_account_ID>
  - To a user group:
    yc resource-manager <cloud_or_folder> add-access-binding \
      --id <cloud_or_folder_ID> \
      --role <role> \
      --subject group:<group_ID>
  - To all users of an organization:
    yc resource-manager <cloud_or_folder> add-access-binding \
      --id <cloud_or_folder_ID> \
      --role <role> \
      --organization-users <organization_ID>
  - To all users of an identity federation:
    yc resource-manager <cloud_or_folder> add-access-binding \
      --id <cloud_or_folder_ID> \
      --role <role> \
      --federation-users <federation_ID>
API
To assign a role for a cloud, use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.
To assign a role for a folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.
Provide the following in the request:
- The ADD value in the accessBindingDeltas[].action parameter to add a role.
- The role in the accessBindingDeltas[].accessBinding.roleId parameter.
- The ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
- The type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.
Assigning a role for an organization
To grant access permissions for an organization, you need the organization-manager.admin role or higher. To learn more about the role hierarchy, see the Yandex Cloud Organization documentation.
Management console
To assign a role for an organization:
- Log in to Yandex Cloud Organization using an administrator or organization owner account.
- In the left-hand panel, select Access bindings.
- If the user, service account, or user group you need already has at least one role assigned, click the icon in the row with that user, service account, or group and select Assign bindings. If the user, service account, or user group is not on the list, click Assign bindings in the top-right corner. In the window that opens, select the user, service account, or group from the list. If required, use the search bar.
- Click Add role and select the role to assign. You can assign multiple roles. You can find the description of the available roles in the Yandex Cloud role reference.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign a role for an organization:
- See the description of the CLI role assignment command:
  yc organization-manager organization add-access-binding --help
- Get a list of available organizations with their IDs:
  yc organization-manager organization list
- Get the ID of the user, service account, user group, organization, or identity federation to which (or to the users of which) you are assigning a role.
- Use one of these commands to assign a role:
  - To a Yandex account user:
    yc organization-manager organization add-access-binding \
      --id <organization_ID> \
      --role <role> \
      --user-account-id <user_ID>
  - To a federated user:
    yc organization-manager organization add-access-binding \
      --id <organization_ID> \
      --role <role> \
      --subject federatedUser:<user_ID>
  - To a service account:
    yc organization-manager organization add-access-binding \
      --id <organization_ID> \
      --role <role> \
      --service-account-id <service_account_ID>
  - To all users of an organization:
    yc organization-manager organization add-access-binding \
      --id <organization_ID> \
      --role <role> \
      --organization-users <organization_ID>
  - To all users of an identity federation:
    yc organization-manager organization add-access-binding \
      --id <organization_ID> \
      --role <role> \
      --federation-users <federation_ID>
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To assign a role for an organization:
- Get the ID of the user, service account, or user group you are assigning a role to.
- Describe the resource with the role for the organization in the configuration file. Here is an example of the configuration file structure:
  resource "yandex_organizationmanager_organization_iam_binding" "<resource_name>" {
    organization_id = "<organization_ID>"
    role            = "<role>"
    members         = [<users>]
  }
  Where:
  - organization_id: Organization ID. This is a required parameter.
  - role: Role you want to assign. For each role, you can only use one yandex_organizationmanager_organization_iam_binding resource. This is a required parameter.
  - members: Users getting the role. Specify the following:
    - members = ["userAccount:<user_ID>"]: For a user with a Yandex account.
    - members = ["federatedUser:<user_ID>"]: For a federated user.
    - members = ["serviceAccount:<service_account_ID>"]: For a service account.
    - members = ["group:<group_ID>"]: For a user group.
    - members = ["system:group:organization:<organization_ID>:users"]: For all organization users.
    - members = ["system:group:federation:<federation_ID>:users"]: For all identity federation users.
  For more information, see the provider documentation.
- Make sure the settings are correct.
  - Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.
  - Run the command:
    terraform validate
    If there are errors in the configuration files, Terraform will point to them.
- Assign the role.
  - Run the command to view planned changes:
    terraform plan
    If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.
  - If you are happy with the planned changes, apply them:
    - Run the command:
      terraform apply
    - Confirm the update of resources.
    - Wait for the operation to complete.
  This will create the necessary resources in the organization. You can check the new resources using the management console or this CLI command:
  yc organization-manager organization list-access-bindings <organization_name_or_ID>
API
To assign a role for the organization, use the updateAccessBindings REST API method for the Organization resource or the OrganizationService/UpdateAccessBindings gRPC API call and provide the following in the request:
- The ADD value in the accessBindingDeltas[].action parameter to add a role.
- The role in the accessBindingDeltas[].accessBinding.roleId parameter.
- The ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
- The type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.
Assigning a role for a resource
You can assign a role not only for an organization, cloud, or folder but also for their child resources. These are listed in List of resources you can assign roles for.
Management console
To assign a role for a resource:
- In the management console, select the folder the resource resides in.
- Open the resource's page.
- Go to Access bindings and click Assign bindings.
- Select the group, user, or service account you want to grant access to the resource.
- Click Add role and select the required roles.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign a role for a resource:
- See the description of the CLI role assignment command:
  yc <service_name> <resource> add-access-binding --help
  Example for a Yandex Compute Cloud VM:
  yc compute instance add-access-binding --help
- Get a list of resources with their IDs:
  yc <service_name> <resource> list
- Get the ID of the user, service account, user group, organization, or identity federation to which (or to the users of which) you are assigning a role.
- Use one of these commands to assign a role:
  - To a Yandex account user:
    yc <service_name> <resource> add-access-binding \
      --id <resource_ID> \
      --role <role> \
      --user-account-id <user_ID>
  - To a federated user:
    yc <service_name> <resource> add-access-binding \
      --id <resource_ID> \
      --role <role> \
      --subject federatedUser:<user_ID>
  - To a service account:
    yc <service_name> <resource> add-access-binding \
      --id <resource_ID> \
      --role <role> \
      --service-account-id <service_account_ID>
  - To a user group:
    yc <service_name> <resource> add-access-binding \
      --id <resource_ID> \
      --role <role> \
      --subject group:<group_ID>
  - To all users of an organization:
    yc <service_name> <resource> add-access-binding \
      --id <resource_ID> \
      --role <role> \
      --organization-users <organization_ID>
  - To all users of an identity federation:
    yc <service_name> <resource> add-access-binding \
      --id <resource_ID> \
      --role <role> \
      --federation-users <federation_ID>
API
To assign a role for a resource, use the updateAccessBindings REST API method or gRPC API call for the resource and provide the following in the request:
- The ADD value in the accessBindingDeltas[].action parameter to add a role.
- The role in the accessBindingDeltas[].accessBinding.roleId parameter.
- The ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
- The type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.
Assigning multiple roles
Management console
- In the management console, select the folder the resource resides in.
- Open the resource's page.
- Go to Access bindings and click Assign bindings.
- Select the group, user, or service account you want to grant access to the resource.
- Click Add role and select the required roles.
- Click Save.
CLI
Alert
The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
To assign multiple roles for a resource:
- Make sure the resource has no roles assigned that you would not want to lose:
  yc <service_name> <resource> list-access-bindings \
    --id <resource_ID>
  Example for a Yandex Compute Cloud VM:
  yc compute instance list-access-bindings \
    --id <VM_ID>
- See the description of the CLI role assignment command:
  yc <service_name> <resource> set-access-bindings --help
- Get a list of resources with their IDs:
  yc <service_name> <resource> list
- Get the ID of the user, service account, user group, organization, or identity federation to which (or to the users of which) you are assigning a role.
- Use one of the commands below to assign roles:
  - To a Yandex account user:
    yc <service_name> <resource> set-access-bindings \
      --id <resource_ID> \
      --access-binding role=<role>,user-account-id=<user_ID>
  - To a federated user:
    yc <service_name> <resource> set-access-bindings \
      --id <resource_ID> \
      --access-binding role=<role>,subject=federatedUser:<user_ID>
  - To a service account:
    yc <service_name> <resource> set-access-bindings \
      --id <resource_ID> \
      --access-binding role=<role>,service-account-id=<service_account_ID>
  - To a user group:
    yc <service_name> <resource> set-access-bindings \
      --id <resource_ID> \
      --access-binding role=<role>,subject=group:<group_ID>
  - To all users of an organization:
    yc <service_name> <resource> set-access-bindings \
      --id <resource_ID> \
      --access-binding role=<role>,subject=system:group:organization:<organization_ID>:users
  - To all users of an identity federation:
    yc <service_name> <resource> set-access-bindings \
      --id <resource_ID> \
      --access-binding role=<role>,subject=system:group:federation:<federation_ID>:users
  Provide a separate --access-binding flag for each role. Example:
  yc <service_name> <resource> set-access-bindings \
    --id <resource_ID> \
    --access-binding role=<role_1>,service-account-id=<service_account_ID> \
    --access-binding role=<role_2>,service-account-id=<service_account_ID> \
    --access-binding role=<role_3>,service-account-id=<service_account_ID>
API
Alert
The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
To assign multiple roles for a resource, use the setAccessBindings REST API method or gRPC API call for the resource. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:
- The role in the accessBindings[].roleId parameter.
- The ID of the subject getting the roles in the accessBindings[].subject.id parameter.
- The type of the subject getting the roles in the accessBindings[].subject.type parameter.
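The request bodies described in the API sections above, as an added Python example that is not part of the Yandex Cloud documentation or SDK: it builds the accessBindingDeltas body for updateAccessBindings and the accessBindings body for setAccessBindings, carrying the resource's current bindings into the latter so the replace-everything behaviour the alert warns about does not silently drop them. The mapping of the page's `<type>:<id>` subject form onto subject.type and subject.id (a split at the first colon, so the system:group:... subjects keep their full id), the role names viewer and editor, and every ID are assumptions or constructed placeholders; sending the request is left to the caller.

```python
import json

# Subject kinds named on this page, in the "<type>:<id>" form used by the
# CLI --subject flag and the Terraform members list.
KNOWN_TYPES = {"userAccount", "federatedUser", "serviceAccount", "group", "system"}


def parse_member(member: str) -> dict:
    """Split '<type>:<id>' into the subject object the API expects.
    Splitting at the first colon is an assumed mapping; it keeps ids such as
    'group:organization:<org_id>:users' intact under type 'system'."""
    subject_type, _, subject_id = member.partition(":")
    if subject_type not in KNOWN_TYPES or not subject_id:
        raise ValueError(f"unrecognised subject: {member!r}")
    return {"type": subject_type, "id": subject_id}


def binding(role_id: str, member: str) -> dict:
    return {"roleId": role_id, "subject": parse_member(member)}


def update_request(additions: list[tuple[str, str]]) -> dict:
    """Body for updateAccessBindings: one ADD delta per (role, member)."""
    return {"accessBindingDeltas": [
        {"action": "ADD", "accessBinding": binding(role, member)}
        for role, member in additions]}


def set_request(current: list[dict], additions: list[tuple[str, str]]) -> dict:
    """Body for setAccessBindings. The call replaces every binding on the
    resource, so the current bindings (as listed by list-access-bindings)
    are carried over and only bindings not already present are appended."""
    merged = list(current)
    for role, member in additions:
        new = binding(role, member)
        if new not in merged:
            merged.append(new)
    return {"accessBindings": merged}


# Constructed sample data: one binding already on the resource and two
# requested additions, one of which duplicates the existing binding.
CURRENT = [{"roleId": "viewer",
            "subject": {"type": "userAccount", "id": "user-placeholder-1"}}]
ADDITIONS = [("editor", "serviceAccount:sa-placeholder-1"),
             ("viewer", "userAccount:user-placeholder-1")]

if __name__ == "__main__":
    print(json.dumps(update_request(ADDITIONS), indent=2))
    print(json.dumps(set_request(CURRENT, ADDITIONS), indent=2))
```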