Revoke a role for a resource

Written by

Updated at November 7, 2024

If you want to prevent a subject from accessing a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information, see How access management works in Yandex Cloud.

Revoking a role

Management console

CLI

Terraform

API

To revoke a role in the folder and its child resources:
1. On the start page of the management console, select the folder.
2. Go to the Access bindings tab.
3. Select a user from the list and click next to the username.
4. Click Edit roles.
5. Click next to the role you wish to revoke.
6. Click Save.
To revoke a role in the cloud:
1. On the start page of the management console, select the cloud.
2. Go to the Access bindings tab.
3. Select a user from the list and click next to the username.
4. Click Edit roles.
5. Click next to the role you wish to revoke.
6. Click Save.
To revoke all the folder or cloud roles at once:
1. On the management console home page, select a folder or a cloud.
2. Go to the Access bindings tab.
3. Select a user from the list and click next to the username.
4. If you want to revoke all of the user's roles in the cloud, click Remove bindings and confirm the revocation.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

To revoke a role from a subject, delete access permissions for the appropriate resource:

View the roles assigned for a resource:

yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>

Where:

<service_name>: Name of the service the resource belongs to, e.g., resource-manager.
<resource_category>: Resource category, e.g., folder.
<resource_name_or_ID>: Resource name or ID. You can specify a resource by its name or ID.

For example, you can view the roles and the assignees for the default folder:

yc resource-manager folder list-access-bindings default

Result:

+---------------------+----------------+----------------------+
|       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
+---------------------+----------------+----------------------+
| editor              | serviceAccount | ajepg0mjas06******** |
| viewer              | userAccount    | aje6o61dvog2******** |
+---------------------+----------------+----------------------+

To delete access permissions, run this command:
```
yc <service_name> <resource_category> remove-access-binding <resource_name_or_ID> \
    --role <role_ID> \
    --subject <subject_type>:<subject_ID>
```
Where:
- --role: ID of the role to revoke, e.g., resource-manager.clouds.owner.
- <subject_type>: Subject type to revoke a role from.
- <subject_ID>: Subject ID.

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To revoke a resource role from a subject, find the resource description in the configuration file:

resource "yandex_resourcemanager_cloud_iam_binding" "admin" {
    cloud_id    = "<cloud_ID>"
    role        = "<role>"
    members     = [
    "serviceAccount:<service_account_ID>",
    "userAccount:<user_ID>",
    ]
}

Delete the record with information about the subject whose permissions you need to revoke from the members list of users.

For more information about the yandex_resourcemanager_cloud_iam_binding resource parameters, see the provider documentation.
Make sure the configuration files are correct.
1. In the command line, go to the folder where you created the configuration file.
2. Run a check using this command:
```
terraform plan
```
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
Deploy cloud resources.
1. If the configuration does not contain any errors, run this command:
```
terraform apply
```
2. Confirm creating the resources: type yes in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console or this CLI command:
```
yc resource-manager cloud list-access-bindings <cloud_name_or_ID>
```

To revoke a resource role from a subject, delete the relevant access permissions:

View the roles and assignees for the resource using the listAccessBindings REST API method. For example, to view the roles for the b1gvmob95yys******** folder:

export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaATEVAgA...
curl \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"

Result:

{
  "accessBindings": [
  {
    "subject": {
      "id": "ajei8n54hmfh********",
      "type": "userAccount"
    },
    "roleId": "editor"
  }
  ]
}

Create the request body, e.g., in the body.json file. In the request body, specify access permissions to delete. For example, revoke the editor role from the ajei8n54hmfh******** user:

body.json:

{
    "accessBindingDeltas": [{
        "action": "REMOVE",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "ajei8n54hmfh********",
                "type": "userAccount"
                }
            }
        }
    ]
}

Revoke a role by deleting the assigned permissions:

export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaAT********
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  --data '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

Revoke a role for a resource

Revoking a roleRevoking a role

Was the article helpful?

Revoking a role