Revoke a role for a resource
If you want to prevent a subject from accessing a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information, see How access management works in Yandex Cloud.
Revoking a role
Management console

To revoke a role in the folder and its child resources:
- On the start page of the management console, select the folder.
- Go to the Access bindings tab.
- Select a user from the list and click the icon next to the username.
- Click Edit roles.
- Click the icon next to the role you wish to revoke.
- Click Save.

To revoke a role in the cloud:
- On the start page of the management console, select the cloud.
- Go to the Access bindings tab.
- Select a user from the list and click the icon next to the username.
- Click Edit roles.
- Click the icon next to the role you wish to revoke.
- Click Save.

To revoke all the folder or cloud roles at once:
- On the management console home page, select a folder or a cloud.
- Go to the Access bindings tab.
- Select a user from the list and click the icon next to the username.
- If you want to revoke all of the user's roles in the cloud, click Remove bindings and confirm the revocation.
CLI

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

To revoke a role from a subject, delete access permissions for the appropriate resource:
- View the roles assigned for a resource:

  ```bash
  yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>
  ```

  Where:
  - <service_name>: Name of the service the resource belongs to, e.g., resource-manager.
  - <resource_category>: Resource category, e.g., folder.
  - <resource_name_or_ID>: Resource name or ID. You can specify a resource by either.

  For example, you can view the roles and the assignees for the default folder:

  ```bash
  yc resource-manager folder list-access-bindings default
  ```

  Result:

  ```text
  +---------------------+----------------+----------------------+
  | ROLE ID             | SUBJECT TYPE   | SUBJECT ID           |
  +---------------------+----------------+----------------------+
  | editor              | serviceAccount | ajepg0mjas06******** |
  | viewer              | userAccount    | aje6o61dvog2******** |
  +---------------------+----------------+----------------------+
  ```
- To delete access permissions, run this command:

  ```bash
  yc <service_name> <resource_category> remove-access-binding <resource_name_or_ID> \
    --role <role_ID> \
    --subject <subject_type>:<subject_ID>
  ```

  Where:
  - --role: ID of the role to revoke, e.g., resource-manager.clouds.owner.
  - <subject_type>: Subject type to revoke a role from, e.g., userAccount or serviceAccount.
  - <subject_ID>: Subject ID.
Terraform

If you don't have Terraform, install it and configure the Yandex Cloud provider.

- To revoke a resource role from a subject, find the resource description in the configuration file:

  ```hcl
  resource "yandex_resourcemanager_cloud_iam_binding" "admin" {
    cloud_id = "<cloud_ID>"
    role     = "<role>"
    members  = [
      "serviceAccount:<service_account_ID>",
      "userAccount:<user_ID>",
    ]
  }
  ```
- Delete the record for the subject whose permissions you need to revoke from the members list. For more information about the yandex_resourcemanager_cloud_iam_binding resource parameters, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:

    ```bash
    terraform plan
    ```

  If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:

    ```bash
    terraform apply
    ```
  - Confirm creating the resources: type yes in the terminal and press Enter.

  All the resources you need will then be created in the specified folder. You can check the new resource using the management console or this CLI command:

  ```bash
  yc resource-manager cloud list-access-bindings <cloud_name_or_ID>
  ```
API

To revoke a resource role from a subject, delete the relevant access permissions:
- View the roles and assignees for the resource using the listAccessBindings REST API method. For example, to view the roles for the b1gvmob95yys******** folder:

  ```bash
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaATEVAgA...
  curl \
    --header "Authorization: Bearer ${IAM_TOKEN}" \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"
  ```

  Result:

  ```json
  {
    "accessBindings": [
      {
        "subject": {
          "id": "ajei8n54hmfh********",
          "type": "userAccount"
        },
        "roleId": "editor"
      }
    ]
  }
  ```
- Create the request body, e.g., in the body.json file. In the request body, specify the access permissions to delete. For example, to revoke the editor role from the ajei8n54hmfh******** user:

  body.json:

  ```json
  {
    "accessBindingDeltas": [
      {
        "action": "REMOVE",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "ajei8n54hmfh********",
            "type": "userAccount"
          }
        }
      }
    ]
  }
  ```
- Revoke a role by deleting the assigned permissions:

  ```bash
  export FOLDER_ID=b1gvmob95yys********
  export IAM_TOKEN=CggaAT********
  curl \
    --request POST \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer ${IAM_TOKEN}" \
    --data '@body.json' \
    "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
  ```

  After the call, run listAccessBindings again and confirm that the subject no longer appears with the revoked role.
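As an added example (not code from the Yandex Cloud documentation or the yc tool), the following Python builds the updateAccessBindings request body from a listAccessBindings result instead of hand-writing body.json, accepts the subject in the <subject_type>:<subject_ID> form the CLI uses, can revoke either one role or every role the subject holds (the API counterpart of the console's Remove bindings), and gives a post-revocation check. The sample response and its masked IDs are constructed.

```python
import json

# Constructed sample modelled on the listAccessBindings result shown on this page;
# the masked IDs are placeholders, not real subjects.
SAMPLE_LIST_RESPONSE = {
    "accessBindings": [
        {"subject": {"id": "ajei8n54hmfh********", "type": "userAccount"}, "roleId": "editor"},
        {"subject": {"id": "ajei8n54hmfh********", "type": "userAccount"}, "roleId": "viewer"},
        {"subject": {"id": "ajepg0mjas06********", "type": "serviceAccount"}, "roleId": "editor"},
    ]
}

def parse_subject(subject):
    """Split the '<subject_type>:<subject_ID>' form that `yc --subject` uses."""
    subject_type, sep, subject_id = subject.partition(":")
    if not sep or not subject_type or not subject_id:
        raise ValueError(f"expected <subject_type>:<subject_ID>, got {subject!r}")
    return subject_type, subject_id

def subject_bindings(list_response, subject):
    """Bindings the subject currently holds on the resource."""
    subject_type, subject_id = parse_subject(subject)
    return [b for b in list_response.get("accessBindings", [])
            if b["subject"]["type"] == subject_type and b["subject"]["id"] == subject_id]

def remaining_roles(list_response, subject):
    """Role IDs still held by the subject; empty after a complete revocation."""
    return sorted(b["roleId"] for b in subject_bindings(list_response, subject))

def build_remove_body(list_response, subject, role_id=None):
    """Build the updateAccessBindings body that REMOVEs the subject's bindings.

    role_id=None revokes every role the subject holds on the resource (the API
    counterpart of the console's "Remove bindings"). Deltas are derived from the
    current listAccessBindings state, so no binding is named that does not exist.
    """
    deltas = [
        {"action": "REMOVE",
         "accessBinding": {"roleId": b["roleId"], "subject": dict(b["subject"])}}
        for b in subject_bindings(list_response, subject)
        if role_id is None or b["roleId"] == role_id
    ]
    if not deltas:
        raise LookupError(f"{subject} holds no matching binding; nothing to revoke")
    return {"accessBindingDeltas": deltas}

def body_json(list_response, subject, role_id=None):
    """Serialised request body, ready to be written to body.json for the curl call."""
    return json.dumps(build_remove_body(list_response, subject, role_id), indent=2)
```

Feed the output of body_json to the curl POST shown above, then pass a fresh listAccessBindings result to remaining_roles to verify the revocation took effect.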