Getting started with IAM
To get started with IAM, add a user to your organization and grant them access to a resource in one of your clouds. Learn more about organizations, resources, and users.
Getting started
- Log in to the management console. If not signed up yet, navigate to the management console and follow the instructions.
- Make sure that you have the required roles:
  - In the management console, select the appropriate cloud from the list on the left.
  - Go to the Access bindings tab.
  - Specify your account in the search bar.
  - Check that your account has the following roles:
    - Organization owner (organization-manager.organizations.owner) or organization administrator (organization-manager.admin).
    - Cloud owner (resource-manager.clouds.owner) or cloud administrator (admin).
- On the Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account yet, create one.
- If you do not have any users to add to the cloud, you can create a new account on Yandex and grant this account access to the cloud.
Add a user with a Yandex account to your organization
- Log in to the cloud administrator account.
- Log in to the management console.
- Select the appropriate cloud from the list on the left.
- Go to the Access bindings tab.
- In the top-right corner, click the icon and select Invite users.
- Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.ru).
  You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.
- Click Send invitation.

The user will be able to log in to the organization after accepting the invitation via the emailed link and selecting an account to log in with. To access the services enabled for the organization, the users you invited simply need to log in to their Yandex account.
Assign roles to the user
To specify which operations the user can perform, assign relevant roles to the user. For example, allow the user to view cloud resources and manage a folder:
- Assign the user a role in the cloud:
  - In the management console, on the left, select a cloud.
  - Go to the Access bindings tab.
  - Click Configure access.
  - In the window that opens, select User accounts.
  - Select a user from the list or search by user.
  - Click Add role.
  - Select the resource-manager.viewer role. This role enables you to read cloud information, including the access rights list.
  - Click Save.
- Assign the user a role in the folder:
  - In the management console, select the appropriate folder.
  - Go to the Access bindings tab.
  - Click Configure access.
  - In the window that opens, select User accounts.
  - Select a user from the list or search by user.
  - Click Add role.
  - Select the resource-manager.editor role. This role enables you to read folder information, including the access rights list, as well as edit and delete the folder.
  - Click Save.
Revoke assigned roles
If the assigned roles are no longer needed, revoke them:
- To revoke a role only in the folder:
  - On the start page of the management console, select the folder.
  - Go to the Access bindings tab.
  - Select a user from the list and click the icon next to the username.
  - Click Edit roles.
  - Click the icon next to the role you wish to revoke.
  - Click Save.
- To revoke a role in the cloud:
  - On the start page of the management console, select the cloud.
  - Go to the Access bindings tab.
  - Select a user from the list and click the icon next to the username.
  - Click Edit roles.
  - Click the icon next to the role you wish to revoke.
  - Click Save.
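
After assigning or revoking roles, it is worth confirming that the bindings actually in place match the ones you intended. The following is an added example, not part of the original guide or of Yandex Cloud's own tooling: it compares a list of access bindings with an intended state and flags leftover or privileged roles. The binding record shape (role_id plus subject) and the user IDs are assumptions, and the sample data is constructed.

```python
# Added example: compare exported access bindings with the intended state.
# Binding shape (role_id + subject) and all IDs are assumptions / constructed.

# Owner and administrator roles named on this page.
PRIVILEGED_ROLES = {
    "organization-manager.organizations.owner",
    "organization-manager.admin",
    "resource-manager.clouds.owner",
    "admin",
}

def binding(role_id, subject_id):
    """Build one constructed binding record."""
    return {"role_id": role_id, "subject": {"id": subject_id, "type": "userAccount"}}

# Constructed sample: what is currently bound at each scope.
ACTUAL = {
    "cloud": [
        binding("resource-manager.clouds.owner", "user-owner"),
        binding("resource-manager.viewer", "user-invited"),
        binding("admin", "user-invited"),  # never intended
    ],
    "folder": [
        binding("resource-manager.editor", "user-invited"),  # should be revoked
    ],
}

# Intended state once the folder role has been revoked.
EXPECTED = {
    "cloud": {("user-owner", "resource-manager.clouds.owner"),
              ("user-invited", "resource-manager.viewer")},
    "folder": set(),
}

def audit(actual, expected, privileged=PRIVILEGED_ROLES):
    """Return (scope, subject, role, finding) tuples for every drift."""
    findings = []
    for scope in sorted(set(actual) | set(expected)):
        have = {(b["subject"]["id"], b["role_id"]) for b in actual.get(scope, [])}
        want = expected.get(scope, set())
        for subject, role in sorted(have - want):
            kind = "unexpected-privileged" if role in privileged else "unexpected"
            findings.append((scope, subject, role, kind))
        for subject, role in sorted(want - have):
            findings.append((scope, subject, role, "missing"))
    return findings

if __name__ == "__main__":
    for finding in audit(ACTUAL, EXPECTED):
        print(*finding, sep="\t")
```

With the sample data, the check reports the unintended admin binding in the cloud and the resource-manager.editor binding that is still present in the folder.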
What's next
- The step-by-step guides will help you perform specific tasks in Identity and Access Management.
- Learn about access management in Yandex Cloud.
- See the best practices for using Yandex Cloud securely.
- Learn how to get started with Cloud Organization.
- Learn about authentication in Yandex Cloud.
- Learn how to work with service accounts.
- See answers to frequently asked questions.