© 2025 Yandex.Cloud LLC
In this article:

  • Yandex Cloud resource model
  • Access management
  • Yandex Cloud role model subjects
  • Working with Yandex Cloud Organization
  • What's next

Getting started with Identity and Access Management

Written by
Yandex Cloud
Updated at September 20, 2024

Yandex Identity and Access Management allows you to manage access to Yandex Cloud resources. With IAM, only users with relevant access permissions can perform operations on resources.

Yandex Cloud resource model

All Yandex Cloud services are based on a common resource and role model. When using Yandex Cloud services, you create resources: VMs, managed database clusters, registries, secrets, and more. Most services store the resources they create in folders. Folders belong to clouds, and clouds belong to organizations.

Organizations are logical entities that combine different types of resources and users into a single workspace. Organizations do not interact with one another: their resources are isolated from each other.

Within an organization, you can configure access permissions for a resource at the following levels:

  • Organization.
  • Cloud.
  • Folder.
  • Individual resource if the relevant service supports such granular access management.

This approach supports the principle of least privilege: users get only the permissions that are essential for their tasks.

Access management

Access management in Yandex Cloud uses the role-based access control (RBAC) model. To grant access to a resource, you assign roles for that resource to subjects. You can also assign a role on a parent resource, from which child resources inherit their access permissions. For example, you can assign a role for the folder or cloud the VMs reside in.

In Yandex Cloud, roles and resources for which roles can be assigned are predefined. Users cannot create custom roles.

Roles can be assigned only by users who have at least the primitive admin role, or the <service_name>.admin role, for the resource itself or one of its parent resources. A user cannot grant a higher level of permissions than they hold themselves.

Example

A role for an individual VM can be assigned by a user with one of the following roles:

  • admin
  • compute.admin
  • resource-manager.clouds.owner
  • organization-manager.admin
  • organization-manager.organizations.owner

The user must have one of these roles assigned for the following resources:

  • VM
  • Folder the VM belongs to
  • Cloud the folder is in
  • Whole organization

If you want to prevent a subject from accessing a resource, revoke the relevant roles for this resource as well as for the resources access permissions can be inherited from.
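The inheritance and revocation rules above, modelled as an added example (not Yandex Cloud code): resource ids, subjects and bindings are constructed, and the assigner role list is the one from the article's VM example.

```python
# Added illustration of Yandex Cloud's role inheritance rules.
# Constructed model, not Yandex Cloud code: ids, subjects and bindings are made up.
from collections import defaultdict

# Parent links: organization > cloud > folder > resource (constructed sample).
PARENT = {"vm-1": "folder-a", "folder-a": "cloud-x", "cloud-x": "org-1", "org-1": None}

# Roles that, held on the VM or any of its parents, allow assigning a role
# for the VM (the list given in the article's example).
VM_ASSIGNER_ROLES = {
    "admin", "compute.admin", "resource-manager.clouds.owner",
    "organization-manager.admin", "organization-manager.organizations.owner",
}

# bindings[resource][subject] -> roles granted directly on that resource.
bindings = defaultdict(lambda: defaultdict(set))


def grant(resource, subject, role):
    bindings[resource][subject].add(role)


def revoke(resource, subject, role):
    bindings[resource][subject].discard(role)


def chain(resource):
    """Yield the resource, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_roles(subject, resource):
    """Roles the subject holds on resource, directly or inherited from a parent."""
    roles = set()
    for r in chain(resource):
        roles |= bindings[r][subject]
    return roles


def can_assign_role_on_vm(subject, vm):
    return bool(effective_roles(subject, vm) & VM_ASSIGNER_ROLES)


def revoke_everywhere(subject, resource, role):
    """Revoking on the resource alone is not enough: revoke on each parent too."""
    for r in chain(resource):
        revoke(r, subject, role)
```

Revoking compute.admin on the VM alone leaves the folder-level binding in place, so the subject still holds the role on the VM until revoke_everywhere walks the whole chain.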

Yandex Cloud role model subjects

Roles for a resource are assigned to subjects. Each subject can get multiple roles.

There are the following subject types:

  • Yandex account: Your Yandex or Yandex 360 account.
  • Service account: An additional account that programs can use to perform operations in Yandex Cloud. Service accounts are free of charge and enable flexible access management for your programs.
  • Federated account: User account in an identity federation, e.g., Active Directory.
  • User group: Group of users with the same access permissions.
  • System group: User group preinstalled in IAM.

Working with Yandex Cloud Organization

IAM and Yandex Cloud Organization are closely related because Cloud Organization also provides access management features – but at the organization level. For example, you can use Cloud Organization for centralized user management, which includes inviting new users.

You can also create and manage identity federations to use single sign-on (SSO) authentication in Yandex Cloud via your identity provider.

User group management also takes place in Cloud Organization. For example, you can use the service to issue access permissions to a group. To use other Yandex Cloud interfaces to set up group access permissions, first create a group and add members to it in Cloud Organization. With that done, you will be able to manage the group in many ways, e.g., give it permissions for a folder in the management console.

What's next

  • Learn how to get started with Cloud Organization.
  • Read about billing accounts: what they are for and how to create one.
  • Learn about resources and access management in Yandex Cloud.
  • Learn how to manage access to resources.
  • See what account types exist in Yandex Cloud and how to work with service accounts.
  • Read about authentication methods in Yandex Cloud.
