Access management in Identity and Access Management

In this section, you will learn:

• What resources support role assignment.
• What roles exist in the service.
• What roles are required for specific actions.

Access managementAccess management

Yandex Identity and Access Management checks all operations in Yandex Cloud. If an entity does not have required permissions, this service returns an error.

To grant permissions for a resource, assign the appropriate resource roles to an entity performing operations, such as a Yandex account, service account, federated users, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.

To assign a role for a resource, a user needs the iam.admin role or one of the following roles for that resource:

• admin
• resource-manager.admin
• organization-manager.admin
• resource-manager.clouds.owner
• organization-manager.organizations.owner

Resources supporing role assignmentResources supporing role assignment

You can assign a role to an organization, cloud, or folder. The roles assigned to organizations, clouds, and folders also apply to their nested resources.

You can assign a role for a service account in the management console or using the Yandex Cloud CLI, API, or Terraform.

Available service rolesAvailable service roles

The chart below shows service’s roles and their permission inheritance. For example, editor inherits all viewer permissions. You can find role descriptions under the chart.

Service rolesService roles

iam.serviceAccounts.useriam.serviceAccounts.user

The iam.serviceAccounts.user role enables viewing the list of service accounts and info on them, as well as performing operations on behalf of a service account.

For example, if you specify a service account when creating an instance group, IAM will check whether you have a permission to use this service account.

iam.serviceAccounts.adminiam.serviceAccounts.admin

The iam.serviceAccounts.admin role enables managing service accounts and access to them and their keys, as well as getting IAM tokens for service accounts.

Users with this role can:

• View the list of service accounts and info on them, as well as create, use, modify, and delete them.
• View info on access permissions assigned for service accounts and modify such permissions.
• Get IAM tokens for service accounts.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.
• View info on the relevant folder and its settings.

For some services, e.g., Instance Groups or Managed Service for Kubernetes, you need a service account to perform operations. If you specified a service account in the request, IAM will check whether you have permissions to use this account.

iam.serviceAccounts.accessKeyAdminiam.serviceAccounts.accessKeyAdmin

The iam.serviceAccounts.accessKeyAdmin role enables managing static access keys for service accounts.

Users with this role can:

• View the list of service account static access keys and information on them.
• Create, update, and delete static access keys for service accounts.

iam.serviceAccounts.apiKeyAdminiam.serviceAccounts.apiKeyAdmin

The iam.serviceAccounts.apiKeyAdmin role enables managing API keys for service accounts.

Users with this role can:

• View the list of service account API keys and information on them.
• Create, update, and delete API keys for service accounts.

iam.serviceAccounts.authorizedKeyAdminiam.serviceAccounts.authorizedKeyAdmin

The iam.serviceAccounts.authorizedKeyAdmin role enables viewing info on service account authorized keys, as well as create, modify, and delete them.

iam.serviceAccounts.keyAdminiam.serviceAccounts.keyAdmin

The iam.serviceAccounts.keyAdmin role enables managing static access keys, API keys, and authorized keys for service accounts.

Users with this role can:

• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.

This role also includes the iam.serviceAccounts.accessKeyAdmin, iam.serviceAccounts.apiKeyAdmin, and iam.serviceAccounts.authorizedKeyAdmin permissions.

iam.serviceAccounts.tokenCreatoriam.serviceAccounts.tokenCreator

The iam.serviceAccounts.tokenCreator role enables getting IAM tokens for service accounts.

With such an IAM token one can impersonate to a service account and perform operations allowed for it.

This role does not allow you to modify access permissions or delete a service account.

iam.serviceAccounts.federatedCredentialVieweriam.serviceAccounts.federatedCredentialViewer

The iam.serviceAccounts.federatedCredentialViewer role enables viewing the list of federation credentials in workload identity federations and info on such credentials.

iam.serviceAccounts.federatedCredentialEditoriam.serviceAccounts.federatedCredentialEditor

The iam.serviceAccounts.federatedCredentialEditor role enables viewing the list of federation credentials in workload identity federations and info on such credentials, as well as create and delete those.

This role also includes the iam.serviceAccounts.federatedCredentialViewer permissions.

iam.workloadIdentityFederations.auditoriam.workloadIdentityFederations.auditor

The iam.workloadIdentityFederations.auditor role enables viewing the workload identity federation metadata.

iam.workloadIdentityFederations.vieweriam.workloadIdentityFederations.viewer

The iam.workloadIdentityFederations.viewer role enables viewing info on workload identity federations.

This role also includes the iam.workloadIdentityFederations.auditor permissions.

iam.workloadIdentityFederations.useriam.workloadIdentityFederations.user

The iam.workloadIdentityFederations.user role enables using workload identity federations.

iam.workloadIdentityFederations.editoriam.workloadIdentityFederations.editor

The iam.workloadIdentityFederations.editor role enables viewing info on workload identity federations, as well as creating, modifying, and deleting such federations.

This role also includes the iam.workloadIdentityFederations.viewer permissions.

iam.workloadIdentityFederations.adminiam.workloadIdentityFederations.admin

The iam.workloadIdentityFederations.admin role enables viewing info on workload identity federations, as well as creating, modifying, using, and deleting such federations.

This role also includes the iam.workloadIdentityFederations.editor and iam.workloadIdentityFederations.user permissions.

iam.userAccounts.refreshTokenVieweriam.userAccounts.refreshTokenViewer

The iam.userAccounts.refreshTokenViewer role enables viewing the lists of federated users’ refresh tokens. To use this role, you need to assign it for an organization.

iam.userAccounts.refreshTokenRevokeriam.userAccounts.refreshTokenRevoker

The iam.userAccounts.refreshTokenRevoker role enables revoking federated users’ refresh tokens. To use this role, you need to assign it for an organization.

iam.auditoriam.auditor

The iam.auditor role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

• View the list of service accounts and information on them.
• View info on access permissions assigned for service accounts.
• View the list of service account API keys and information on them.
• View the list of service account static access keys and information on them.
• View info on service account authorized keys.
• View the list of operations and the info on IAM resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folder and its settings.

iam.vieweriam.viewer

The iam.viewer role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

• View the list of service accounts and information on them.
• View info on access permissions assigned for service accounts.
• View the list of service account API keys and information on them.
• View the list of service account static access keys and information on them.
• View info on service account authorized keys.
• View the list of operations and the info on IAM resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folder and its settings.

This role also includes the iam.auditor permissions.

iam.editoriam.editor

The iam.editor role allows you to manage service accounts and their keys, manage folders, and view info on IAM resource operations and quotas.

Users with this role can:

• View the list of service accounts and info on them, as well as create, use, modify, and delete them.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.
• View info on access permissions assigned for service accounts.
• View the list of operations and the info on IAM resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folders and their settings.
• Create, modify, delete, and setup folders.

This role also includes the iam.viewer permissions.

iam.adminiam.admin

The iam.admin role enables managing service accounts and access to them and their keys, as well as managing folders, viewing info on IAM resource operations and quotas, and getting IAM tokens for service accounts.

Users with this role can:

• View the list of service accounts and info on them, as well as create, use, modify, and delete them.
• View info on access permissions assigned for service accounts and modify such permissions.
• Get IAM tokens for service accounts.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.
• View info on identity federations.
• View the list of operations and the info on Identity and Access Management resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folders and their settings.
• Create, modify, delete, and setup folders.

This role also includes the iam.editor and iam.serviceAccounts.admin permissions.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.

For more information about primitive roles, see the Yandex Cloud role reference.

What roles do I needWhat roles do I need

The table below lists the roles required to perform a particular action. You can always assign a role with more permissions. For example, you can assign the editor role instead of viewer.

Action	Methods	Required roles
Viewing data
Getting an IAM token	create	None, authentication only
Viewing user data	get, getByLogin	None, authentication only
Viewing service account data	get, list, listOperations	iam.serviceAccounts.user or viewer for the service account
Viewing information about a folder or cloud	get, list	iam.auditor for the folder or cloud
Viewing information about any resource	get, list	viewer for the resource
Managing resources
Creating service accounts in the folder	create	iam.serviceAccounts.admin for the folder
Updating and deleting service accounts	update, delete	editor for the service account
Creating and deleting keys for a service account	create, delete	iam.serviceAccounts.accessKeyAdmin, iam.serviceAccounts.apiKeyAdmin, iam.serviceAccounts.authorizedKeyAdmin, iam.serviceAccounts.keyAdmin for the service account
Resource access management
Adding a new user to the cloud	setAccessBindings	admin for the cloud
Making a new user the owner of the cloud	setAccessBindings, updateAccessBindings	resource-manager.clouds.owner role for the cloud
Granting, revoking, and viewing assigned resource roles	setAccessBindings, updateAccessBindings, listAccessBindings	admin for the resource
Getting an IAM token for a service account	create	iam.serviceAccounts.tokenCreator for the service account

What's nextWhat's next

• How to assign a role.
• How to revoke a role.
• Learn more about access management in Yandex Cloud.
• Learn more about role inheritance.