Configuring access permissions for a digital signature key pair
You can grant access to an asymmetric digital signature key pair to a user, service account, or user group. To do this, assign rolesfor the digital signature key pair. To choose the ones you need, learn about the service's roles.
Assigning a role
- In the management console
, select a folder containing an asymmetric encryption key pair. - In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- On the Signature tab, click the name of the key pair.
- Go to the
Access bindings section and click Assign bindings. - Select the group, user, or service account you want to grant access to the key pair.
- Click
Add role and select the roles. - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To assign a role for an asymmetric digital signature key pair:
-
See the description of the CLI role assignment command:
yc kms asymmetric-signature-key add-access-binding --help
-
Get a list of digital signature key pairs with their IDs:
yc kms asymmetric-signature-key list
-
Get the ID of the user, service account, or user group you are assigning a role to.
-
Use one of these commands to assign a role:
-
To a user:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --user-account-id <user_ID>
-
To a federated user:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --subject federatedUser:<user_ID>
-
To a service account:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --service-account-id <service_account_ID>
-
To a user group:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --subject group:<group_ID>
-
Use the AsymmetricSignatureKeyService/UpdateAccessBindings gRPC API call and provide the following in the request:
ADD
in theaccess_binding_deltas[].action
parameter to add a role.- Role in the
access_binding_deltas[].access_binding.role_id
parameter. - ID of the subject you are assigning the role to in the
access_binding_deltas[].access_binding.subject.id
parameter. - Type of the subject you are assigning the role to in the
access_binding_deltas[].access_binding.subject.id
parameter.
Assigning multiple roles
- In the management console
, select a folder containing an asymmetric encryption key pair. - In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- On the Signature tab, click the name of the key pair.
- Go to the
Access bindings section and click Assign bindings. - Select the group, user, or service account you want to grant access to the key pair.
- Click
Add role and select the roles. - Click Save.
Alert
The set-access-bindings
command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To assign multiple roles for a digital signature key pair:
-
Make sure the key pair has no roles assigned that you would not want to lose:
yc kms asymmetric-signature-key list-access-bindings \ --id <key_pair_ID>
-
See the description of the CLI role assignment command:
yc kms asymmetric-signature-key set-access-bindings --help
-
Get a list of digital signature key pairs with their IDs:
yc kms asymmetric-signature-key list
-
Get the ID of the user, service account, or user group you are assigning roles to.
-
Use one of the commands below to assign roles:
-
To a Yandex account user:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,user-account-id=<user_ID>
-
To a federated user:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,subject=federatedUser:<user_ID>
-
To a service account:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,service-account-id=<service_account_ID>
-
To a user group:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,subject=group:<group_ID>
Provide a separate
--access-binding
flag for each role. Example:yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role_1>,service-account-id=<service_account_ID> \ --access-binding role=<role_2>,service-account-id=<service_account_ID> \ --access-binding role=<role_3>,service-account-id=<service_account_ID>
-
Alert
The setAccessBindings
method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
Use the AsymmetricSignatureKeyService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:
- Role in the
access_bindings[].role_id
parameter. - ID of the subject you are assigning the roles to in the
access_bindings[].subject.id
parameter. - Type of the subject you are assigning the roles to in the
access_bindings[].subject.type
parameter.