Contact UsGet started

Configuring access permissions for a digital signature key pair

Written by
Updated at May 13, 2025

You can grant access to an asymmetric digital signature key pair to a user, service account, or user group. To do this, assign rolesfor the digital signature key pair. To choose the ones you need, learn about the service's roles.

Assigning a role

  1. In the management console, select a folder containing an asymmetric encryption key pair.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. On the Signature tab, click the name of the key pair.
  5. Go to Access bindings and click Assign roles.
  6. Select the group, user, or service account you want to grant access to the key pair.
  7. Click Add role and select the required roles.
  8. Click Save.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role for an asymmetric digital signature key pair:

  1. See the description of the CLI role assignment command:

    yc kms asymmetric-signature-key add-access-binding --help

  2. Get a list of digital signature key pairs with their IDs:

    yc kms asymmetric-signature-key list

  3. Get the ID of the user, service account, or user group you are assigning a role to.

  4. Use one of these commands to assign a role:

    • To a user:

      yc kms asymmetric-signature-key add-access-binding \
  --id <key_pair_ID> \
  --role <role> \
  --user-account-id <user_ID>

    • To a federated user:

      yc kms asymmetric-signature-key add-access-binding \
  --id <key_pair_ID> \
  --role <role> \
  --subject federatedUser:<user_ID>

    • To a service account:

      yc kms asymmetric-signature-key add-access-binding \
  --id <key_pair_ID> \
  --role <role> \
  --service-account-id <service_account_ID>

    • To a user group:

      yc kms asymmetric-signature-key add-access-binding \
  --id <key_pair_ID> \
  --role <role> \
  --subject group:<group_ID>

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To assign a role for an asymmetric digital signature key pair through Terraform:

  1. In the Terraform configuration file, define the parameters of the resources you want to create:

    resource "yandex_kms_asymmetric_signature_key" "key-viewers" {
  asymmetric_signaturen_key_id  = "<key_pair_ID>"
  role                          = "<role_1>"
  members                       = ["<subject_type>:<subject_ID>"]
}

    Where:

    • asymmetric_signaturen_key_id : ID of the digital signature key pair.
    • role: Role.
    • members: List of types and IDs of subjects getting the role. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>.

    For more information about the yandex_kms_asymmetric_signature_key resource properties, see the provider documentation.

  2. Create the resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all required resources. You can check the new resources using this CLI command:

    yc kms asymmetric-signature-key list-access-bindings <key_pair_ID>

Use the updateAccessBindings method for the AsymmetricSignatureKey resource or the AsymmetricSignatureKeyService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • ADD value in the access_binding_deltas[].action parameter to add a role.
  • Role in the access_binding_deltas[].access_binding.role_id parameter.
  • ID of the subject you are assigning the role to in the access_binding_deltas[].access_binding.subject.id parameter.
  • Type of the subject you are assigning the role to in the access_binding_deltas[].access_binding.subject.type parameter.

Assigning multiple roles

  1. In the management console, select a folder containing an asymmetric encryption key pair.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Asymmetric keys.
  4. On the Signature tab, click the name of the key pair.
  5. Go to Access bindings and click Assign roles.
  6. Select the group, user, or service account you want to grant access to the key pair.
  7. Click Add role and select the required roles.
  8. Click Save.

Alert

The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign multiple roles for a digital signature key pair:

  1. Make sure the key pair has no roles assigned that you would not want to lose:

    yc kms asymmetric-signature-key list-access-bindings \
  --id <key_pair_ID>

  2. See the description of the CLI role assignment command:

    yc kms asymmetric-signature-key set-access-bindings --help

  3. Get a list of digital signature key pairs with their IDs:

    yc kms asymmetric-signature-key list

  4. Get the ID of the user, service account, or user group you are assigning roles to.

  5. Use one of the commands below to assign roles:

    • To a Yandex account user:

      yc kms asymmetric-signature-key set-access-bindings \
  --id <key_pair_ID> \
  --access-binding role=<role>,user-account-id=<user_ID>

    • To a federated user:

      yc kms asymmetric-signature-key set-access-bindings \
  --id <key_pair_ID> \
  --access-binding role=<role>,subject=federatedUser:<user_ID>

    • To a service account:

      yc kms asymmetric-signature-key set-access-bindings \
  --id <key_pair_ID> \
  --access-binding role=<role>,service-account-id=<service_account_ID>

    • To a user group:

      yc kms asymmetric-signature-key set-access-bindings \
  --id <key_pair_ID> \
  --access-binding role=<role>,subject=group:<group_ID>

    Provide a separate --access-binding flag for each role. For example:

    yc kms asymmetric-signature-key set-access-bindings \
  --id <key_pair_ID> \
  --access-binding role=<role1>,service-account-id=<service_account_ID> \
  --access-binding role=<role2>,service-account-id=<service_account_ID> \
  --access-binding role=<role3>,service-account-id=<service_account_ID>

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To assign multiple roles for an asymmetric digital signature key pair through Terraform:

  1. In the Terraform configuration file, define the parameters of the resources you want to create:

    # Role 1
resource "yandex_kms_asymmetric_signature_key" "key-viewers" {
  asymmetric_signaturen_key_id = "<key_pair_ID>"
  role                         = "<role_1>"
  members                      = ["<subject_type>:<subject_ID>"]
}

# Role 2
resource "yandex_kms_asymmetric_signature_key" "key-editors" {
  asymmetric_signaturen_key_id = "<key_pair_ID>"
  role                         = "<role_2>"
  members                      = ["<subject_type>:<subject_ID>"]
}

    Where:

    • asymmetric_signaturen_key_id: ID of the digital signature key pair.
    • role: Role.
    • members: List of types and IDs of subjects getting the role. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>.

    For more information about the yandex_kms_asymmetric_signature_key resource properties, see the provider documentation.

  2. Create the resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all required resources. You can check the new resources using this CLI command:

    yc kms asymmetric-signature-key list-access-bindings <key_pair_ID>

Alert

The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

Use the SetAccessBindings method for the AsymmetricSignatureKey resource or the AsymmetricSignatureKeyService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

  • Role in the access_bindings[].role_id parameter.
  • ID of the subject getting the roles in the access_bindings[].subject.id parameter.
  • Type of the subject getting the roles in the access_bindings[].subject.type parameter.
Previous
Digital signature key pair
Next
Digital signature and its verification