Contact UsGet started

Managing rights to access log groups

Written by
Updated at October 17, 2024

You can see what roles are assigned for a log group, revoke them, or assign new roles.

Note

The default log group inherits the roles assigned for the folder that it is located in. To update its access rights, assign or revoke folder roles.

Viewing roles assigned for a log group

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To view the roles assigned for a custom log group, run this command:

yc logging group list-access-bindings --name=<log_group_name>

Result:

+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| editor  | system       | allAuthenticatedUsers |
+---------+--------------+-----------------------+

To view the roles assigned for a custom log group, use the listAccessBindings REST API method for the LogGroup resource or the LogGroupService/ListAccessBindings gRPC API call.

Assigning roles for a log group

To assign a role to a custom log group, run this command:

  • User:

    yc logging group add-access-binding \
  --name <log_group_name> \
  --user-account-id <user_ID> \
  --role <role>

    Result:

    done (1s)

  • Service account:

    yc logging group add-access-binding \
  --name <log_group_name> \
  --service-account-id <service_account_ID> \
  --role <role>

    Result:

    done (1s)

  • All authorized users (the All authenticated users public group):

    yc logging group add-access-binding \
  --name <log_group_name> \
  --all-authenticated-users \
  --role <role>

    Result:

    done (1s)

To assign roles for a custom log group, use the setAccessBindings REST API method for the LogGroup resource or the LogGroupService/SetAccessBindings gRPC API call.

Revoking roles assigned for a log group

To revoke a role assigned for a custom log group, run the command:

  • User:

    yc logging group remove-access-binding \
  --name <log_group_name> \
  --user-account-id <user_ID> \
  --role <role>

    Result:

    done (1s)

  • Service account:

    yc logging group remove-access-binding \
  --name <log_group_name> \
  --service-account-id <service_account_ID> \
  --role <role>

    Result:

    done (1s)

  • All authorized users (the All authenticated users public group):

    yc logging group remove-access-binding \
  --name <log_group_name> \
  --all-authenticated-users \
  --role <role>

    Result:

    done (1s)

To revoke roles assigned to a custom log group, use the updateAccessBindings REST API method for the LogGroup resource or the LogGroupService/UpdateAccessBindings gRPC API call.

Previous
Reading records
Next
Getting a list of log groups