Contact UsGet started

Adding a user

Written by
Updated at May 5, 2025

Add a user to your organization and grant them the role needed to access Yandex Cloud resources. For example, enable the user to create managed DB clusters or track the status of VMs in use.

You can add users with a Yandex account as well as federated users. To do this, you need to be the organization administrator (organization-manager.admin role) or owner (organization-manager.organizations.owner role). To learn how to grant a role to a user, see Assigning roles.

Note

To enable a user to access the management console, assign them a role for the cloud or organization. For added security, you can assign one of the least priveleged roles, such as resource-manager.clouds.member. However, you may also assign other roles if you know which permissions you want to grant to the invited users.

To grant these permissions to all the organization users at once, assign the role to the All users in organization X system group. When using the CLI or API, no additional roles are required.

Yandex account users

If your employees have Yandex accounts, e.g., login@yandex.ru, they can use them to access Yandex Cloud services enabled in your organization.

You can invite a user to an organization via the management console or the Cloud Center interface. An invitation to join your organization will be sent to the user's email address.

Send an invitation

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. In the top-right corner, click Invite users with a Yandex account.

  4. Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.ru).

    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.

  5. Click Send invitation.

  1. Log in to the management console with the cloud administrator account.

  2. Select the appropriate cloud from the list on the left. Example:

    image

  3. In the top-right corner, click and select Invite users.

  4. Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.ru).

    You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.

  5. Click Send invitation.

The user will be able to log in to the organization upon accepting the invitation via the emailed link and selecting an account for log-in. To access the services enabled for the organization, the users you invited simply need to log in to their Yandex account.

You can delete or resend your invitation only via Cloud Organization.

Delete the invitation

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. Select the Invitations tab in the center of the screen.

  4. In the row with the invitation, click and select Delete invitation.

  5. In the window that opens, confirm the deletion.

Resend your invitation

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. Select the Invitations tab in the center of the screen.

  4. In the row with the invitation, click and select Resend.

  5. In the window that opens, confirm resending the invitation.

Note

To better safeguard your resources from unauthorized access, enable Yandex ID two-factor authentication. Also, request users you add to your organization to enable it.

Federated users

If you did not enable the Automatically create users option when setting up a federation, you will have to add federated users to your organization manually.

To do this, you need to know the user name IDs returned by the Identity Provider (IdP) server together with the successful authentication response. This will usually be the user's email address. To find out what the server returns as the name ID, contact the administrator who configured authentication for your federation.

If the Automatically create users option is enabled, a federation will only add users logging in to a cloud for the first time. If a federated user has been removed, they can only be added again manually.

You do not need to invite federated users to the organization; they are added automatically after logging in.

Add federated users

  1. Go to Yandex Cloud Organization.

  2. In the left-hand panel, select Users.

  3. In the top-right corner, click More and select Add federated users.

  4. Select the identity federation to add users from.

  5. List the name IDs of users, separating them with spaces or line breaks.

  6. Click Add. This will give the users access to the organization.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. View a description of the add user command:

    yc organization-manager federation saml add-user-accounts --help

  2. Add users by listing their name IDs separated by a comma:

    yc organization-manager federation saml add-user-accounts \
   --name <federation_name> \
   --name-ids <list_of_user_name_IDs>

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. In the configuration file, describe the parameters of the resources you want to create:

    resource "yandex_organizationmanager_saml_federation_user_account" "some_account" {
  federation_id = "<federation_ID>"
  name_id       = "<User_name_ID>"
}

    Where:

    • federation_id: ID of the federation to add the user to.
    • name_id: Name ID of the user.

    For more information about the yandex_organizationmanager_saml_federation_user_account resource parameters, see the provider documentation.

  2. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

    Terraform will create all the required resources. You can check the new resources using the management console or this CLI command:

    yc organization-manager federations saml \
  --organization-id <organization_ID> list-user-accounts \
  --id <federation_ID>

Use the addUserAccounts REST API method for the Federation resource or the FederationService/AddUserAccounts gRPC API call and provide the following in the request:

  • Federation ID in the federationId parameter.
  • List of user name IDs in the nameIds parameter.

What's next

Previous
Overview
Next
Getting user ID or email