Assigning a role to a user
Organization administrators and owners can assign roles in Yandex Cloud Organization. You can assign to users not just organization management roles but also roles for access to your organization's connected cloud resources.
For information about roles available in Yandex Cloud and their associated permissions, see the Yandex Identity and Access Management documentation, Yandex Cloud role reference.
-
Log in as the organization administrator or owner.
-
Go to Yandex Cloud Organization.
-
In the left-hand panel, select Access bindings.
-
At the top right, click Assign bindings.
-
Select a user from the list or use the search bar.
-
Click Add role and enter the role name or select one from the list. You can choose more than one role.
-
Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
Select the role you want to assign.
-
Assign the role using the command:
yc <service_name> <resource> add-access-binding <resource_name_or_ID> \ --role <role_ID> \ --subject <subject_type>:<subject_ID>Where:
<service_name>: Name of the service to whose resource the role is assigned, e.g.,organization-manager.<resource>: Resource category. For an organization,organizationis the category of importance.<resource_name_or_ID>: Name or ID of the resource. Refer to an organization by its technical name.--role: Role ID.--subject: Type and ID of the subject getting the role.
For example, assign to a user the administrator role for a directory with the
b1gmit33ngp3********ID:yc recource-manager folder add-access-binding b1gmit33ngp3******** \ --role resource-manager.admin \ --subject userAccount:aje6o61dvog2********
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Describe the properties of the roles to be assigned in the configuration file:
resource "yandex_organizationmanager_organization_iam_binding" "editor" { organization_id = "<organization_ID>" role = "<role_ID>" members = [ "federatedUser:<user_ID>", ] }Where:
-
organization_id: Organization ID. -
role: Role you want to assign. For each role, you can only use oneyandex_organization manager_organization_iam_binding. -
members: Array of the IDs of users to assign a role to:userAccount:<user_ID>: User's Yandex account ID.federatedUser:<user_ID>: Federated user ID.
For more information about resources you can create with Terraform, see the provider documentation.
-
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validateIf the configuration is correct, the following message is returned:
Success! The configuration is valid. -
Run the command:
terraform planThe terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesin the terminal and press Enter.
-
The specified user will then get roles in the organization. You can check the new role in the management console.
To assign a role, use the updateAccessBindings REST API method for the appropriate resource:
-
Select the role you want to assign.
-
Create the request body, e.g., in the
body.jsonfile. In theactionproperty, specifyADD, and in thesubjectproperty, specify theuserAccountorfederatedUsertype and the user ID:{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "<role_ID>", "subject": { "id": "gfei8n54hmfh********", "type": "userAccount" } } }] } -
Assign the role. For example, for an organization with the
bpf3crucp1v2********ID:export ORGANIZATION_ID=bpf3crucp1v2******** export IAM_TOKEN=<IAM-token> curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d '@body.json' \ "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
In a similar way, you can assign roles for an organization to a service account.