Assigning a role to a user group
Assign a role to a user group to grant access to a resource. To grant group access permissions to a subject, see Subjects that roles are assigned to.
In Yandex Cloud Organization, you can assign a group a role for an organization, cloud, folder, another group, or service account.
Assigning a role for a cloud or folder
-
Log in to the management console
with the cloud administrator or owner account. -
On the left side of the screen, click the line with the name of the cloud or folder for which you want to assign a role to a user group.
-
At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens:
-
Go to the Groups tab and select the group you need or search by group name.
You can also assign a role to one of the system groups:
All users in organization X
: The group includes all users in organizationX
.All users in federation N
: The group includes all users in federationN
.
-
Click
Add role and select the role you want to assign to the group for the cloud or folder you selected earlier. You can assign multiple roles. -
Click Save.
-
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
Select a role from the Yandex Cloud role reference.
-
Assign the role using the command:
yc <service_name> <resource> add-access-binding <resource_name_or_ID> \ --role <role_ID> \ --subject group:<group_ID>
Where:
-
--role
: Role ID, e.g.,resource-manager.clouds.owner
. -
--subject group
: ID of the group the role is assigned to.To assign a role to one of the system groups, instead of
--subject
, use the--organization-users <organization_ID>
or--federation-users <federation_ID>
parameter. In the parameter, provide the ID of the organization or identity federation, respectively, to all the users you want to assign the role to.You can also assign a role to a system group using the
--subject
parameter. To do this, provide in it the subject ID matching the selected system group.
For example, assign the
resource-manager.viewer
role for themy-cloud
cloud:yc resource-manager cloud add-access-binding mycloud \ --role resource-manager.viewer \ --subject group:aje6o61dvog2********
-
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Add the resource parameters to the configuration file and specify the required role and group:
resource "yandex_resourcemanager_cloud_iam_member" "admin" { cloud_id = "<cloud_ID>" role = "<role_ID>" member = "group:<group_ID>" }
Where:
-
cloud_id
: Cloud ID. You can also assign a role within an individual folder. To do this, specifyfolder_id
instead ofcloud_id
and the required folder ID in the resource parameters. -
role
: Role you want to assign. This is a required parameter. -
member
: Group the role is assigned to. Use this format:group:<group_ID>
. This is a required parameter.To assign a role to one of the system groups, specify the following in the
member
parameter:system:group:organization:<organization_ID>:users
: To assign a role to theAll users in organization X
system group.system:group:federation:<federation_ID>:users
: To assign a role to theAll users in federation N
system group.
For more information about the
yandex_resourcemanager_cloud_iam_member
resource parameters, see the provider documentation . -
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console
or this CLI command:terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console
or this CLI command:yc resource-manager folder list-access-bindings <folder_name_or_ID>
-
Use the updateAccessBindings
REST API method for the appropriate resource.
-
Select a role from the Yandex Cloud role reference.
-
Create the request body, e.g., in the
body.json
file. In theaction
property, enterADD
, and specify thegroup
type and group ID undersubject
:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "<group_ID>", "type": "group" } } }] }
-
Assign a role to a service account. For example, for a folder with the
b1gvmob95yys********
ID:export FOLDER_ID=b1gvmob95yys******** export IAM_TOKEN=CggaAT******** curl \ --request POST \ --header "Content-Type: application/json" \ --header "Authorization: Bearer ${IAM_TOKEN}" \ --data '@body.json' \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
To learn how to assign a role for the respective resource, see:
Assigning a role for an organization
-
Log in to Yandex Cloud Organization
using an administrator or organization owner account. -
In the left-hand panel, select
Access bindings. -
At the top right, click Assign bindings.
-
Go to the Groups tab and select the group you need or search by group name.
You can also assign a role to one of the system groups:
All users in organization X
: The group includes all users in organizationX
.All users in federation N
: The group includes all users in federationN
.
-
Click
Add role and select the role for the organization you want to assign to the group. You can assign multiple roles. -
Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
yc organization-manager organization add-access-binding \ --subject group:<group_ID> \ --role <role_ID> \ --organization-users <organization_ID> \ --federation-users <federation_ID>
To assign a role to one of the system groups, instead of the
--subject
parameter, use--organization-users <organization_ID>
or--federation-users <federation_ID>
. In the parameter, provide the ID of the organization or identity federation, respectively, to all the users you want to assign the role to.You can also assign a role to a system group using the
--subject
parameter. To do this, provide in it the subject ID matching the selected system group. -
Make sure the requested permissions are granted:
yc organization-manager organization list-access-bindings <organization_ID>
A response contains a list of all roles assigned to users and groups in the organization:
+------------------------------------------+--------------+----------------------+ | ROLE ID | SUBJECT TYPE | SUBJECT ID | +------------------------------------------+--------------+----------------------+ | organization-manager.admin | userAccount | ajev1p2345lj******** | | organization-manager.organizations.owner | userAccount | ajev1p2345lj******** | | editor | group | ajev1p2345lj******** | | viewer | group | ajev1p2345lj******** | +------------------------------------------+--------------+----------------------+
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Add the resource parameters to the configuration file and specify the required role and group:
resource "yandex_organizationmanager_organization_iam_member" "users-editors" { organization_id = "<cloud_ID>" role = "<role_ID>" member = "group:<group_ID>" }
Where:
-
organization_id
: Cloud ID. This is a required parameter. -
role
: Role you want to assign. This is a required parameter. -
member
: Group the role is assigned to. Use this format:group:<group_ID>
. This is a required parameter.To assign a role to one of the system groups, specify the following in the
member
parameter:system:group:organization:<organization_ID>:users
: To assign a role to theAll users in organization X
system group.system:group:federation:<federation_ID>:users
: To assign a role to theAll users in federation N
system group.
For more information about the
yandex_organizationmanager_organization_iam_member
resource parameters, see the provider documentation . -
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console
or this CLI command:yc resource-manager folder list-access-bindings <folder_name_or_ID>
-