Assigning a role to a user group
Assign a role to a user group to grant access to a resource. To grant group access permissions to a subject, see Subjects that roles are assigned to.
In Yandex Cloud Organization, you can assign a group a role for an organization, cloud, folder, another group, or service account.
Assigning a role for a cloud or folder
-
Log in
as the organization administrator or owner. -
Go to Yandex Cloud Organization
. -
In the left-hand panel, select
Access bindings . -
At the top right, click Assign bindings.
-
Go to the Groups tab and select the group you need or search by group name.
You can also assign a role to one of the system groups:
All users in organization X
: Includes all users in theX
organization.All users in federation N
: Includes all users in theN
organization.
-
Click Add role and select the role in the cloud or folder. You can assign multiple roles.
-
Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
Select a role from the Yandex Cloud role reference.
-
Assign the role using the command:
yc <service_name> <resource> add-access-binding <resource_name_or_ID> \ --role <role_ID> \ --subject group:<group_ID>
Where:
-
<service_name>
: Name of the service whose resource requires a role for access, e.g.,resource-manager
. -
<resource>
: Resource category, e.g.,cloud
. -
<resource_name_or_ID>
: Name or ID of the resource. You can specify the resource name or ID. -
--role
: Role ID, e.g.,resource-manager.clouds.owner
. -
--subject group
: ID of the group to which the role is assigned.To assign a role to one of the system groups, instead of using the
--subject
parameter, use the--organization-users <organization_ID>
or--federation-users <federation_ID>
parameter, providing in it the ID of the organization or identity federation, respectively, to the users of which you want to assign the role.You can also assign a role to a system group using the
--subject
parameter. To do this, provide in it the subject ID matching the selected system group.
For example, here is how you can assign the
resource-manager.viewer
role for themycloud
cloud:yc resource-manager cloud add-access-binding mycloud \ --role resource-manager.viewer \ --subject group:aje6o61dvog2********
-
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Add the resource parameters to the configuration file and specify the required role and group:
resource "yandex_resourcemanager_cloud_iam_member" "admin" { cloud_id = "<cloud_ID>" role = "<role_ID>" member = "group:<group_ID>" }
Where:
-
cloud_id
: Cloud ID. You can also assign a role within an individual folder. To do this, specifyfolder_id
instead ofcloud_id
and the required folder ID in the resource parameters. -
role
: Role being assigned. This is a required parameter. -
member
: Group the role is assigned to. It should be specified ingroup:<group_ ID>
format. This is a required parameter.To assign a role to one of the system groups, specify the following in the
member
parameter:system:group:organization:<organization_ID>:users
: To assign a role to theAll users in organization X
system group.system:group:federation:<federation_ID>:users
: To assign a role to theAll users in federation N
system group.
For more information about the
yandex_resourcemanager_cloud_iam_member
resource parameters, see the provider documentation . -
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console
or this CLI command:terraform plan
If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
-
-
Deploy cloud resources.
-
If the configuration does not contain any errors, run this command:
terraform apply
-
Confirm creating the resources: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console
or this CLI command:yc resource-manager folder list-access-bindings <folder_name_or_ID>
-
Use the updateAccessBindings
REST API method for the respective resource.
-
Select a role from the Yandex Cloud role reference.
-
Create the request body, for example, in the
body.json
file. Set theaction
property toADD
and specify thegroup
type and group ID in thesubject
property:body.json:
{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "<group_ID>", "type": "group" } } } ] }
-
Assign a role to a service account. For example, for a folder with the
b1gvmob95yys********
ID:export FOLDER_ID=b1gvmob95yys******** export IAM_TOKEN=CggaAT******** curl -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer ${IAM_TOKEN}" \ -d '@body.json' \ "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
To learn how to assign a role for the respective resource, see:
Assigning a role for an organization
-
Log in
as the organization administrator or owner. -
Go to Yandex Cloud Organization
. -
In the left-hand panel, select
Access bindings . -
At the top right, click Assign bindings.
-
Go to the Groups tab and select the group you need or search by group name.
You can also assign a role to one of the system groups:
All users in organization X
: Includes all users in theX
organization.All users in federation N
: Includes all users in theN
organization.
-
Click Add role and select the role in the organization. You can assign multiple roles.
-
Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
-
yc organization-manager organization add-access-binding \ --subject=group:<group_ID> \ --role=<role_ID> \ <organization_ID>
To assign a role to one of the system groups, instead of using the
--subject
parameter, use the--organization-users <organization_ID>
or--federation-users <federation_ID>
parameter, providing in it the ID of the organization or identity federation, respectively, to the users of which you want to assign the role.You can also assign a role to a system group using the
--subject
parameter. To do this, provide in it the subject ID matching the selected system group. -
Make sure the requested rights are granted:
yc organization-manager organization list-access-bindings <organization_ID>
A response contains a list of all roles assigned to users and groups in the organization:
+------------------------------------------+--------------+----------------------+ | ROLE ID | SUBJECT TYPE | SUBJECT ID | +------------------------------------------+--------------+----------------------+ | organization-manager.admin | userAccount | ajev1p2345lj******** | | organization-manager.organizations.owner | userAccount | ajev1p2345lj******** | | editor | group | ajev1p2345lj******** | | viewer | group | ajev1p2345lj******** | +------------------------------------------+--------------+----------------------+
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Add the resource parameters to the configuration file and specify the required role and group:
resource "yandex_organizationmanager_organization_iam_member" "users-editors" { organization_id = "<cloud_ID>" role = "<role_ID>" member = "group:<group_ID>" }
Where:
-
organization_id
: Cloud ID. This is a required parameter. -
role
: Role being assigned. This is a required parameter. -
member
: Group the role is assigned to. It should be specified ingroup:<group_ ID>
format. This is a required parameter.To assign a role to one of the system groups, specify the following in the
member
parameter:system:group:organization:<organization_ID>:users
: To assign a role to theAll users in organization X
system group.system:group:federation:<federation_ID>:users
: To assign a role to theAll users in federation N
system group.
For more information about the
yandex_organizationmanager_organization_iam_member
resource parameters, see the provider documentation . -
-
Create resources:
-
In the terminal, change to the folder where you edited the configuration file.
-
Make sure the configuration file is correct using the command:
terraform validate
If the configuration is correct, the following message is returned:
Success! The configuration is valid.
-
Run the command:
terraform plan
The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply
-
Confirm the changes: type
yes
in the terminal and press Enter.
All the resources you need will then be created in the specified folder. You can check the new resource using the management console
or this CLI command:yc resource-manager folder list-access-bindings <folder_name_or_ID>
-