In this article:

  • Assigning a role for a cloud
  • Assigning multiple roles
  • Cloud access for service accounts
  • What's next

Setting up cloud access permissions

Written by
Yandex Cloud
Updated at April 22, 2025

To grant a user access to cloud resources, assign the user a role for the cloud.

Assigning a role for a cloud

Management console
  1. In the management console, select a cloud.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select User accounts.
  5. Select a user from the list or search by user.
  6. Click Add role and select the role from the list or use the search bar.
  7. Click Save.

CLI

  1. View a description of the command to assign a role for a cloud:

    yc resource-manager cloud add-access-binding --help
    
  2. Get a list of available clouds:

    yc resource-manager cloud list
    

    Result:

    +----------------------+----------+
    |          ID          |   NAME   |
    +----------------------+----------+
    | b1gg8sgd16g7******** | my-cloud |
    +----------------------+----------+
    
  3. Get a list of available roles:

    yc iam role list
    

    Result:

    +--------------------------------+-------------+
    |               ID               | DESCRIPTION |
    +--------------------------------+-------------+
    | admin                          |             |
    | compute.images.user            |             |
    | editor                         |             |
    | ...                            |             |
    +--------------------------------+-------------+
    
  4. Find out the user ID from the login or email address:

    yc iam user-account get test-user
    

    Result:

    id: gfei8n54hmfh********
    yandex_passport_user_account:
        login: test-user
        default_email: test-user@yandex.ru
    
  5. Assign the editor role for my-cloud to test-user. In the subject, specify the userAccount type and user ID:

    yc resource-manager cloud add-access-binding my-cloud \
      --role editor \
      --subject userAccount:<user_ID>
    

To assign a role to a service account, user group, or system group instead of a user, see these examples.

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Describe the cloud access permission parameters in the configuration file:

    • cloud_id: Cloud ID. You can get a list of available clouds using the CLI command: yc resource-manager cloud list.
    • role: Role to assign. You can get a list of roles using the CLI command: yc iam role list. In one yandex_resourcemanager_cloud_iam_member resource, only one role can be assigned.
    • member: User or group to assign the role to. Each yandex_resourcemanager_cloud_iam_member resource may have one of the following values:
      • userAccount:<user_ID>: User ID.
      • serviceAccount:<service_account_ID>: Service account ID.
      • federatedUser:<federated_account_ID>: Federated account ID.
      • system:group:organization:<organization_ID>:users: Organization ID to assign a role to the All users in organization X system group.
      • system:group:federation:<federation_ID>:users: Identity federation ID to assign a role to the All users in federation N system group.

    Here is an example of the configuration file structure:

    data "yandex_resourcemanager_cloud" "project1" {
      name = "Project 1"
    }
    
    resource "yandex_resourcemanager_cloud_iam_member" "editor" {
      cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
      role     = "editor"
      member   = "userAccount:<user_ID>"
    }
    

    For more information about the yandex_resourcemanager_cloud_iam_member resource parameters in Terraform, see the provider documentation.

  2. In the command line, go to the folder where you created the configuration file.

  3. Make sure the configuration file is correct using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  4. Run this command:

    terraform plan
    

    The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply
    
  6. Confirm the changes: type yes into the terminal and press Enter.

    This will assign access permissions for the cloud.

API

Use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.
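The `member` values listed in step 1 each encode a subject type and an ID, and two of them (the `system:group:...` forms) grant the role to every account in an organization or identity federation at once. The Python script below is an added example, not part of the Yandex Cloud documentation or of the Terraform provider: it parses the five member formats into (subject kind, ID) pairs and flags any `yandex_resourcemanager_cloud_iam_member` assignment that hands a broad system group a privileged role. The sample assignments are constructed, and treating `admin` and `editor` as the privileged roles is an assumption made for this review.

```python
import re

# The five member formats accepted by yandex_resourcemanager_cloud_iam_member,
# each paired with a regular expression that captures the embedded ID.
MEMBER_FORMATS = [
    ("userAccount", re.compile(r"^userAccount:(?P<id>[^:]+)$")),
    ("serviceAccount", re.compile(r"^serviceAccount:(?P<id>[^:]+)$")),
    ("federatedUser", re.compile(r"^federatedUser:(?P<id>[^:]+)$")),
    ("organization-users", re.compile(r"^system:group:organization:(?P<id>[^:]+):users$")),
    ("federation-users", re.compile(r"^system:group:federation:(?P<id>[^:]+):users$")),
]

# System groups cover every account in the organization or federation, not one principal.
BROAD_SUBJECT_KINDS = {"organization-users", "federation-users"}

# Assumption for this review: roles that should never be granted to a whole system group.
PRIVILEGED_ROLES = {"admin", "editor"}


def parse_member(member):
    """Split a member string into (subject kind, ID); raise ValueError if no format matches."""
    for kind, pattern in MEMBER_FORMATS:
        match = pattern.match(member)
        if match:
            return kind, match.group("id")
    raise ValueError(f"unrecognised member format: {member!r}")


def is_valid_member(member):
    """True if `member` is written in one of the accepted formats."""
    try:
        parse_member(member)
        return True
    except ValueError:
        return False


def review_assignments(assignments):
    """Return one finding per (role, member) pair that gives a broad group a privileged role."""
    findings = []
    for role, member in assignments:
        kind, ident = parse_member(member)
        if kind in BROAD_SUBJECT_KINDS and role in PRIVILEGED_ROLES:
            findings.append(f"{role} is granted to all {kind.replace('-', ' ')} of {ident}")
    return findings


# Constructed sample: role/member pairs as they would appear in cloud_iam_member resources.
SAMPLE_ASSIGNMENTS = [
    ("editor", "userAccount:<user_ID>"),
    ("viewer", "system:group:organization:<organization_ID>:users"),
    ("editor", "system:group:federation:<federation_ID>:users"),
    ("compute.images.user", "serviceAccount:<service_account_ID>"),
]

if __name__ == "__main__":
    for finding in review_assignments(SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```

Feed it the `role`/`member` pairs from your configuration before `terraform apply`; a `ValueError` means a member string that the provider would reject as well, and a finding means a role that every user in an organization or federation would receive.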

You will need the cloud ID and the ID of the user who is assigned the role for the cloud.

  1. Find out the cloud ID using the list REST API method:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds
    

    Result:

    {
     "clouds": [
      {
       "id": "b1gg8sgd16g7********",
       "createdAt": "2018-09-23T12:14:45Z",
       "name": "cloud-b1gg8sgd16g7qc"
      }
     ]
    }
    
  2. Find out the user ID by login using the getByLogin REST API method:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
    

    Result:

    {
     "id": "gfei8n54hmfh********",
     "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
     }
    }
    
  3. Assign the editor role for my-cloud to the user. In the action property, enter ADD and specify the userAccount type and user ID under subject.

    curl \
      --request POST \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer <IAM_token>" \
      --data '{
      "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
              "roleId": "editor",
              "subject": {
                  "id": "<user_ID>",
                  "type": "userAccount"
      }}}]}' \
      https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
    

Assigning multiple roles

Management console
  1. In the management console, select a cloud.
  2. Click the Access bindings tab.
  3. Click Assign bindings.
  4. In the Configure access bindings window, click Select user.
  5. Select a user from the list or search for a user.
  6. Click Add role.
  7. Select a role in the cloud.
  8. Use the Add role button to add another role.
  9. Click Save.

CLI

The add-access-binding command adds only one role per call. To assign multiple roles at once, use the set-access-bindings command.

Alert

The set-access-bindings command completely rewrites the access permissions for the resource! All roles currently assigned to the resource will be deleted.

  1. Make sure the resource has no roles assigned that you would not want to lose:

    yc resource-manager cloud list-access-bindings my-cloud
    
  2. For example, assign a role to multiple users:

    yc resource-manager cloud set-access-bindings my-cloud \
      --access-binding role=editor,subject=userAccount:<user_1_ID> \
      --access-binding role=viewer,subject=userAccount:<user_2_ID>
    

To assign a role to a service account, user group, or system group instead of a user, see these examples.

Terraform

  1. Describe the cloud access permission parameters in the configuration file. Assign the editor role to one user and the viewer role to another user:

    data "yandex_resourcemanager_cloud" "project1" {
      name = "Project 1"
    }
    
    resource "yandex_resourcemanager_cloud_iam_member" "editor" {
      cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
      role     = "editor"
      member   = "userAccount:<user_1_ID>"
    }
    
    resource "yandex_resourcemanager_cloud_iam_member" "viewer" {
      cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
      role     = "viewer"
      member   = "userAccount:<user_2_ID>"
    }
    
  2. In the command line, go to the folder where you created the configuration file.

  3. Make sure the configuration file is correct using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  4. Run this command:

    terraform plan
    

    The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply
    
  6. Confirm the changes: type yes into the terminal and press Enter.

    This will assign access permissions for the cloud.

API

Assign the editor role to one user and the viewer role to another user:

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
          "roleId": "editor",
          "subject": {
              "id": "<user_1_ID>",
              "type": "userAccount"
          }
      }
  },{
      "action": "ADD",
      "accessBinding": {
          "roleId": "viewer",
          "subject": {
              "id": "<user_2_ID>",
              "type": "userAccount"
  }}}]}' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings

You can also assign roles using the setAccessBindings REST API method for the Cloud resource or the CloudService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method completely rewrites access permissions for the resource. All current roles for the resource will be deleted.

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindings": [{
      "roleId": "editor",
      "subject": { "id": "<user_1_ID>", "type": "userAccount" }
  },{
      "roleId": "viewer",
      "subject": { "id": "<user_2_ID>", "type": "userAccount" }
  }]}' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:setAccessBindings
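Both alerts above (for `set-access-bindings` in the CLI and `setAccessBindings` in the API) warn that a set call replaces every binding on the cloud. The Python script below is an added example, not part of the Yandex Cloud documentation: it takes the cloud's current bindings (the `accessBindings` list that listAccessBindings returns) and the bindings you want to end up with, reports which existing grants a set call would silently drop, and produces the minimal `accessBindingDeltas` payload for the non-destructive `updateAccessBindings` method instead. The sample bindings and the `<owner_user_ID>` placeholder are constructed; `REMOVE` is the API's counterpart to the `ADD` action shown above.

```python
import json

# Constructed sample: what listAccessBindings currently returns for the cloud.
# The admin binding for the cloud owner is the one a blind setAccessBindings call would erase.
CURRENT_BINDINGS = [
    {"roleId": "admin", "subject": {"id": "<owner_user_ID>", "type": "userAccount"}},
    {"roleId": "editor", "subject": {"id": "<user_1_ID>", "type": "userAccount"}},
]

# Constructed sample: the two bindings from the "Assigning multiple roles" section.
DESIRED_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "<user_1_ID>", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "<user_2_ID>", "type": "userAccount"}},
]


def binding_key(binding):
    """Identity of a binding: the role plus the subject's type and ID."""
    return (binding["roleId"], binding["subject"]["type"], binding["subject"]["id"])


def compute_deltas(current, desired):
    """Return updateAccessBindings deltas that turn `current` into `desired`.

    ADD entries are emitted for bindings missing from the cloud, REMOVE entries
    for bindings that exist but are not wanted; unchanged bindings produce nothing.
    """
    cur = {binding_key(b): b for b in current}
    des = {binding_key(b): b for b in desired}
    deltas = []
    for key in sorted(des.keys() - cur.keys()):
        deltas.append({"action": "ADD", "accessBinding": des[key]})
    for key in sorted(cur.keys() - des.keys()):
        deltas.append({"action": "REMOVE", "accessBinding": cur[key]})
    return deltas


def bindings_lost_by_set(current, desired):
    """Bindings that setAccessBindings would silently drop if called with `desired`."""
    wanted = {binding_key(b) for b in desired}
    return [b for b in current if binding_key(b) not in wanted]


def build_update_request(cloud_id, deltas):
    """URL and JSON body (as a dict) for the updateAccessBindings REST method."""
    url = (
        "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/"
        f"{cloud_id}:updateAccessBindings"
    )
    return url, {"accessBindingDeltas": deltas}


if __name__ == "__main__":
    for b in bindings_lost_by_set(CURRENT_BINDINGS, DESIRED_BINDINGS):
        subject = b["subject"]
        print(f"setAccessBindings would remove: {b['roleId']} for {subject['type']}:{subject['id']}")
    deltas = compute_deltas(CURRENT_BINDINGS, DESIRED_BINDINGS)
    url, body = build_update_request("b1gg8sgd16g7********", deltas)
    print(url)
    print(json.dumps(body, indent=2))
```

Send `body` with the same `curl` invocation as the updateAccessBindings step above (POST, JSON content type, bearer IAM token). If the REMOVE entries contain a binding you did not expect, that is exactly the grant a set call would have dropped; add it to `DESIRED_BINDINGS` and rerun until the delta list contains only intended changes.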

Cloud access for service accounts

A service account can be assigned roles for any cloud and folder within the organization it belongs to.

Allow the test-sa service account to manage my-cloud and its resources:

Management console

You assign roles to a service account the same way as to a user account.

To assign a service account a role for a cloud:

  1. In the management console, on the left, select a cloud.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select Service accounts.
  5. Select a service account from the list or use the search.
  6. Click Add role and select a role.
  7. Click Save.

CLI

  1. Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:

    yc iam service-account list
    

    Result:

    +----------------------+----------+------------------+
    |          ID          |   NAME   |   DESCRIPTION    |
    +----------------------+----------+------------------+
    | ajebqtreob2d******** | test-sa  | test-description |
    +----------------------+----------+------------------+
    
  2. Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:

    yc resource-manager cloud add-access-binding my-cloud \
      --role editor \
      --subject serviceAccount:<service_account_ID>

Terraform

  1. Assign the editor role to the service account:

    data "yandex_resourcemanager_cloud" "project1" {
      name = "Project 1"
    }
    
    resource "yandex_resourcemanager_cloud_iam_member" "editor" {
      cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
      role     = "editor"
      member   = "serviceAccount:<service_account_ID>"
    }
    
  2. In the command line, go to the folder where you created the configuration file.

  3. Make sure the configuration file is correct using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  4. Run this command:

    terraform plan
    

    The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply
    
  6. Confirm the changes: type yes into the terminal and press Enter.

    This will assign access permissions for the cloud.

API

  1. Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********
    

    Result:

    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2d********",
       "folderId": "b1gvmob95yys********",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "test-sa",
       "description": "test-description"
      }
     ]
    }
    
  2. Assign the editor role for my-cloud to the test-sa service account. In the subject property, specify the serviceAccount type and test-sa ID. In the request URL, specify the my-cloud ID as the resource:

    curl \
      --request POST \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer <IAM_token>" \
      --data '{
      "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
              "roleId": "editor",
              "subject": {
                  "id": "<service_account_ID>",
                  "type": "serviceAccount"
      }}}]}' \
      https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
    

What's next

  • Creating a folder
  • Setting up folder access permissions
  • Yandex Cloud resource hierarchy
