Contact UsGet started

Setting up cloud access permissions

Written by
Updated at April 22, 2025

To grant a user access to cloud resources, assign the user a role for the cloud.

Assigning a role for a cloud

  1. In the management console, select a cloud.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select User accounts.
  5. Select a user from the list or search by user.
  6. Click Add role and select the role from the list or use the search bar.
  7. Click Save.

  1. View a description of the command to assign a role for a cloud:

    yc resource-manager cloud add-access-binding --help

  2. Get a list of available clouds:

    yc resource-manager cloud list

    Result:

    +----------------------+----------+
|          ID          |   NAME   |
+----------------------+----------+
| b1gg8sgd16g7******** | my-cloud |
+----------------------+----------+

  3. Get a list of available roles:

    yc iam role list

    Result:

    +--------------------------------+-------------+
|               ID               | DESCRIPTION |
+--------------------------------+-------------+
| admin                          |             |
| compute.images.user            |             |
| editor                         |             |
| ...                            |             |
+--------------------------------+-------------+

  4. Find out the user ID from the login or email address.

    yc iam user-account get test-user

    Result:

    id: gfei8n54hmfh********
yandex_passport_user_account:
    login: test-user
    default_email: test-user@yandex.ru

  5. Assign the editor role for my-cloud to test-user. In the subject, specify the userAccount type and user ID:

    yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject userAccount:<user_ID>

To assign a role to a service account, user group, or system group instead of a user, see these examples.

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

  1. Describe the cloud access permission parameters in the configuration file:

    • cloud_id: Cloud ID. You can get a list of available clouds using the CLI command: yc resource-manager cloud list.
    • role: Role to assign. You can get a list of roles using the CLI command: yc iam role list. In one yandex_resourcemanager_cloud_iam_member resource, only one role can be assigned.
    • member: User or group to assign the role to. Each yandex_resourcemanager_cloud_iam_member resource may have one of the following values:

    Here is an example of the configuration file structure:

    data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "editor"
  member   = "userAccount:<user_ID>"
}

    For more information about the yandex_resourcemanager_cloud_iam_member resource parameters in Terraform, see the provider documentation.

  2. In the command line, go to the folder where you created the configuration file.

  3. Make sure the configuration file is correct using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  4. Run this command:

    terraform plan

    The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes into the terminal and press Enter.

    This will assign access permissions for the cloud.

Use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.

You will need the cloud ID and the ID of the user who is assigned the role for the cloud.

  1. Find out the cloud ID using the list REST API method:

    curl \
  --header "Authorization: Bearer <IAM_token>" \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds

    Result:

    {
 "clouds": [
  {
   "id": "b1gg8sgd16g7********",
   "createdAt": "2018-09-23T12:14:45Z",
   "name": "cloud-b1gg8sgd16g7qc"
  }
 ]
}

  2. Find out the user ID by login using the getByLogin REST API method:

    curl \
  --header "Authorization: Bearer <IAM_token>" \
  https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user

    Result:

    {
 "id": "gfei8n54hmfh********",
 "yandexPassportUserAccount": {
  "login": "test-user",
  "defaultEmail": "test-user@yandex.ru"
 }
}

  3. Assign the editor role for my-cloud to the user. In the action property, enter ADD and specify the userAccount type and user ID under subject.

    curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
          "roleId": "editor",
          "subject": {
              "id": "<user_ID>",
              "type": "userAccount"
  }}}]}' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings

Assigning multiple roles

  1. In the management console, select a cloud.
  2. Click the Access bindings tab.
  3. Click Assign bindings.
  4. In the Configure access bindings window, click Select user.
  5. Select a user from the list or search for a user.
  6. Click Add role.
  7. Select a role in the cloud.
  8. Use the Add role button to add another role.
  9. Click Save.

The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-binding command.

Alert

The set-access-binding method completely rewrites access permissions for the resource! All current roles for the resource will be deleted.

  1. Make sure the resource has no roles assigned that you would not want to lose:

    yc resource-manager cloud list-access-binding my-cloud

  2. For example, assign a role to multiple users:

    yc resource-manager cloud set-access-bindings my-cloud \
  --access-binding role=editor,subject=userAccount:<user_1_ID>
  --access-binding role=viewer,subject=userAccount:<user_2_ID>

To assign a role to a service account, user group, or system group instead of a user, see these examples.

  1. Describe the cloud access permission parameters in the configuration file. Assign the editor role to one user and the viewer role to another user:

    data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "editor"
  member   = "userAccount:<user_1_ID>"
}

resource "yandex_resourcemanager_cloud_iam_member" "viewer" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "viewer"
  member   = "userAccount:<user_2_ID>"
}

  2. In the command line, go to the folder where you created the configuration file.

  3. Make sure the configuration file is correct using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  4. Run this command:

    terraform plan

    The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes into the terminal and press Enter.

    This will assign access permissions for the cloud.

Assign the editor role to one user and the viewer role to another user:

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
          "roleId": "editor",
          "subject": {
              "id": "<user_1_ID>",
              "type": "userAccount"
          }
      }
  },{
      "action": "ADD",
      "accessBinding": {
          "roleId": "viewer",
          "subject": {
              "id": "<user_2_ID>",
              "type": "userAccount"
  }}}]}' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings

You can also assign roles using the setAccessBindings REST API method for the Cloud resource or the CloudService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method completely rewrites access permissions for the resource. All current roles for the resource will be deleted.

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindings": [{
      "roleId": "editor",
      "subject": { "id": "<user_1_ID>", "type": "userAccount" }
  },{
      "roleId": "viewer",
      "subject": { "id": "<user_2_ID>", "type": "userAccount" }
  }]}' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:setAccessBindings

Cloud access for service accounts

A service account can be assigned roles for any cloud and folder within the organization it belongs to.

Allow the test-sa service account to manage my-cloud and its resources:

You assign roles to a service account the same way as to a user account.

To assign a service account a role for a cloud:

  1. In the management console, on the left, select a cloud.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select Service accounts.
  5. Select a service account from the list or use the search.
  6. Click Add role and select a role.
  7. Click Save.

  1. Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:

    yc iam service-account list

    Result:

    +----------------------+----------+------------------+
|          ID          |   NAME   |   DESCRIPTION    |
+----------------------+----------+------------------+
| ajebqtreob2d******** | test-sa  | test-description |
+----------------------+----------+------------------+

  2. Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:

    yc resource-manager cloud add-access-binding my-cloud \
  --role editor \
  --subject serviceAccount:<service_account_ID>

  1. Assign the editor role to the service account:

    data "yandex_resourcemanager_cloud" "project1" {
  name = "Project 1"
}

resource "yandex_resourcemanager_cloud_iam_member" "editor" {
  cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}"
  role     = "editor"
  member   = "serviceAccount:<service_account_ID>"
}

  2. In the command line, go to the folder where you created the configuration file.

  3. Make sure the configuration file is correct using this command:

    terraform validate

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.

  4. Run this command:

    terraform plan

    The terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  5. Apply the configuration changes:

    terraform apply

  6. Confirm the changes: type yes into the terminal and press Enter.

    This will assign access permissions for the cloud.

  1. Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:

    curl \
  --header "Authorization: Bearer <IAM_token>" \
  https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********

    Result:

    {
 "serviceAccounts": [
  {
   "id": "ajebqtreob2d********",
   "folderId": "b1gvmob95yys********",
   "createdAt": "2018-10-18T13:42:40Z",
   "name": "test-sa",
   "description": "test-description"
  }
 ]
}

  2. Assign the editor role for my-cloud to the test-sa service account. In the subject property, specify the serviceAccount type and test-sa ID. In the request URL, specify the my-cloud ID as the resource:

    curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
          "roleId": "editor",
          "subject": {
              "id": "<service_account_ID>",
              "type": "serviceAccount"
  }}}]}' \
  https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings

What's next

Previous
Canceling cloud deletion
Next
Getting a cloud ID