Setting up cloud access permissions
To grant a user access to cloud resources, assign the user a role for the cloud.
Assigning a role for a cloud
- In the management console, select a cloud.
- Go to the Access bindings tab.
- Click Configure access.
- In the window that opens, select User accounts.
- Select a user from the list or search by user.
- Click Add role and select the role from the list or use the search bar.
- Click Save.
-
View a description of the command to assign a role for a cloud:
yc resource-manager cloud add-access-binding --help -
Get a list of available clouds:
yc resource-manager cloud listResult:
+----------------------+----------+ | ID | NAME | +----------------------+----------+ | b1gg8sgd16g7******** | my-cloud | +----------------------+----------+ -
Get a list of available roles:
yc iam role listResult:
+--------------------------------+-------------+ | ID | DESCRIPTION | +--------------------------------+-------------+ | admin | | | compute.images.user | | | editor | | | ... | | +--------------------------------+-------------+ -
Find out the user ID from the login or email address.
yc iam user-account get test-userResult:
id: gfei8n54hmfh******** yandex_passport_user_account: login: test-user default_email: test-user@yandex.ru -
Assign the
editorrole for themy-cloudcloud totest-user. In the subject, specify theuserAccounttype and user ID:yc resource-manager cloud add-access-binding my-cloud \ --role editor \ --subject userAccount:<user_ID>
To assign a role to a service account, user group, or system group instead of a user, see these examples.
If you don't have Terraform, install it and configure the Yandex Cloud provider.
-
Describe the cloud access permission parameters in the configuration file:
cloud_id: Cloud ID. You can get a list of available clouds using the CLI command:yc resource-manager cloud list.role: Role to assign. You can get a list of roles using the CLI command:yc iam role list. In oneyandex_resourcemanager_cloud_iam_memberresource, only one role can be assigned.member: User or group to assign the role to. Eachyandex_resourcemanager_cloud_iam_memberresource may have one of the following values:userAccount:<user_ID>: User ID.serviceAccount:<service_account_ID>: Service account ID.federatedUser:<federated_account_ID>: Federated account ID.system:group:organization:<organization_ID>:users: ID of the organization to assign a role to theAll users in organization Xsystem group.system:group:federation:<federation_ID>:users: ID of the identity federation to assign a role to theAll users in federation Nsystem group.
Here is an example of the configuration file structure:
data "yandex_resourcemanager_cloud" "project1" { name = "Project 1" } resource "yandex_resourcemanager_cloud_iam_member" "editor" { cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}" role = "editor" member = "userAccount:<user_ID>" }For more information about the
yandex_resourcemanager_cloud_iam_memberresource parameters in Terraform, see the provider documentation. -
In the command line, go to the folder where you created the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planThe terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesinto the terminal and press Enter.This will assign access permissions for the cloud.
Use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.
You will need the cloud ID and the ID of the user who is assigned the role for the cloud.
-
Find out the cloud ID using the list REST API method:
curl \ --header "Authorization: Bearer <IAM_token>" \ https://resource-manager.api.cloud.yandex.net/resource-manager/v1/cloudsResult:
{ "clouds": [ { "id": "b1gg8sgd16g7********", "createdAt": "2018-09-23T12:14:45Z", "name": "cloud-b1gg8sgd16g7qc" } ] } -
Find out the user ID by login using the getByLogin REST API method:
curl \ --header "Authorization: Bearer <IAM_token>" \ https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-userResult:
{ "id": "gfei8n54hmfh********", "yandexPassportUserAccount": { "login": "test-user", "defaultEmail": "test-user@yandex.ru" } } -
Assign the
editorrole for themy-cloudcloud to the user. In theactionproperty, enterADDand specify theuserAccountuser type and ID undersubject.curl \ --request POST \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer <IAM_token>" \ --data '{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "<user_ID>", "type": "userAccount" }}}]}' \ https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
Assigning multiple roles
- In the management console, select a cloud.
- Click the Access bindings tab.
- Click Assign bindings.
- In the Configure access bindings window, click Select user.
- Select a user from the list or search for a user.
- Click Add role.
- Select a role in the cloud.
- Use the Add role button to add another role.
- Click Save.
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-binding command.
Alert
The set-access-binding method completely rewrites access permissions for the resource! All current resource roles will be deleted.
-
Make sure the resource has no roles assigned that you would not want to lose:
yc resource-manager cloud list-access-binding my-cloud -
For example, assign a role to multiple users:
yc resource-manager cloud set-access-bindings my-cloud \ --access-binding role=editor,subject=userAccount:<first_user_ID> --access-binding role=viewer,subject=userAccount:<second_user_ID>
To assign a role to a service account, user group, or system group instead of a user, see these examples.
-
Describe the cloud access permission parameters in the configuration file. Assign the
editorrole to one user and theviewerrole to another:data "yandex_resourcemanager_cloud" "project1" { name = "Project 1" } resource "yandex_resourcemanager_cloud_iam_member" "editor" { cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}" role = "editor" member = "userAccount:<first_user_ID>" } resource "yandex_resourcemanager_cloud_iam_member" "viewer" { cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}" role = "viewer" member = "userAccount:<second_user_ID>" } -
In the command line, go to the folder where you created the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planThe terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesinto the terminal and press Enter.This will assign access permissions for the cloud.
Assign the editor role to one user and the viewer role to another:
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "editor",
"subject": {
"id": "<first_user_ID>",
"type": "userAccount"
}
}
},{
"action": "ADD",
"accessBinding": {
"roleId": "viewer",
"subject": {
"id": "<second_user_ID>",
"type": "userAccount"
}}}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings
You can also assign roles using the setAccessBindings REST API method for the Cloud resource or the CloudService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method completely rewrites access permissions for the resource. All current resource roles will be deleted.
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{
"accessBindings": [{
"roleId": "editor",
"subject": { "id": "<first_user_ID>", "type": "userAccount" }
},{
"roleId": "viewer",
"subject": { "id": "<second_user_ID>", "type": "userAccount" }
}]}' \
https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:setAccessBindings
Cloud access for service accounts
A service account can be assigned roles for any cloud and folder within the organization it belongs to.
Allow the test-sa service account to manage my-cloud and its resources:
You assign roles to a service account the same way as to a user account.
To assign a service account a role for a cloud:
- In the management console, on the left, select a cloud.
- Go to the Access bindings tab.
- Click Configure access.
- In the window that opens, select Service accounts.
- Select a service account from the list or use the search.
- Click Add role and select a role.
- Click Save.
-
Find out the ID of the
test-saservice account you want to assign the role to. To do this, get a list of available service accounts:yc iam service-account listResult:
+----------------------+----------+------------------+ | ID | NAME | DESCRIPTION | +----------------------+----------+------------------+ | ajebqtreob2d******** | test-sa | test-description | +----------------------+----------+------------------+ -
Assign the
editorrole to thetest-saservice account by specifying its ID. In the subject type, specifyserviceAccount:yc resource-manager cloud add-access-binding my-cloud \ --role editor \ --subject serviceAccount:<service_account_ID>
-
Assign the
editorrole to the service account:data "yandex_resourcemanager_cloud" "project1" { name = "Project 1" } resource "yandex_resourcemanager_cloud_iam_member" "editor" { cloud_id = "${data.yandex_resourcemanager_cloud.project1.id}" role = "editor" member = "serviceAccount:<service_account_ID>" } -
In the command line, go to the folder where you created the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validateIf the configuration is correct, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planThe terminal displays a list of resources to be created and their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
-
Apply the configuration changes:
terraform apply -
Confirm the changes: type
yesinto the terminal and press Enter.This will assign access permissions for the cloud.
-
Find out the ID of the
test-saservice account you want to assign the role to. To do this, get a list of available service accounts:curl \ --header "Authorization: Bearer <IAM_token>" \ https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********Result:
{ "serviceAccounts": [ { "id": "ajebqtreob2d********", "folderId": "b1gvmob95yys********", "createdAt": "2018-10-18T13:42:40Z", "name": "test-sa", "description": "test-description" } ] } -
Assign the
editorrole formy-cloudto thetest-saservice account. In thesubjectproperty, specify theserviceAccounttype andtest-saID. In the request URL, specify themy-cloudID as the resource:curl \ --request POST \ --header 'Content-Type: application/json' \ --header "Authorization: Bearer <IAM_token>" \ --data '{ "accessBindingDeltas": [{ "action": "ADD", "accessBinding": { "roleId": "editor", "subject": { "id": "<service_account_ID>", "type": "serviceAccount" }}}]}' \ https://resource-manager.api.cloud.yandex.net/resource-manager/v1/clouds/b1gg8sgd16g7********:updateAccessBindings