Yandex project
© 2025 Yandex.Cloud LLC

Setting up folder access permissions

Written by
Yandex Cloud
Updated at April 22, 2025
  • Assigning a role for a folder
  • Assigning multiple roles
  • Folder access for a service account
  • Folder access for a federated user
  • What's next

To grant a user access to folder resources, assign the user a role for the folder.

Note

To enable a user to access the management console, assign them a role for the cloud or organization. For added security, you can assign one of the least privileged roles, such as resource-manager.clouds.member. However, you may also assign other roles if you know which permissions you want to grant to the invited users.

To grant these permissions to all the organization users at once, assign the role to the All users in organization X system group. When using the CLI or API, no additional roles are required.

Assigning a role for a folder

Management console
  1. In the management console, go to the relevant folder.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select User accounts.
  5. Select a user from the list or search by user.
  6. Click Add role and select the role from the list or use the search bar.
  7. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. View the description of the command to assign a role for a folder:

    yc resource-manager folder add-access-binding --help
    
  2. Select a folder, e.g., my-folder:

    yc resource-manager folder list
    

    Result:

    +----------------------+-----------+--------+--------+
    |          ID          |   NAME    | LABELS | STATUS |
    +----------------------+-----------+--------+--------+
    | b1gd129pp9ha******** | my-folder |        | ACTIVE |
    +----------------------+-----------+--------+--------+
    
  3. Choose the role.

    yc iam role list
    

    Result:

    +--------------------------------+-------------+
    |               ID               | DESCRIPTION |
    +--------------------------------+-------------+
    | admin                          |             |
    | compute.images.user            |             |
    | editor                         |             |
    | ...                            |             |
    +--------------------------------+-------------+
    
  4. Find out the user ID from the login or email address.

    yc iam user-account get test-user
    

    Result:

    id: gfei8n54hmfh********
    yandex_passport_user_account:
      login: test-user
      default_email: test-user@yandex.ru
    
  5. Assign the editor role to test-user for my-folder. In the subject, specify the userAccount type and user ID:

    yc resource-manager folder add-access-binding my-folder \
      --role editor \
      --subject userAccount:gfei8n54hmfh********
    

To assign a role to a service account, user group, or system group instead of a user, see these examples.

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

Alert

Do not create the resource along with yandex_resourcemanager_folder_iam_policy, since this may cause conflicts.

To assign a role to a folder created using Terraform:

  1. Describe the parameters of the folder role in a configuration file:

    • folder_id: ID of the folder to grant permissions for. This is a required parameter.

    • role: Role to assign. This is a required parameter.

      Note

      For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.

    • member: User to assign the role to. This is a required parameter. It may have one of the following values:

      • userAccount:<user_ID>: User ID.
      • serviceAccount:<service_account_ID>: Service account ID.
      • federatedUser:<user_account_ID>: User account ID.
      • system:group:organization:<organization_ID>:users: Organization ID to assign a role to the All users in organization X system group.
      • system:group:federation:<federation_ID>:users: Identity federation ID to assign a role to the All users in federation N system group.
    Example of assigning roles to a folder using Terraform
    ...
    data "yandex_resourcemanager_folder" "project1" {
      folder_id = "<folder_ID>"
    }
    
    resource "yandex_resourcemanager_folder_iam_member" "editor" {
      folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
      role      = "editor"
      member    = "userAccount:<login@yandex.ru>"
    }
    ...
    

    For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the relevant provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the folder update using the management console or this CLI command:

    yc resource-manager folder list-access-bindings <folder_name_or_ID>
    

API

Use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call. You will need the folder ID and the ID of the user to whom you want to assign the role for the folder.

  1. Find out the folder ID using the list REST API method:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders?cloudId=b1gg8sgd16g7********"
    

    Result:

    {
     "folders": [
      {
       "id": "b1g66mft1vop********",
       "cloudId": "b1gd129pp9ha********",
       "createdAt": "2018-10-17T12:44:31Z",
       "name": "my-folder",
       "status": "ACTIVE"
      }
     ]
    }
    
  2. Find out the user ID from the login using the getByLogin REST API method:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      "https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user"
    

    Result:

    {
     "id": "gfei8n54hmfh********",
     "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
     }
    }
    
  3. Assign the editor role to the user for my-folder. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

    curl \
      --request POST \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer <IAM_token>" \
      --data '{
      "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
              "roleId": "editor",
              "subject": {
                  "id": "gfei8n54hmfh********",
                  "type": "userAccount"
      }}}]}' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha********:updateAccessBindings"
    

Assigning multiple roles

Management console
  1. In the management console, go to the relevant folder.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select User accounts.
  5. Select a user from the list or search by user.
  6. Click Add role and select the role from the list or use the search bar.
  7. Repeat this step as many times as you need to add all the required roles.
  8. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-bindings command.

Alert

The set-access-bindings command completely rewrites access permissions for the resource! All current roles for the resource will be deleted.

  1. Make sure the resource has no roles assigned that you would not want to lose:

    yc resource-manager folder list-access-bindings my-folder
    
  2. For example, assign a role to multiple users:

    yc resource-manager folder set-access-bindings my-folder \
      --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
      --access-binding role=viewer,subject=userAccount:helj89sfj80a********
    

To assign a role to a service account, user group, or system group instead of a user, see these examples.

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

Alert

Do not create the resource along with yandex_resourcemanager_folder_iam_policy, since this may cause conflicts.

To assign several roles to a folder created with Terraform:

  1. Describe the parameters of the folder role in a configuration file:

    • folder_id: ID of the folder to grant permissions for. This is a required parameter.

    • role: Role to assign. This is a required parameter.

      Note

      For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.

    • member: User to assign the role to. To add a user to the list, create an entry in this format: userAccount:<user_ID>, where <user_ID> is the email address of a Yandex account, e.g., ivan@yandex.ru. This is a required parameter.

    Example of assigning roles to a folder using Terraform
    ...
    data "yandex_resourcemanager_folder" "project1" {
      folder_id = "<folder_ID>"
    }
    
    resource "yandex_resourcemanager_folder_iam_member" "editor" {
      folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
      role      = "editor"
      member    = "userAccount:<login1@yandex.ru>"
    }
    resource "yandex_resourcemanager_folder_iam_member" "operator" {
      folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
      role      = "operator"
      member    = "userAccount:<login1@yandex.ru>"
    }
    ...
    

    For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the relevant provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the folder update using the management console or this CLI command:

    yc resource-manager folder list-access-bindings <folder_name_or_ID>
    

API

Assign the editor role to one user and the viewer role to another user:

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
          "roleId": "editor",
          "subject": {
              "id": "gfei8n54hmfh********",
              "type": "userAccount"
          }
      }
  },{
      "action": "ADD",
      "accessBinding": {
          "roleId": "viewer",
          "subject": {
              "id": "helj89sfj80a********",
              "type": "userAccount"
  }}}]}' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha********:updateAccessBindings"

You can also assign roles using the setAccessBindings REST API method for the Folder resource or the FolderService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method completely rewrites access permissions for the resource. All current roles for the resource will be deleted.

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindings": [{
      "roleId": "editor",
      "subject": { "id": "ajei8n54hmfh********", "type": "userAccount" }
  },{
      "roleId": "viewer",
      "subject": { "id": "helj89sfj80a********", "type": "userAccount" }
  }]}' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/b1gd129pp9ha********:setAccessBindings"
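
The check behind the two warnings above (the CLI set-access-bindings command and the setAccessBindings method), as an added example that is not Yandex Cloud's own code: it compares the bindings a folder has now with the list about to be written, reports which ones a full rewrite would drop, and builds an additive updateAccessBindings body instead. The sample documents and every ID in them are constructed, and the current-bindings document is assumed to use the same accessBindings shape as the request body shown above.

```python
import json

# Constructed sample: bindings the folder is assumed to have today
# (IDs are made-up placeholders, not values from the page).
CURRENT_JSON = """
{"accessBindings": [
  {"roleId": "admin",  "subject": {"id": "sample-owner-id",  "type": "userAccount"}},
  {"roleId": "editor", "subject": {"id": "sample-user-a-id", "type": "userAccount"}},
  {"roleId": "viewer", "subject": {"id": "sample-robot-id",  "type": "serviceAccount"}}
]}
"""

# Constructed sample: the body someone is about to send to setAccessBindings.
DESIRED_JSON = """
{"accessBindings": [
  {"roleId": "editor", "subject": {"id": "sample-user-a-id", "type": "userAccount"}},
  {"roleId": "viewer", "subject": {"id": "sample-user-b-id", "type": "userAccount"}}
]}
"""


def binding_keys(doc):
    """Reduce a bindings document to a set of (role, subject type, subject id)."""
    keys = set()
    for binding in doc.get("accessBindings", []):
        subject = binding["subject"]
        keys.add((binding["roleId"], subject["type"], subject["id"]))
    return keys


def plan_set(current_doc, desired_doc):
    """Show what a full rewrite would do to the folder's bindings."""
    current, desired = binding_keys(current_doc), binding_keys(desired_doc)
    return {
        "kept": sorted(current & desired),
        "added": sorted(desired - current),
        "dropped": sorted(current - desired),  # silently removed by a rewrite
    }


def additive_deltas(plan):
    """Build an updateAccessBindings body that only ADDs the new bindings."""
    return {
        "accessBindingDeltas": [
            {
                "action": "ADD",
                "accessBinding": {
                    "roleId": role,
                    "subject": {"id": subject_id, "type": subject_type},
                },
            }
            for role, subject_type, subject_id in plan["added"]
        ]
    }


def main():
    plan = plan_set(json.loads(CURRENT_JSON), json.loads(DESIRED_JSON))
    for role, subject_type, subject_id in plan["dropped"]:
        print(f"WOULD BE REMOVED: {role} for {subject_type}:{subject_id}")
    print(json.dumps(additive_deltas(plan), indent=2))


if __name__ == "__main__":
    main()
```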

Folder access for a service account

Management console
  1. In the management console, select the appropriate folder.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select Service accounts.
  5. Select a service account from the list or use the search.
  6. Click Add role and select the role in the folder.
  7. Click Save.

CLI

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  2. Find out the service account ID by its name:

    yc iam service-account get my-robot
    

    Result:

    id: aje6o61dvog2********
    folder_id: b1gvmob95yys********
    created_at: "2018-10-15T18:01:25Z"
    name: my-robot
    

    If you don't know the name of the service account, get a list of service accounts with their IDs:

    yc iam service-account list
    

    Result:

    +----------------------+------------------+-----------------+
    |          ID          |       NAME       |   DESCRIPTION   |
    +----------------------+------------------+-----------------+
    | aje6o61dvog2******** | my-robot         | my description  |
    +----------------------+------------------+-----------------+
    
  3. Assign the viewer role to the my-robot service account using its ID:

    yc resource-manager folder add-access-binding my-folder \
      --role viewer \
      --subject serviceAccount:aje6o61dvog2********
    

Terraform

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

Alert

Do not create the resource along with yandex_resourcemanager_folder_iam_policy, since this may cause conflicts.

To assign a service account a role for a folder created with Terraform:

  1. Describe the parameters of the folder role in a configuration file:

    • folder_id: ID of the folder to grant permissions for. This is a required parameter.

    • role: Role to assign. This is a required parameter.

      Note

      For each role, you can only use one yandex_resourcemanager_folder_iam_member resource.

    • member: User to assign the role to. To add a user to the list, create a record in this format: serviceAccount:<service_account_ID>, where <service_account_ID> is the service account ID. You can list several service accounts. This is a required parameter.

    Example of assigning roles to a folder using Terraform
    ...
    data "yandex_resourcemanager_folder" "project1" {
      folder_id = "<folder_ID>"
    }
    
    resource "yandex_resourcemanager_folder_iam_member" "editor" {
      folder_id = "${data.yandex_resourcemanager_folder.project1.id}"
      role      = "editor"
      member    = "serviceAccount:<service_account_ID>"
    }
    ...
    

    For more information about the yandex_resourcemanager_folder_iam_member resource parameters in Terraform, see the relevant provider documentation.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    The terminal will display a list of resources with their parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

  4. Apply the configuration changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the folder update using the management console or this CLI command:

    yc resource-manager folder list-access-bindings <folder_name_or_ID>
    

API

To assign the service account a role for a cloud or folder, use the updateAccessBindings REST API method for the Cloud or Folder resource:

  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the Yandex Cloud role reference.

  2. Get the ID of the service account's folder.

  3. Get an IAM token required for authorization in the Yandex Cloud API.

  4. Get a list of folder service accounts to find out their IDs:

    export FOLDER_ID=b1gvmob95yys********
    export IAM_TOKEN=CggaATEVAgA...
    curl \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
    

    Result:

    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2d********",
       "folderId": "b1gvmob95yys********",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "my-robot",
       "description": "my description"
      }
     ]
    }
    
  5. Create the request body, e.g., in the body.json file. Set the action property to ADD and roleId to the appropriate role, such as editor, and specify the serviceAccount type and service account ID in the subject property:

    body.json:

    {
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "ajebqtreob2d********",
            "type": "serviceAccount"
          }
        }
      }]
    }
    
  6. Assign a role to a service account. For example, for a folder with the b1gvmob95yys******** ID:

    export FOLDER_ID=b1gvmob95yys********
    export IAM_TOKEN=CggaAT********
    curl \
      --request POST \
      --header "Content-Type: application/json" \
      --header "Authorization: Bearer ${IAM_TOKEN}" \
      --data '@body.json' \
      "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
    

Folder access for a federated user

Management console

The role assignment procedure is the same as for a user with a Yandex account. The user's federation name is shown next to the username.

  1. In the management console, go to the relevant folder.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. In the window that opens, select User accounts.
  5. Select a user from the list or search by user.
  6. Click Add role and select the role from the list or use the search bar.
  7. Click Save.

CLI

  1. Select a role from the Yandex Cloud role reference.

  2. Get the user ID.

  3. Assign the role using this command:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role <role_ID> \
        --subject federatedUser:<user_ID>
    

    Where:

    • <folder_name_or_ID>: Folder name or ID.
    • --role: Role ID, e.g., editor.
    • --subject: ID of the user account that gets the role.

    For example, assign the editor role to the aje6o61dvog2******** federated user for my-folder:

    yc resource-manager folder add-access-binding my-folder \
        --role editor \
        --subject federatedUser:aje6o61dvog2********
    

What's next

  • Updating a folder
  • Yandex Cloud resource hierarchy
