Yandex project
© 2025 Yandex.Cloud LLC
Access management in Virtual Private Cloud

Written by
Yandex Cloud
Updated at May 5, 2025

Virtual Private Cloud uses roles to manage access permissions.

In this section, you will learn:

  • What resources you can assign a role for.
  • What roles exist in the service.
  • What roles are required for particular actions.

Access management

Yandex Identity and Access Management checks every operation in Yandex Cloud. If the entity performing the request lacks the required permissions, the service returns an error.

To grant permissions for a resource, assign the appropriate roles for that resource to the entity performing the operations: a Yandex account, service account, federated user, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.

To assign roles for a resource, you need to have one of the following roles for that resource:

  • admin
  • resource-manager.admin
  • organization-manager.admin
  • resource-manager.clouds.owner
  • organization-manager.organizations.owner

Resources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned to organizations, clouds, and folders also apply to their nested resources.

Roles existing in this service

The roles of this service and their permission inheritance are described below (the inheritance chart from the original page is not reproduced here). A role inherits every permission of the roles it includes; for example, editor inherits all viewer permissions, and each description below ends with the roles it includes.

Service roles

vpc.auditor

The vpc.auditor role allows you to view service metadata, including information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

vpc.viewer

The vpc.viewer role allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on the quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and the info on them.
  • View the list of subnets and info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role also includes the vpc.auditor permissions.

vpc.user

The vpc.user role allows you to use cloud networks, subnets, route tables, gateways, security groups, and IP addresses, get information on these resources, as well as on the quotas and resource operations.

Users with this role can:
  • View the list of cloud networks and info on them, as well as use them.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud resource addresses and info on them, as well as use such addresses.
  • View the list of route tables and info on them, as well as use them.
  • View the list of security groups and info on them, as well as use them.
  • View information on NAT gateways and connect them to route tables.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role also includes the vpc.viewer permissions.

vpc.externalAddresses.user

The vpc.externalAddresses.user role allows you to view the list of private and public addresses of cloud resources and the information on those addresses, to use them, and to manage external network connectivity.

vpc.admin

The vpc.admin role allows you to manage cloud networks, subnets, route tables, NAT gateways, security groups, internal and public IP addresses, as well as external network connectivity.

Users with this role can:
  • View the list of cloud networks and info on them, as well as create, modify, and delete them.
  • Configure external access to cloud networks.
  • Manage connectivity of multiple cloud networks.
  • Manage multi-interface instances that provide connectivity between multiple networks.
  • View the list of subnets and info on them, as well as create, modify, and delete them.
  • View the list of route tables and info on them, as well as create, modify, and delete them.
  • Link route tables to subnets.
  • View information on NAT gateways, as well as create, modify, and delete them.
  • Connect NAT gateways to route tables.
  • View the list of security groups and info on them, as well as create, modify, and delete them.
  • Create and delete default security groups in cloud networks.
  • Create and delete security group rules, as well as edit their metadata.
  • Configure DHCP in subnets.
  • View the list of cloud resource addresses and info on them, as well as create, update, and delete internal and public IP addresses.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role also includes the vpc.privateAdmin, vpc.publicAdmin, and vpc.securityGroups.admin permissions.

vpc.bridgeAdmin

The vpc.bridgeAdmin role allows you to use subnets and manage connectivity of multiple cloud networks. This role also allows you to view information on cloud networks, subnets, route tables, gateways, security groups, and IP addresses, as well as on service quotas and resource operations.

Users with this role can:
  • Manage connectivity of multiple cloud networks.
  • View the list of subnets and info on them, as well as use them.
  • View the list of cloud networks and the info on them.
  • View the list of cloud resource addresses and the info on them.
  • View the list of route tables and the info on them.
  • View the list of security groups and the info on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role also includes the vpc.viewer permissions.

vpc.privateAdmin

The vpc.privateAdmin role allows you to manage cloud networks, subnets, and route tables, as well as view information on the quotas, resources, and resource operations. This role allows you to manage connectivity within Yandex Cloud, but not connectivity from the internet.

Users with this role can:
  • View the list of cloud networks and info on them, as well as create, modify, and delete them.
  • View the list of subnets and info on them, as well as create, modify, and delete them.
  • View the list of route tables and info on them, as well as create, modify, and delete them.
  • Link route tables to subnets.
  • View the list of security groups and info on them, as well as create default security groups within cloud networks.
  • Configure DHCP in subnets.
  • View the list of cloud resource addresses and info on them, as well as create internal IP addresses.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role also includes the vpc.viewer permissions.

vpc.publicAdmin

The vpc.publicAdmin role allows you to manage NAT gateways, public IP addresses, and external network connectivity, as well as view information on the quotas, resources, and resource operations. This role grants administrator privileges for multi-interface instances that provide connectivity between multiple networks.

Users with this role can:
  • View the list of cloud networks and info on them, as well as set up external access to them.
  • Manage connectivity of multiple cloud networks.
  • Manage multi-interface instances that provide connectivity between multiple networks.
  • View the list of subnets and info on them, as well as modify them.
  • View information on NAT gateways, as well as create, modify, and delete them.
  • Connect NAT gateways to route tables.
  • View the list of cloud resource addresses and info on them, as well as create, update, and delete public IP addresses.
  • View the list of route tables and info on them, as well as link them to subnets.
  • View the list of security groups and the info on them.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View info on the relevant folder.

This role also includes the vpc.viewer permissions.

You can assign a role for a cloud or folder.

Warning

If a network and subnet are in different folders, the vpc.publicAdmin role is checked for the folder where the network is located.

vpc.gateways.viewer

The vpc.gateways.viewer role allows you to view information on NAT gateways.

vpc.gateways.user

The vpc.gateways.user role allows you to view information on NAT gateways and connect them to route tables.

vpc.gateways.editor

The vpc.gateways.editor role allows you to create, modify, and delete NAT gateways, as well as connect them to route tables.

vpc.securityGroups.user

The vpc.securityGroups.user role allows you to assign security groups to network interfaces and view information on the resources, quotas, and resource operations.

Users with this role can:
  • Assign security groups to instance network interfaces.
  • Get a list of cloud networks and view information on them.
  • Get a list of subnets and view information on them.
  • Get a list of cloud resource addresses and view information on them.
  • Get a list of route tables and view information on them.
  • Get a list of security groups and view information on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role also includes the vpc.viewer permissions.

vpc.securityGroups.admin

The vpc.securityGroups.admin role allows you to manage security groups and view information on the resources, quotas, and resource operations.

Users with this role can:
  • View information on security groups, as well as create, modify, and delete them.
  • Create and delete default security groups in cloud networks.
  • Create and delete security group rules, as well as edit their metadata.
  • Get a list of cloud networks and view information on them.
  • Get a list of subnets and view information on them.
  • Get a list of cloud resource addresses and view information on them.
  • Get a list of route tables and view information on them.
  • View information on NAT gateways.
  • View information on the IP addresses used in subnets.
  • View information on Virtual Private Cloud quotas.
  • View information on resource operations for Virtual Private Cloud.
  • View information on resource operations for Compute Cloud.
  • View information on the relevant cloud.
  • View information on the relevant folder.

This role also includes the vpc.viewer permissions.

vpc.privateEndpoints.viewer

The vpc.privateEndpoints.viewer role allows you to view information on service connections.

vpc.privateEndpoints.editor

The vpc.privateEndpoints.editor role allows you to view information on service connections, as well as create, modify, and delete such connections.

This role also includes the vpc.privateEndpoints.viewer permissions.

vpc.privateEndpoints.admin

The vpc.privateEndpoints.admin role allows you to view information on service connections, as well as create, modify, and delete such connections.

This role also includes the vpc.privateEndpoints.editor permissions.

Primitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditor

The auditor role grants permission to read the configuration and metadata of any Yandex Cloud resource, without any access to data.

For instance, users with this role can:

  • View info on a resource.
  • View the resource metadata.
  • View the list of operations with a resource.

auditor is the most restrictive role: it grants no access to service data and suits users who need the minimum level of access to Yandex Cloud resources.

viewer

The viewer role grants permission to read information on any Yandex Cloud resource.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

admin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.

For more information about primitive roles, see the Yandex Cloud role reference.

What roles do I need

The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For example, you can assign the editor role instead of viewer, or vpc.admin instead of vpc.publicAdmin.

Each entry below gives the action, the API methods it corresponds to, and the roles required.

Viewing data
  • View information about any resource. Methods: get, list, listOperations. Required roles: vpc.viewer or viewer for the resource.
  • List subnets in the network. Methods: listSubnets. Required roles: vpc.viewer or viewer for the network.

Use of resources
  • Assign VPC resources to other Yandex Cloud resources, e.g., assign an address to an interface or connect a network interface to a subnet. Methods: various. Required roles: vpc.user for the resource, plus the permission to change the receiving object if the assignment operation is mutating.
  • Assign or delete the public address of an interface. Methods: various. Required roles: vpc.publicAdmin for the network.
  • Create a VM connected to multiple networks. Methods: create. Required roles: vpc.publicAdmin for each network the VM connects to.

Managing resources
  • Create networks in a folder. Methods: create. Required roles: vpc.privateAdmin or editor for the folder.
  • Update and delete networks. Methods: update, delete. Required roles: vpc.privateAdmin or editor for the network.
  • Create subnets in a folder. Methods: create. Required roles: vpc.privateAdmin or editor for the folder and network.
  • Update and delete subnets. Methods: update, delete. Required roles: vpc.privateAdmin or editor for the folder.
  • Create a route table. Methods: create. Required roles: vpc.privateAdmin or editor for the folder.
  • Update or delete a route table. Methods: update, delete. Required roles: vpc.privateAdmin or editor for the route table.
  • Create public addresses. Methods: create. Required roles: vpc.publicAdmin or editor for the folder.
  • Delete public addresses. Methods: delete. Required roles: vpc.publicAdmin or editor for the address.
  • Create a gateway. Methods: create. Required roles: vpc.gateways.editor.
  • Associate a gateway with a route table. Methods: create, update. Required roles: vpc.gateways.user.
  • Create security groups. Methods: create. Required roles: vpc.securityGroups.admin or editor for the folder and network.
  • Update and delete security groups. Methods: update, delete. Required roles: vpc.securityGroups.admin or editor for the network and security group.

Resource access management
  • Grant a role, revoke a role, and view roles granted for the resource. Methods: setAccessBindings, updateAccessBindings, listAccessBindings. Required roles: admin for the resource.

To create a NAT gateway and associate it with a route table, you need both the vpc.gateways.editor and vpc.gateways.user roles. Reserved public IP addresses currently cannot be used for gateways, so the vpc.admin role alone is not enough.
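The two rules stated earlier on this page (a role assigned to an organization, cloud, or folder also applies to nested resources, and a role that includes another role satisfies any requirement for the narrower one) together with the table above can be turned into a small offline access checker. The following Python module is an added example and is not Yandex Cloud code: its inclusion map is taken from the "This role also includes" notes and the primitive-role descriptions on this page, its REQUIRED map mirrors the table, and the binding records, resource identifiers, and their field names (role_id, subject, resource_id) are constructed sample data and an assumption of the example rather than an IAM API schema. It answers two questions a reviewer of role bindings usually has: whether a subject may perform an action on a given resource, and which narrower service role could replace a primitive-role binding.

```python
"""Role inheritance and scope model for the VPC roles described on this page.

Added example, not Yandex Cloud code. ROLE_INCLUDES follows the "This role also
includes ..." notes and the primitive-role text above; REQUIRED mirrors the
"What roles do I need" table; the binding records are constructed sample data
whose field names are an assumption of this example, not an IAM API schema.
"""
from __future__ import annotations

ROLE_INCLUDES: dict[str, set[str]] = {
    # Service roles: explicit "also includes" statements on this page.
    "vpc.viewer": {"vpc.auditor"},
    "vpc.user": {"vpc.viewer"},
    "vpc.bridgeAdmin": {"vpc.viewer"},
    "vpc.privateAdmin": {"vpc.viewer"},
    "vpc.publicAdmin": {"vpc.viewer"},
    "vpc.securityGroups.user": {"vpc.viewer"},
    "vpc.securityGroups.admin": {"vpc.viewer"},
    "vpc.admin": {"vpc.privateAdmin", "vpc.publicAdmin", "vpc.securityGroups.admin"},
    "vpc.privateEndpoints.editor": {"vpc.privateEndpoints.viewer"},
    "vpc.privateEndpoints.admin": {"vpc.privateEndpoints.editor"},
    # Primitive roles: each includes the previous one. editor is modelled as
    # covering exactly the VPC roles the table lists it as an alternative to.
    "auditor": {"vpc.auditor"},
    "viewer": {"auditor", "vpc.viewer"},
    "editor": {"viewer", "vpc.privateAdmin", "vpc.publicAdmin", "vpc.securityGroups.admin"},
    "admin": {"editor"},
}
# Leaf roles (no "includes" entry) that the table still refers to.
ALL_ROLES: set[str] = set(ROLE_INCLUDES).union(*ROLE_INCLUDES.values()) | {
    "vpc.gateways.viewer", "vpc.gateways.user", "vpc.gateways.editor",
}

VIEW = {"vpc.viewer", "viewer"}
PRIVATE = {"vpc.privateAdmin", "editor"}
PUBLIC = {"vpc.publicAdmin", "editor"}
SG = {"vpc.securityGroups.admin", "editor"}
# Roles the "What roles do I need" table accepts for each action.
REQUIRED: dict[str, set[str]] = {
    "get": VIEW, "list": VIEW, "listOperations": VIEW, "listSubnets": VIEW,
    "network.create": PRIVATE, "network.update": PRIVATE, "network.delete": PRIVATE,
    "subnet.create": PRIVATE, "subnet.update": PRIVATE, "subnet.delete": PRIVATE,
    "routeTable.create": PRIVATE, "routeTable.update": PRIVATE, "routeTable.delete": PRIVATE,
    "address.createPublic": PUBLIC, "address.deletePublic": PUBLIC,
    "gateway.create": {"vpc.gateways.editor"},
    "gateway.attachRouteTable": {"vpc.gateways.user"},
    "securityGroup.create": SG, "securityGroup.update": SG, "securityGroup.delete": SG,
    "setAccessBindings": {"admin"}, "updateAccessBindings": {"admin"}, "listAccessBindings": {"admin"},
}


def effective_roles(role: str) -> set[str]:
    """Transitive closure of inclusion: the role plus everything it includes."""
    seen: set[str] = set()
    stack = [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(ROLE_INCLUDES.get(r, ()))
    return seen


def is_allowed(bindings, subject: str, resource_path: tuple[str, ...], action: str) -> bool:
    """True if a binding of `subject` on the resource or one of its ancestors
    (organization > cloud > folder > resource) carries a role whose closure
    contains a role the table accepts for `action`."""
    needed = REQUIRED[action]
    return any(
        b["subject"] == subject
        and b["resource_id"] in resource_path
        and effective_roles(b["role_id"]) & needed
        for b in bindings
    )


def minimal_roles(actions) -> set[str]:
    """Narrowest role set that still permits every action: one role if a single
    role covers them all, otherwise the narrowest role per action."""
    def narrowest(acts) -> str | None:
        ok = [r for r in ALL_ROLES if all(effective_roles(r) & REQUIRED[a] for a in acts)]
        return min(ok, key=lambda r: (len(effective_roles(r)), r)) if ok else None
    single = narrowest(actions)
    return {single} if single else {narrowest([a]) for a in actions}


def suggest_downgrade(bindings, subject: str, actions) -> list[tuple[str, str]]:
    """Bindings of `subject` whose role is strictly broader than a role in
    minimal_roles(actions), each paired with that narrower role."""
    targets = minimal_roles(actions)
    out = []
    for b in bindings:
        if b["subject"] != subject:
            continue
        have = effective_roles(b["role_id"])
        out.extend((b["role_id"], t) for t in sorted(targets) if have > effective_roles(t))
    return out


# Constructed sample bindings and resource paths (not real identifiers).
SAMPLE_BINDINGS = [
    {"role_id": "viewer", "subject": "serviceAccount:sa-audit", "resource_id": "cloud-1"},
    {"role_id": "vpc.privateAdmin", "subject": "userAccount:alice", "resource_id": "folder-1"},
    {"role_id": "vpc.gateways.user", "subject": "userAccount:alice", "resource_id": "folder-1"},
]
NET_1 = ("org-1", "cloud-1", "folder-1", "net-1")  # organization > cloud > folder > network
NET_2 = ("org-1", "cloud-1", "folder-2", "net-2")  # same cloud, different folder

if __name__ == "__main__":
    print(is_allowed(SAMPLE_BINDINGS, "serviceAccount:sa-audit", NET_1, "get"))
    print(is_allowed(SAMPLE_BINDINGS, "userAccount:alice", NET_2, "network.update"))
    print(suggest_downgrade(SAMPLE_BINDINGS, "serviceAccount:sa-audit", ["get", "list"]))
```

Because the table ties gateway creation to vpc.gateways.editor rather than to vpc.admin, the model agrees with the note above: a vpc.admin or admin binding alone does not satisfy gateway.create, while alice's folder-level vpc.privateAdmin binding covers network updates in folder-1 but not in folder-2. The downgrade check is the least-privilege recommendation made practical: a service account holding viewer on the whole cloud only to read VPC metadata is flagged with vpc.viewer as the replacement.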

What's next

  • How to assign a role.
  • How to revoke a role.
  • Learn more about access management in Yandex Cloud.
  • Learn more about inheriting roles.
