Access management in API Gateway
Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. If a user does not have any roles assigned, almost all operations are forbidden.
To allow access to API Gateway resources (API gateways), assign the required roles from the list below to a Yandex account, service account, federated user, user group, or system group. Currently, a role can be assigned for a parent resource (a folder or cloud) or for an organization.
Only users with the admin, resource-manager.clouds.owner, or organization-manager.organizations.owner role for a resource can assign roles for this resource.
Note
For more information about role inheritance, see Inheritance of access rights in the Yandex Resource Manager documentation.
Assigning roles
To assign a user a role for the cloud:
- Add the required user if needed.
- In the management console, select the appropriate cloud in the list on the left.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configuring access bindings window, click Select subject.
- Select a user from the list or search by user.
- Click Add role.
- Select a role in the cloud.
- Click Save.
For more information about assigning roles, see the Yandex Identity and Access Management documentation.
Which resources you can assign a role for
As with other services, you can assign roles for clouds, folders, and service accounts. Roles assigned for a cloud or folder are inherited by all resources nested in it, including API gateways.
You can assign a role for an API gateway via the YC CLI or the Yandex Cloud API.
Which roles exist in the service
The list below shows all roles that are considered when verifying access rights in the API Gateway service.
Service roles
api-gateway.auditor
The api-gateway.auditor role allows you to view the list of API gateways and the details on access bindings to such gateways. It also enables viewing the relevant folder metadata.
api-gateway.viewer
The api-gateway.viewer role allows you to view the list of API gateways, info on them, and the details on access bindings to such gateways. It also enables viewing the relevant folder metadata.
This role also includes the api-gateway.auditor permissions.
api-gateway.editor
The api-gateway.editor role enables managing API gateways and viewing info on them, as well as working with the WebSocket API.
Users with this role can:
- View the list of API gateways, info on them and on access bindings to them, as well as use, modify, and delete such gateways.
- Use the request rate limit.
- View info on WebSocket connections and close them, as well as send data through such connections.
- View info on the relevant folder.
This role also includes the api-gateway.websocketWriter permissions.
api-gateway.websocketWriter
The api-gateway.websocketWriter role allows you to work with the WebSocket API, as well as view the list of API gateways, info on them, and the details on access bindings to such gateways.
Users with this role can:
- View info on WebSocket connections and close them, as well as send data through such connections.
- View the list of API gateways, info on them and on access bindings to them.
- View info on the relevant folder.
This role also includes the api-gateway.viewer permissions.
api-gateway.admin
The api-gateway.admin role enables managing API gateways and access to them, viewing info on API gateways, and working with the WebSocket API.
Users with this role can:
- View info on access bindings for API gateways and modify such bindings.
- View info on API gateways, as well as create, modify, and delete them.
- View info on WebSocket connections and close them, as well as send data through such connections.
- Use the request rate limit.
- View info on the relevant folder.
This role also includes the api-gateway.editor permissions.
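The service roles above form a chain (auditor, viewer, websocketWriter, editor, admin), each including the previous one, and a binding on a cloud or folder is inherited by every API gateway nested in it. The following script is an added example, not Yandex Cloud code: it models that chain and the cloud/folder/gateway inheritance so you can answer "what can this subject do on this gateway" and "what is the least role that covers these operations" before assigning a binding. The permission labels (gateway.update, websocket.send, and so on), the resource IDs, the subject IDs and the bindings are all constructed for the example and are not Yandex Cloud permission names; primitive roles are left out of the model.

```python
"""Least-privilege model of API Gateway service roles (added example, not Yandex Cloud code).

Role contents follow the role descriptions on this page. Permission labels,
resources, subjects and bindings below are constructed for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Permissions each role grants directly, beyond what it inherits (labels are assumptions).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "api-gateway.auditor": {"gateway.list", "gateway.accessBindings.get", "folder.get"},
    "api-gateway.viewer": {"gateway.get"},
    "api-gateway.websocketWriter": {"websocket.get", "websocket.close", "websocket.send"},
    "api-gateway.editor": {"gateway.use", "gateway.update", "gateway.delete", "rateLimit.use"},
    "api-gateway.admin": {"gateway.create", "gateway.accessBindings.update"},
}

# "This role also includes the ... permissions" chain from the page.
ROLE_INCLUDES: Dict[str, str] = {
    "api-gateway.viewer": "api-gateway.auditor",
    "api-gateway.websocketWriter": "api-gateway.viewer",
    "api-gateway.editor": "api-gateway.websocketWriter",
    "api-gateway.admin": "api-gateway.editor",
}

# Roles ordered from least to most privileged.
ROLE_ORDER: List[str] = [
    "api-gateway.auditor", "api-gateway.viewer", "api-gateway.websocketWriter",
    "api-gateway.editor", "api-gateway.admin",
]

# Constructed resource tree: cloud -> folder -> API gateway (child -> parent).
PARENT: Dict[str, Optional[str]] = {
    "cloud-a": None,
    "folder-prod": "cloud-a",
    "gw-orders": "folder-prod",
    "folder-dev": "cloud-a",
    "gw-dev": "folder-dev",
}

# Constructed access bindings: resource -> [(subject, role)].
BINDINGS: Dict[str, List[Tuple[str, str]]] = {
    "cloud-a": [("userAccount:alice", "api-gateway.admin")],
    "folder-prod": [("serviceAccount:ci-deployer", "api-gateway.editor")],
    "gw-dev": [("serviceAccount:ws-bot", "api-gateway.websocketWriter")],
}


def expand_role(role: str) -> Set[str]:
    """Return all permissions of a role, following the inclusion chain downwards."""
    perms: Set[str] = set()
    current: Optional[str] = role
    while current is not None:
        perms |= ROLE_PERMISSIONS[current]
        current = ROLE_INCLUDES.get(current)
    return perms


def effective_roles(subject: str, resource: str) -> Set[str]:
    """Roles bound to the subject on the resource or on any of its ancestors."""
    roles: Set[str] = set()
    node: Optional[str] = resource
    while node is not None:
        roles |= {r for s, r in BINDINGS.get(node, []) if s == subject}
        node = PARENT[node]
    return roles


def effective_permissions(subject: str, resource: str) -> Set[str]:
    perms: Set[str] = set()
    for role in effective_roles(subject, resource):
        perms |= expand_role(role)
    return perms


def is_allowed(subject: str, permission: str, resource: str) -> bool:
    """Default deny: a subject with no bindings on the path to the root gets nothing."""
    return permission in effective_permissions(subject, resource)


def minimal_role(needed: Set[str]) -> Optional[str]:
    """Least privileged service role whose expanded permissions cover `needed`."""
    for role in ROLE_ORDER:
        if needed <= expand_role(role):
            return role
    return None  # no single service role covers the request


if __name__ == "__main__":
    print(is_allowed("serviceAccount:ci-deployer", "gateway.update", "gw-orders"))  # True
    print(is_allowed("serviceAccount:ci-deployer", "gateway.update", "gw-dev"))     # False
    print(minimal_role({"gateway.get", "websocket.close"}))  # api-gateway.websocketWriter
```

Note that the editor binding on folder-prod reaches gw-orders through inheritance but not gw-dev, and that the CI deployer cannot touch access bindings on either gateway because that permission appears only in api-gateway.admin. When you need a role for a new subject, compute minimal_role for the operations it actually performs rather than defaulting to admin.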
Primitive roles
auditor
Grants permission to view service configuration and metadata without access to data.
viewer
Enables you to view information about resources.
editor
Allows managing (creating, editing, and deleting) resources.
admin
Allows you to manage your resources and access to them.
For more information about primitive roles, see the Yandex Cloud role reference.