Configuring access permissions for a certificate
To grant an individual user, user group, or service account access to a certificate, assign a role for it.
Assigning a role
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
View the description of the CLI command for assigning a role for a certificate:
yc certificate-manager certificate add-access-binding --help -
Get the list of certificates in the default folder:
yc certificate-manager certificate listResult:
+----------------------+--------+-------------+---------------------+----------+---------+ | ID | NAME | DOMAINS | NOT AFTER | TYPE | STATUS | +----------------------+--------+-------------+---------------------+----------+---------+ | fpqgbg3fajpg******** | cert-1 | example.com | 2026-01-04 13:58:14 | IMPORTED | ISSUED | | fpqlhev2j4ad******** | cert-2 | example.com | 2026-01-04 14:07:02 | IMPORTED | ISSUED | +----------------------+--------+-------------+---------------------+----------+---------+ -
Check what roles are currently assigned for the resource in question:
yc certificate-manager certificate list-access-bindings <certificate_ID> -
Assign the role using this command:
-
To a user:
yc certificate-manager certificate add-access-binding <certificate_ID> \ --user-account-id <user_ID> \ --role <role>Where:
-
To a service account:
yc certificate-manager certificate add-access-binding <certificate_ID> \ --service-account-id <service_account_ID> \ --role <role>Where:
--service-account-id: Service account ID.--role: Role to assign.
-
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To assign a role for a certificate using Terraform:
-
In the Terraform configuration file, describe the resources you want to create:
resource "yandex_cm_certificate_iam_member" "mycert-roles" { certificate_id = "<certificate_ID>" role = "<role>" member = "<subject_type>:<subject_ID>" }Where:
certificate_id: Certificate ID.role: Role to assign.member: Type and ID of the subject the role is assigned to. Specify it asuserAccount:<user_ID>orserviceAccount:<service_account_ID>.
For more information about the
yandex_cm_certificate_iam_memberresource properties, see this provider guide. -
Create the resources:
-
In the terminal, navigate to the configuration file directory.
-
Make sure the configuration is correct using this command:
terraform validateIf the configuration is valid, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
-
Apply the configuration changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
Terraform will create all the required resources. You can check the new resources using this CLI command:
yc certificate-manager certificate list-access-bindings <certificate_ID> -
Use the updateAccessBindings REST API method for the Certificate resource or the CertificateService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.
Assigning multiple roles
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.
-
View the list of roles assigned for a certificate:
yc certificate-manager certificate list-access-bindings <certificate_ID>If you need to save the roles, specify them in the command for assigning roles.
-
View the description of the CLI command for assigning roles for a certificate:
yc certificate-manager certificate set-access-bindings --help -
Assign the roles:
yc certificate-manager certificate set-access-bindings <certificate_ID> \ --access-binding role=<role>,subject=<subject_type>:<subject_ID>Where:
--access-binding: Role to assign:role: ID of the role to assign.subject: Type and ID of the subject the role is assigned to.
For example, this command will assign roles to multiple users and a single service account:
yc certificate-manager certificate set-access-bindings my-certificate \ --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** --access-binding role=viewer,subject=userAccount:helj89sfj80a******** --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To assign multiple roles for a certificate using Terraform:
-
In the Terraform configuration file, describe the resources you want to create:
resource "yandex_cm_certificate_iam_member" "mycert-roles1" { certificate_id = "<certificate_ID>" role = "<role_1>" member = "<subject_type>:<subject_ID>" } resource "yandex_cm_certificate_iam_member" "mycert-roles2" { certificate_id = "<certificate_ID>" role = "<role_2>" member = "<subject_type>:<subject_ID>" }Where:
certificate_id: Certificate ID.role: Role to assign.member: Type and ID of the subject the role is assigned to. Specify it asuserAccount:<user_ID>orserviceAccount:<service_account_ID>.
For more information about the
yandex_cm_certificate_iam_memberresource properties, see this provider guide. -
Create the resources:
-
In the terminal, navigate to the configuration file directory.
-
Make sure the configuration is correct using this command:
terraform validateIf the configuration is valid, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
-
Apply the configuration changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
Terraform will create all the required resources. You can check the new resources using this CLI command:
yc certificate-manager certificate list-access-bindings <certificate_ID> -
Use the setAccessBindings REST API method for the Certificate resource or the CertificateService/SetAccessBindings gRPC API call.
Revoking a role
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
-
View the description of the CLI command for revoking a role for a certificate:
yc certificate-manager certificate remove-access-binding --help -
View the list of users and their roles for the resource:
yc certificate-manager certificate list-access-bindings <certificate_ID> -
To revoke access permissions, run this command:
yc certificate-manager certificate remove-access-binding <certificate_ID> \ --role <role_ID> \ --subject <subject_type>:<subject_ID>Where:
--role: ID of the role you want to revoke.--subject: Subject to revoke the role from.
For example, to revoke the
viewerrole from the user with theajel6l0jcb9s********ID:yc certificate-manager certificate remove-access-binding my-certificate \ --role viewer \ --subject userAccount:ajel6l0jcb9s********
With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.
For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.
If you do not have Terraform yet, install it and configure the Yandex Cloud provider.
To revoke a role assigned for a certificate:
-
Open the Terraform configuration file and delete the fragment describing the role:
resource "yandex_cm_certificate_iam_member" "mycert-roles" { certificate_id = "<certificate_ID>" role = "<role>" member = "<subject_type>:<subject_ID>" } -
Apply the changes:
-
In the terminal, navigate to the configuration file directory.
-
Make sure the configuration is correct using this command:
terraform validateIf the configuration is valid, you will get this message:
Success! The configuration is valid. -
Run this command:
terraform planYou will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
-
Apply the configuration changes:
terraform apply -
Type
yesand press Enter to confirm the changes.
You can check the changes using this CLI command:
yc certificate-manager certificate list-access-bindings <certificate_ID> `` -
To revoke roles for a certificate, use the updateAccessBindings REST API method for the Certificate resource or the CertificateService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.