Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Configuring access permissions for a certificate

Written by
Updated at November 11, 2025

To grant a user, group, or service account access to a certificate, assign a role for it.

Assigning a role

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for assigning a role for a certificate:

    yc certificate-manager certificate add-access-binding --help

  2. Get a list of certificates in the default folder:

    yc certificate-manager certificate list

    Result:

    +----------------------+--------+-------------+---------------------+----------+---------+
|          ID          |  NAME  |   DOMAINS   |      NOT AFTER      |   TYPE   | STATUS  |
+----------------------+--------+-------------+---------------------+----------+---------+
| fpqgbg3fajpg******** | cert-1 | example.com | 2026-01-04 13:58:14 | IMPORTED | ISSUED  |
| fpqlhev2j4ad******** | cert-2 | example.com | 2026-01-04 14:07:02 | IMPORTED | ISSUED  |
+----------------------+--------+-------------+---------------------+----------+---------+

  3. Check what roles are currently assigned for the DNS zone you want to update:

    yc certificate-manager certificate list-access-bindings <certificate_ID>

  4. To assign the role, run the following command:

    • To a user:

      yc certificate-manager certificate add-access-binding <certificate_ID> \
  --user-account-id <user_ID> \
  --role <role>

      Where:

    • To a service account:

      yc certificate-manager certificate add-access-binding <certificate_ID> \
  --service-account-id <service_account_ID> \
  --role <role>

      Where:

Use the updateAccessBindings REST API method for the Certificate resource or the CertificateService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.

Assigning multiple roles

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

You can assign multiple roles using the set-access-bindings command.

Alert

The set-access-bindings command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.

  1. View the list of roles assigned for a certificate:

    yc certificate-manager certificate list-access-bindings <certificate_ID>

    If you need to save the roles, specify them in the command for assigning roles.

  2. See the description of the CLI command for assigning roles for a certificate:

    yc certificate-manager certificate set-access-bindings --help

  3. Assign roles:

    yc certificate-manager certificate set-access-bindings <certificate_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_ID>

    Where:

    • --access-binding: Role to assign:

      • role: ID of the role to assign.
      • subject: Type and ID of the subject the role is assigned to.

    For example, the following command will assign roles to multiple users and a single service account:

    yc certificate-manager certificate set-access-bindings my-certificate \
  --access-binding role=editor,subject=userAccount:gfei8n54hmfh********
  --access-binding role=viewer,subject=userAccount:helj89sfj80a********
  --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********

Use the setAccessBindings REST API method for the Certificate resource or the CertificateService/SetAccessBindings gRPC API call.

Revoking a role

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for revoking a role for a certificate:

    yc certificate-manager certificate remove-access-binding --help

  2. View the roles and assignees for the resource:

    yc certificate-manager certificate list-access-bindings <certificate_ID>

  3. To revoke access permissions, run this command:

    yc certificate-manager certificate remove-access-binding <certificate_ID> \
  --role <role_ID> \
  --subject <subject_type>:<subject_ID>

    Where:

    • --role: ID of the role you want to revoke.
    • --subject: Subject to revoke the role from.

    For example, to revoke the viewer role from a user with the ajel6l0jcb9s******** ID:

    yc certificate-manager certificate remove-access-binding my-certificate \
  --role viewer \
  --subject userAccount:ajel6l0jcb9s********

To revoke roles for a certificate, use the updateAccessBindings REST API method for the Certificate resource or the CertificateService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.

Previous
Adding alerts for certificates
Next
Viewing operations with a certificate