Access management in Yandex Cloud Registry

Yandex Cloud users can only perform operations on resources that are allowed by the roles assigned to them. As long as a user has no roles assigned, all operations are forbidden.

To allow access to Cloud Registry resources, assign the required roles from the list below to a Yandex account, service account, federated users, user group, system group, or public group.

Which resources you can assign a role forWhich resources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned for organizations, clouds, or folders also apply to nested resources.

You can also assign a role for Cloud Registry registries as well as directories inside them.

Which roles exist in the serviceWhich roles exist in the service

In Cloud Registry, you can manage access using both service and primitive roles.

Service rolesService roles

cloud-registry.auditorcloud-registry.auditor

The cloud-registry.auditor role enables viewing the artifact metadata, the info on registries and access permissions granted to them, as well as on the Cloud Registry quotas.

Users with this role can:

• View the artifact metadata.
• View info on registries.
• View the list of registry IP permissions.
• View info on the access permissions granted to registries and folders within registries.
• View info on the Cloud Registry quotas.
• View info on the relevant cloud and folder.

cloud-registry.viewercloud-registry.viewer

Thecloud-registry.viewer role enables pulling artifacts, as well as viewing info on artifacts and registries, on the access permissions granted to registries, and on the Cloud Registry quotas.

Users with this role can:

• View info on artifacts and pull them.
• View info on registries.
• View the list of registry IP permissions.
• View info on the access permissions granted to registries and folders within registries.
• View info on the Cloud Registry quotas.
• View info on the relevant cloud and folder.

This role also includes the cloud-registry.auditor permissions.

cloud-registry.editorcloud-registry.editor

The cloud-registry.editor role enables managing artifacts and registries, as well as viewing info on the access permissions granted to registries and Cloud Registry quotas.

Users with this role can:

• View info on artifacts, as well as create, modify, download, and delete them.
• View info on registries, as well as create, modify, and delete them.
• Create and delete folders within registries.
• View the list of registry IP permissions.
• View info on the access permissions granted to registries and folders within registries.
• View info on the Cloud Registry quotas.
• View info on the relevant cloud and folder.

This role also includes the cloud-registry.viewer and cloud-registry.artifacts.pusher permissions.

cloud-registry.admincloud-registry.admin

The cloud-registry.admin role enables managing artifacts, registries, and access to registries, as well as viewing info on the Cloud Registry quotas.

Users with this role can:

• View info on artifacts, as well as create, modify, download, and delete them.
• View info on registries, as well as create, modify, and delete them.
• View info on the access permissions granted to registries and folders within registries, as well as modify such permissions.
• Create and delete folders within registries.
• View the list of registry IP permissions.
• View info on the Cloud Registry quotas.
• View info on the relevant cloud and folder.

This role also includes the cloud-registry.editor permissions.

cloud-registry.artifacts.pullercloud-registry.artifacts.puller

The cloud-registry.artifacts.puller role enables pulling artifacts, as well as getting info on artifacts and registries.

cloud-registry.artifacts.pushercloud-registry.artifacts.pusher

The cloud-registry.artifacts.pusher role enables managing artifacts, as well as viewing info on the registries and managing folders within them.

Users with this role can:

• View info on artifacts, as well as create, modify, download, and delete them.
• View info on registries.
• Create and delete folders within registries.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.

For more information about primitive roles, see the Yandex Cloud role reference.

See alsoSee also

Hierarchy of Yandex Cloud resources