Configuring dedicated host group access permissions
To grant a user, group, or service account access to a dedicated host group, assign a role for it.
Assigning a role
- In the management console
, select the folder containing the dedicated host group. - Select Compute Cloud.
- In the left-hand panel, select
→ Dedicated host groups. - Select the dedicated host group.
- Go to the
Access bindings tab. - Click Assign bindings.
- In the window that opens, select the group, user, or service account to grant access to the dedicated host group.
- Click
Add role and select the required role. - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
See the CLI command description for assigning a role for a dedicated host group:
yc compute host-group add-access-binding --help
-
Get a list of dedicated host groups in the default folder:
yc compute host-group list
-
View the list of roles already assigned for the resource:
yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>
-
Assign the role using the command:
-
To a user:
yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \ --user-account-id <user_ID> \ --role <role>
Where:
-
To a service account:
yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \ --service-account-id <service_account_ID> \ --role <role>
Where:
--service-account-id
: Service account ID.--role
: Role to assign.
-
To assign a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action
property to ADD
and specify the user type and ID in the subject
property.
Assigning multiple roles
- In the management console
, select the folder containing the dedicated host group. - Select Compute Cloud.
- In the left-hand panel, select
→ Dedicated host groups. - Select the dedicated host group.
- Go to the
Access bindings tab. - Click Assign bindings.
- In the window that opens, select the group, user, or service account to grant access to the dedicated host group.
- Click
Add role and select the required role. - To add another role, click
Add role. - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
You can assign multiple roles using the set-access-bindings
command.
Alert
The set-access-bindings
command completely rewrites the access permissions for the resource. All current resource roles will be deleted.
-
Make sure the resource has no roles assigned that you would not want to lose:
yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>
-
See the CLI command description for assigning roles for a dedicated host group:
yc compute host-group set-access-bindings --help
-
Assign roles:
yc compute host-group set-access-bindings <dedicated_host_group_name_or_ID> \ --access-binding role=<role>,subject=<subject_type>:<subject_ID> \ --access-binding role=<role>,subject=<subject_type>:<subject_ID>
Where:
-
--access-binding
: Parameters for setting access permissions:
For example, assign roles to multiple users and a service account:
yc compute host-group set-access-bindings my-host-group \ --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** --access-binding role=viewer,subject=userAccount:helj89sfj80a******** --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********
-
To assign roles for a resource, use the setAccessBindings REST API method for the HostGroup resource or the HostGroupService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings
method and the HostGroupService/SetAccessBindings
call completely overwrite access permissions for the resource. All current resource roles will be deleted.
Revoking a role
- In the management console
, select the folder containing the dedicated host group. - Select Compute Cloud.
- In the left-hand panel, select
→ Dedicated host groups. - Select the dedicated host group.
- Go to the
Access bindings tab. - In the line with the user you need, click
and select Edit roles. - Next to the role, click
. - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
-
See the CLI command description for revoking a role for a dedicated host group:
yc compute host-group remove-access-binding --help
-
View the roles and assignees for the resource:
yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>
-
To revoke access permissions, run this command:
yc compute host-group remove-access-binding <dedicated_host_group_name_or_ID> \ --role=<role> \ --subject=<subject_type>:<subject_ID> \
Where:
--role
: ID of the role to revoke.--subject
: Type and ID of the subject getting the role.
For example, to revoke the
viewer
role for a dedicated host group from a user with theajel6l0jcb9s********
ID:yc compute host-group remove-access-binding my-host-group \ --role viewer \ --subject userAccount:ajel6l0jcb9s********
To revoke a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action
property to REMOVE
and specify the user type and ID in the subject
property.