Configuring access permissions for a dedicated host group
To grant a user, group, or service account access to a dedicated host group, assign a role for it.
Assigning a role
- In the management console, select the folder containing the dedicated host group.
- Select Compute Cloud.
- In the left-hand panel, click and select Dedicated host groups.
- Select the dedicated host group.
- Go to the Access bindings tab.
- Click Assign roles.
- In the window that opens, select the group, user, or service account you want to grant access to the dedicated host group.
- Click Add role and select the required role.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
See the description of the CLI command for assigning a role for a dedicated host group:
yc compute host-group add-access-binding --help -
Get a list of dedicated host groups in the default folder:
yc compute host-group list -
View a list of roles already assigned for the resource in question:
yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID> -
Assign the role using this command:
-
To a user:
yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \ --user-account-id <user_ID> \ --role <role>Where:
-
To a service account:
yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \ --service-account-id <service_account_ID> \ --role <role>Where:
--service-account-id: Service account ID.--role: Role to assign.
-
To assign a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.
Assigning multiple roles
- In the management console, select the folder containing the dedicated host group.
- Select Compute Cloud.
- In the left-hand panel, click and select Dedicated host groups.
- Select the dedicated host group.
- Go to the Access bindings tab.
- Click Assign roles.
- In the window that opens, select the group, user, or service account you want to grant access to the dedicated host group.
- Click Add role and select the required role.
- To add another role, click Add role.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.
-
Make sure the resource has no roles assigned that you would not want to lose:
yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID> -
See the description of the CLI command for assigning roles for a dedicated host group:
yc compute host-group set-access-bindings --help -
Assign roles:
yc compute host-group set-access-bindings <dedicated_host_group_name_or_ID> \ --access-binding role=<role>,subject=<subject_type>:<subject_ID> \ --access-binding role=<role>,subject=<subject_type>:<subject_ID>Where:
-
--access-binding: Parameters for setting access permissions:
For example, this command will assign roles to multiple users and a single service account:
yc compute host-group set-access-bindings my-host-group \ --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** --access-binding role=viewer,subject=userAccount:helj89sfj80a******** --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s******** -
To assign roles for a dedicated host group, use the setAccessBindings REST API method for the HostGroup resource or the HostGroupService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method and the HostGroupService/SetAccessBindings call completely overwrite access permissions for the resource. All current roles for the resource will be deleted.
Revoking a role
- In the management console, select the folder containing the dedicated host group.
- Select Compute Cloud.
- In the left-hand panel, click and select Dedicated host groups.
- Select the dedicated host group.
- Go to the Access bindings tab.
- In the line with the user in question, click and select Edit roles.
- Next to the role, click .
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.
-
See the description of the CLI command for revoking a role for for a dedicated host group:
yc compute host-group remove-access-binding --help -
View the roles and assignees for the resource:
yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID> -
To revoke access permissions, run this command:
yc compute host-group remove-access-binding <dedicated_host_group_name_or_ID> \ --role=<role> \ --subject=<subject_type>:<subject_ID> \Where:
--role: ID of the role to revoke.--subject: Type and ID of the subject getting the role.
For example, this command revokes the
viewerrole for the dedicated host group from a user with theajel6l0jcb9s********ID:yc compute host-group remove-access-binding my-host-group \ --role viewer \ --subject userAccount:ajel6l0jcb9s********
To revoke a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.