Configuring access permissions for a dedicated host group
To grant a user, group, or service account access to a dedicated host group, assign a role for it.
Assigning a role
- In the management console, select the folder containing the dedicated host group.
- Select Compute Cloud.
- In the left-hand panel, click and select Dedicated host groups.
- Select the dedicated host group.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select the group, user, or service account you want to grant access to the dedicated host group.
- Click Add role and select the required role.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- See the description of the CLI command for assigning a role for a dedicated host group:
  yc compute host-group add-access-binding --help
- Get a list of dedicated host groups in the default folder:
  yc compute host-group list
- View a list of roles already assigned for the resource in question:
  yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>
- Assign the role using this command:
  - To a user:
    yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \
      --user-account-id <user_ID> \
      --role <role>
    Where:
    - --user-account-id: User ID.
    - --role: Role to assign.
  - To a service account:
    yc compute host-group add-access-binding <dedicated_host_group_name_or_ID> \
      --service-account-id <service_account_ID> \
      --role <role>
    Where:
    - --service-account-id: Service account ID.
    - --role: Role to assign.
To assign a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action property to ADD and specify the user type and ID under subject.
Assigning multiple roles
- In the management console, select the folder containing the dedicated host group.
- Select Compute Cloud.
- In the left-hand panel, click and select Dedicated host groups.
- Select the dedicated host group.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the window that opens, select the group, user, or service account you want to grant access to the dedicated host group.
- Click Add role and select the required role.
- To add another role, click Add role.
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.
- Make sure the resource has no roles assigned that you would not want to lose:
  yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>
- See the description of the CLI command for assigning roles for a dedicated host group:
  yc compute host-group set-access-bindings --help
- Assign roles:
  yc compute host-group set-access-bindings <dedicated_host_group_name_or_ID> \
    --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
    --access-binding role=<role>,subject=<subject_type>:<subject_ID>
  Where:
  - --access-binding: Parameters for setting access permissions:
    - role: Role to assign.
    - subject: Type and ID of the subject getting the role.
  For example, this command will assign roles to multiple users and a single service account:
  yc compute host-group set-access-bindings my-host-group \
    --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
    --access-binding role=viewer,subject=userAccount:helj89sfj80a******** \
    --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********
To assign roles for a dedicated host group, use the setAccessBindings REST API method for the HostGroup resource or the HostGroupService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method and the HostGroupService/SetAccessBindings call completely overwrite access permissions for the resource. All current roles for the resource will be deleted.
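A pre-flight check for the overwrite behaviour described in the alerts above, as an added example that is not part of the original documentation: it lists the bindings a set-access-bindings call would delete and builds a command that carries the existing bindings over. The JSON field names (role_id, subject.type, subject.id) are an assumption about the output of list-access-bindings with --format json, and all IDs are constructed sample values.

```python
import json
import shlex

# Constructed sample of:
#   yc compute host-group list-access-bindings my-host-group --format json
# Field names are an assumption about the CLI's JSON output; IDs are made up.
CURRENT_JSON = """
[
  {"role_id": "editor", "subject": {"type": "userAccount", "id": "user-aaa-constructed"}},
  {"role_id": "viewer", "subject": {"type": "userAccount", "id": "user-bbb-constructed"}},
  {"role_id": "viewer", "subject": {"type": "serviceAccount", "id": "sa-ccc-constructed"}}
]
"""

def parse_bindings(raw):
    """Return the bindings as a set of (role, 'subject_type:subject_id') pairs."""
    return {(b["role_id"], f'{b["subject"]["type"]}:{b["subject"]["id"]}')
            for b in json.loads(raw)}

def dropped_by_set(current, desired):
    """Bindings that exist now and are absent from `desired`, i.e. deleted by the overwrite."""
    return sorted(current - desired)

def set_command(host_group, bindings):
    """Build the set-access-bindings command for the complete list of bindings."""
    args = ["yc", "compute", "host-group", "set-access-bindings", host_group]
    for role, subject in sorted(bindings):
        args += ["--access-binding", f"role={role},subject={subject}"]
    return shlex.join(args)

def plan(host_group, raw_current, wanted, keep_existing=True):
    """Return (dropped, command). With keep_existing the wanted bindings are merged
    into the current ones; without it, `dropped` shows what the call would delete."""
    current = parse_bindings(raw_current)
    desired = set(wanted) | (current if keep_existing else set())
    return dropped_by_set(current, desired), set_command(host_group, desired)

if __name__ == "__main__":
    new = [("editor", "serviceAccount:sa-ccc-constructed")]
    for keep in (False, True):
        dropped, cmd = plan("my-host-group", CURRENT_JSON, new, keep_existing=keep)
        print(f"keep_existing={keep}: {len(dropped)} binding(s) would be deleted")
        for role, subject in dropped:
            print(f"  - {role} {subject}")
        print(cmd)
```

Review the printed list of deleted bindings before running the generated command; an empty list means the overwrite only adds access.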
Revoking a role
- In the management console, select the folder containing the dedicated host group.
- Select Compute Cloud.
- In the left-hand panel, click and select Dedicated host groups.
- Select the dedicated host group.
- Go to the Access bindings tab.
- In the line with the user in question, click and select Edit roles.
- Next to the role, click .
- Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder through the --folder-name or --folder-id parameter.
- See the description of the CLI command for revoking a role for a dedicated host group:
  yc compute host-group remove-access-binding --help
- View the roles and assignees for the resource:
  yc compute host-group list-access-bindings <dedicated_host_group_name_or_ID>
- To revoke access permissions, run this command:
  yc compute host-group remove-access-binding <dedicated_host_group_name_or_ID> \
    --role=<role> \
    --subject=<subject_type>:<subject_ID>
  Where:
  - --role: ID of the role to revoke.
  - --subject: Type and ID of the subject getting the role.
  For example, this command revokes the viewer role for the dedicated host group from a user with the ajel6l0jcb9s******** ID:
  yc compute host-group remove-access-binding my-host-group \
    --role viewer \
    --subject userAccount:ajel6l0jcb9s********
To revoke a role, use the updateAccessBindings REST API method for the HostGroup resource or the HostGroupService/UpdateAccessBindings gRPC API call. In the request body, set the action property to REMOVE and specify the user type and ID under subject.