Revoking roles assigned to a function
Written by
Updated at May 5, 2026
CLI
API
If you do not have the Yandex Cloud CLI yet, install and initialize it.
The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also specify a different folder for any command using --folder-name or --folder-id. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
To revoke a role for a function, run this command:
- User:
Result:
yc serverless function remove-access-binding \ --id <function_ID> \ --user-account-id <user_ID> \ --role <role>done (1s) - Service account:
Result:
yc serverless function remove-access-binding \ --id <function_ID> \ --service-account-id <service_account_ID> \ --role <role>done (1s) - All authorized users (the
All authenticated userspublic group):Result:yc serverless function remove-access-binding \ --id <function_ID> \ --all-authenticated-users \ --role <role>done (1s)
To revoke function roles, use the updateAccessBindings REST API method for the Function resource or the FunctionService/UpdateAccessBindings gRPC API call.