Yandex Identity and Access Management overview
The IAM service controls access to resources and lets you configure access rights. You determine who should have rights for a certain resource and what these rights are, while IAM grants access according to the assigned rights.
With IAM, you can:
- Grant access to resources.
- Manage accounts in Yandex Cloud.
- Manage authentication keys.
- Log in to Yandex Cloud.
Resource access
To grant a user access to a resource, you assign them roles for the resource. Each role consists of a set of permissions that describe operations that can be performed with the resource.
Before performing an operation with a resource (e.g., creating a VM), Yandex Cloud asks IAM to check whether this operation is allowed. IAM compares the list of permissions the operation requires against the list of permissions held by the user performing it. If the user lacks any of the required permissions, the operation is denied and Yandex Cloud returns an error. For more information, see How access management works in Yandex Cloud.
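The check described above, as an added illustration that is not Yandex Cloud's own code: roles are modelled as sets of permissions, a subject holds the union of the permissions of the roles bound to it on a resource, and an operation is allowed only when every permission it requires is held. The role names, permission strings, subjects and operations are constructed for the example and are not Yandex Cloud identifiers; a subject with no bindings holds no permissions and is denied by default.

```python
# Added illustration of a role-based permission check; not Yandex Cloud's
# implementation. All role and permission names below are constructed.
from dataclasses import dataclass, field

# A role is a named set of permissions (constructed names).
ROLES = {
    "example.viewer": {"example.vm.get", "example.vm.list"},
    "example.editor": {
        "example.vm.get",
        "example.vm.list",
        "example.vm.create",
        "example.vm.delete",
    },
}

# Each operation lists the permissions it requires (constructed mapping).
OPERATION_PERMISSIONS = {
    "create_vm": {"example.vm.create"},
    "list_vms": {"example.vm.list"},
    "delete_vm": {"example.vm.get", "example.vm.delete"},
}


@dataclass
class ResourceBindings:
    """Role bindings on one resource: subject -> set of role names."""

    bindings: dict = field(default_factory=dict)

    def assign_role(self, subject: str, role: str) -> None:
        """Bind a role to a subject on this resource."""
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.bindings.setdefault(subject, set()).add(role)

    def permissions_of(self, subject: str) -> set:
        """Union of the permissions of every role bound to the subject.

        A subject with no bindings gets an empty set, i.e. deny by default.
        """
        held = set()
        for role in self.bindings.get(subject, ()):
            held |= ROLES[role]
        return held


def check_operation(resource: ResourceBindings, subject: str, operation: str):
    """Return (allowed, missing_permissions).

    The operation is allowed only if the subject holds every permission it
    requires; otherwise the sorted list of missing permissions explains the
    denial, which is what you would want to surface in an audit log.
    """
    required = OPERATION_PERMISSIONS[operation]
    held = resource.permissions_of(subject)
    missing = required - held
    return (not missing, sorted(missing))


if __name__ == "__main__":
    folder = ResourceBindings()
    folder.assign_role("alice", "example.viewer")
    folder.assign_role("bob", "example.editor")
    for subject, op in [("alice", "list_vms"), ("alice", "create_vm"),
                        ("bob", "delete_vm"), ("carol", "list_vms")]:
        allowed, missing = check_operation(folder, subject, op)
        print(f"{subject} {op}: {'allowed' if allowed else 'denied'} {missing}")
```

Note that the check is purely additive: a subject's permissions are the union of its roles, so the only way to take a permission away is to unbind the role that grants it. Listing the missing permissions on denial makes an "access denied" error actionable without weakening the check.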
Accounts in Yandex Cloud
To identify users performing operations with resources, Yandex Cloud allows using various account types. For more information, see Accounts in Yandex Cloud.
Authentication keys
There are three types of keys used for authentication in Yandex Cloud:
- API keys: Used instead of IAM tokens for simplified authorization.
- Authorized keys: Used to obtain IAM tokens for service accounts.
- Static access keys: Used in services with AWS-compatible APIs.
All three key types are currently used only for service accounts.
Authentication
For IAM to be able to authorize the user (i.e., check if the user has the required permissions), the user must get authenticated. Authentication is performed in different ways, depending on the type of account and the interface used. For more information, see How to choose the appropriate authentication method in Yandex Cloud.