Yandex Identity and Access Management overview
The IAM service controls access to Yandex Cloud resources and lets you configure access rights. You decide who should have rights to a given resource and which rights they get; IAM then grants or denies each request according to the rights you assigned.
With IAM, you can:
- Grant access to resources.
- Manage accounts in Yandex Cloud.
- Manage authentication keys.
- Log in to Yandex Cloud.
Resource access
To grant a user access to a resource, you assign them one or more roles on that resource. Each role is a set of permissions, and each permission names an operation that may be performed on the resource.
Before performing an operation on a resource, such as creating a VM, Yandex Cloud asks the IAM service whether the operation is allowed. IAM compares the set of permissions the operation requires with the set of permissions the calling user holds on that resource through their assigned roles. If even one required permission is missing, the operation is denied and Yandex Cloud returns an error. For more information, see How access management works in Yandex Cloud.
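The check described above, as an added example in Go (not Yandex Cloud's own code): a small model of the role-to-permission resolution and the subset test IAM performs, returning the missing permissions so the caller sees why a request was denied. It also models one behaviour the overview does not mention but Yandex Cloud documents elsewhere: a role assigned on a cloud or folder is inherited by the folders and resources beneath it. The role names, permission names, resource IDs and subjects are constructed stand-ins, not real identifiers; the real ones are in the Yandex Cloud role reference.

```go
package main

import (
	"fmt"
	"sort"
)

// rolePermissions maps a role to the permissions it carries. Names are illustrative
// stand-ins; the real identifiers are in the Yandex Cloud role reference.
var rolePermissions = map[string][]string{
	"viewer":   {"compute.instances.get", "compute.instances.list"},
	"editor":   {"compute.instances.get", "compute.instances.list", "compute.instances.create", "compute.instances.delete"},
	"vpc.user": {"vpc.subnets.use"},
}

// Resource is a node in the cloud → folder → resource hierarchy; a cloud has no parent.
type Resource struct {
	ID, Parent string
}

// Binding assigns a role to a subject (user or service account) on a resource.
type Binding struct {
	Resource, Subject, Role string
}

type Authorizer struct {
	resources map[string]Resource
	bindings  []Binding
}

// effectivePermissions walks from the resource up to its cloud and unions the permissions
// of every role bound to the subject on the way, so a role assigned on a cloud or folder
// is inherited by everything beneath it.
func (a *Authorizer) effectivePermissions(subject, resourceID string) map[string]bool {
	perms := map[string]bool{}
	seen := map[string]bool{}
	for id := resourceID; id != "" && !seen[id]; id = a.resources[id].Parent {
		seen[id] = true // guards against a malformed hierarchy that contains a cycle
		for _, b := range a.bindings {
			if b.Resource != id || b.Subject != subject {
				continue
			}
			for _, p := range rolePermissions[b.Role] {
				perms[p] = true
			}
		}
	}
	return perms
}

// Check answers the question IAM is asked before an operation runs: does the subject hold
// every permission the operation needs on this resource? It returns the sorted list of
// permissions that are missing; the operation is allowed only when that list is empty.
func (a *Authorizer) Check(subject, resourceID string, required []string) (bool, []string) {
	have := a.effectivePermissions(subject, resourceID)
	var missing []string
	for _, p := range required {
		if !have[p] {
			missing = append(missing, p)
		}
	}
	sort.Strings(missing)
	return len(missing) == 0, missing
}

// newDemoAuthorizer builds a constructed hierarchy: one cloud, one folder, one VM.
func newDemoAuthorizer() *Authorizer {
	return &Authorizer{
		resources: map[string]Resource{
			"cloud-a":    {ID: "cloud-a"},
			"folder-dev": {ID: "folder-dev", Parent: "cloud-a"},
			"vm-1":       {ID: "vm-1", Parent: "folder-dev"},
		},
		bindings: []Binding{
			{Resource: "cloud-a", Subject: "alice", Role: "viewer"}, // inherited by the folder and the VM
			{Resource: "folder-dev", Subject: "bob", Role: "editor"},
			{Resource: "folder-dev", Subject: "carol", Role: "vpc.user"},
		},
	}
}

func main() {
	a := newDemoAuthorizer()
	// In this model, creating a VM attached to a subnet needs a Compute and a VPC permission.
	createVM := []string{"compute.instances.create", "vpc.subnets.use"}
	for _, c := range []struct {
		subject, resource string
		required          []string
	}{
		{"alice", "vm-1", []string{"compute.instances.get"}},    // allowed via the cloud-level viewer role
		{"alice", "vm-1", []string{"compute.instances.delete"}}, // viewer cannot delete
		{"bob", "folder-dev", createVM},                         // editor lacks vpc.subnets.use
		{"mallory", "vm-1", []string{"compute.instances.get"}},  // no binding at all
	} {
		ok, missing := a.Check(c.subject, c.resource, c.required)
		fmt.Printf("%-7s on %-10s allowed=%-5v missing=%v\n", c.subject, c.resource, ok, missing)
	}
}
```

The model deliberately has no "deny" rules: Yandex Cloud access is purely additive, so the only way to take a permission away is to remove the binding that grants it, and the only way a request fails is a permission that no binding on the resource or its ancestors supplies.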
Accounts in Yandex Cloud
Yandex Cloud identifies the users performing operations on resources through several account types. For more information, see Accounts in Yandex Cloud.
Authentication keys
There are three types of keys used for authentication in Yandex Cloud:
- API keys: A secret used in place of an IAM token for simplified authorization in the services that support it. An API key is long-lived, so store and rotate it as you would a password.
- Authorized keys: An asymmetric key pair. You keep the private half and use it to sign a JWT, which IAM exchanges for a short-lived IAM token; Yandex Cloud stores only the public half.
- Static access keys: A key ID and secret pair used with services that expose AWS-compatible APIs, such as Object Storage, where requests are signed the same way as for AWS.
All three key types are currently issued to service accounts only.
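How an authorized key turns into an IAM token, as an added example in Go that is not Yandex Cloud's own SDK code. It builds the PS256-signed JWT that IAM expects (service account ID as `iss`, the tokens endpoint as `aud`, a lifetime of at most one hour, and the key ID in the `kid` header), then runs the verification IAM performs on the other side so that a wrong key, issuer or expiry is caught before any network call. The RSA key pair is generated on the spot as a stand-in for a downloaded authorized key, and the service account and key IDs are constructed placeholders; the POST to the endpoint is described in a comment rather than performed, so the block runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// tokensURL is the IAM token exchange endpoint; the JWT is POSTed there as {"jwt": "<token>"}.
const tokensURL = "https://iam.api.cloud.yandex.net/iam/v1/tokens"

// jwtClaims are the claims Yandex Cloud expects in a JWT built from an authorized key.
type jwtClaims struct {
	Iss string `json:"iss"` // service account ID
	Aud string `json:"aud"` // must equal tokensURL
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"` // at most one hour after iat
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// newDemoKey makes a throwaway RSA key pair standing in for the private half of an authorized key.
func newDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// buildJWT signs the claims with PS256; kid carries the authorized key ID so that IAM can
// look up the public half it stores for that key.
func buildJWT(saID, keyID string, priv *rsa.PrivateKey, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > time.Hour {
		return "", errors.New("ttl must be in (0, 1h]: IAM rejects JWTs that live longer")
	}
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "PS256", "kid": keyID})
	payload, _ := json.Marshal(jwtClaims{Iss: saID, Aud: tokensURL, Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyJWT does the checks the IAM side must make before issuing a token: fixed algorithm,
// known kid, valid signature, and acceptable iss, aud and exp. Run locally it is a pre-flight check.
func verifyJWT(token string, pubs map[string]*rsa.PublicKey, wantSA string, now time.Time) (*jwtClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	rawHdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawPayload, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("JWT segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "PS256" { // never let the token pick the algorithm
		return nil, fmt.Errorf("header rejected: alg %q", hdr.Alg)
	}
	pub, ok := pubs[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}); err != nil {
		return nil, err
	}
	var c jwtClaims
	switch {
	case json.Unmarshal(rawPayload, &c) != nil:
		return nil, errors.New("payload is not JSON")
	case c.Iss != wantSA:
		return nil, fmt.Errorf("issuer %q is not service account %q", c.Iss, wantSA)
	case c.Aud != tokensURL:
		return nil, fmt.Errorf("audience %q is not the tokens endpoint", c.Aud)
	case now.Unix() >= c.Exp || c.Exp-c.Iat > 3600:
		return nil, errors.New("JWT expired or lifetime exceeds one hour")
	}
	return &c, nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	priv, err := newDemoKey()
	must(err)
	// The service account ID and key ID below are constructed placeholders.
	token, err := buildJWT("ajeexample-sa", "ajeexample-key", priv, time.Now(), time.Hour)
	must(err)
	claims, err := verifyJWT(token, map[string]*rsa.PublicKey{"ajeexample-key": &priv.PublicKey}, "ajeexample-sa", time.Now())
	must(err)
	fmt.Printf("JWT for %s valid until %s; POST {\"jwt\": ...} to %s\n", claims.Iss, time.Unix(claims.Exp, 0).UTC(), tokensURL)
}
```

In real use the private key is read from the file saved when the authorized key was created, and the exchange reply carries the IAM token together with its expiry time; because that token is itself short-lived, the signing and exchange is repeated on a schedule rather than the token being cached indefinitely. The `hdr.Alg` check is the one worth copying into any JWT verifier: the verifier decides the algorithm, never the token.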
Authorization
A user must first pass authentication (prove who they are) before IAM can authorize them (check whether that identity holds the required rights). How authentication is performed depends on the account type and the interface used. For more information, see Authorization and authentication in Yandex Cloud.