Access policies
Note: This feature is in the Preview stage. To get access, contact tech support.
Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for performing specific operations on Yandex Cloud resources. Access policies complement the role system for more flexible access management.
Relationships between access policies and roles
Access policies enforce explicit restrictions, unlike roles, which grant explicit permissions. The relationships between access policies and roles are as follows:
- Access policies take priority over roles. If an access policy prohibits an action, it will be denied even if the user's role allows the operation.
  Access permissions are checked in the following order:
  - The system checks access policies for an explicit restriction on performing the operation. If there is such a restriction, the operation is denied without any further checks.
  - If there is no restriction, the system checks whether the user is assigned a role required to perform the operation and allows or denies the operation accordingly.
- Access policies do not replace roles, but add an extra layer of access control. To perform operations, users still require the relevant roles, regardless of the existing access policies.
- To manage access policies, a user must have one of the following roles:
  - resource-manager.admin or admin for the folder or cloud to manage access policies at the folder or cloud level, respectively.
  - organization-manager.admin or admin for the organization to manage access policies at the organization level.
Resources governed by access policies
Access policies assigned at higher levels of the Yandex Cloud resource hierarchy are inherited by lower-level resources.
You can assign access policies for the following resources:
- Organization: Access policy applies to resources in all clouds and folders within an organization.
- Cloud: Access policy applies to resources in all folders within a cloud.
- Folder: Access policy applies only to resources within a specific folder.
You can assign multiple policies for a single resource.
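The two-step check above (explicit restriction first, role second) combined with inheritance down the organization, cloud and folder hierarchy, as an added illustration that is not Yandex Cloud code. The policy IDs, role names and operation names are constructed placeholders, since the real identifiers are not reproduced on this page.

```python
# Added illustration, not Yandex Cloud code; IDs, roles and operations are placeholders.
from dataclasses import dataclass, field

@dataclass
class Resource:
    name: str
    parent: "Resource | None" = None          # folder -> cloud -> organization
    policies: set = field(default_factory=set)  # policy IDs assigned at this level

# Placeholder policy ID -> operations it prohibits.
PROHIBITS = {
    "policy-no-sa-create": {"serviceAccounts.create"},
    "policy-no-sa-static-keys": {"serviceAccounts.createStaticKey"},
}

# Placeholder role -> operations it grants.
ROLE_GRANTS = {
    "sa-admin": {"serviceAccounts.create", "serviceAccounts.createStaticKey"},
    "sa-viewer": {"serviceAccounts.list"},
}

def ancestry(resource):
    """Yield the resource, then its cloud and organization: inherited policies apply."""
    while resource is not None:
        yield resource
        resource = resource.parent

def check_access(resource, roles, operation):
    """Step 1: a restriction anywhere up the hierarchy denies; step 2: the role decides."""
    for r in ancestry(resource):
        for policy_id in sorted(r.policies):
            if operation in PROHIBITS.get(policy_id, ()):
                return False, f"denied by {policy_id} assigned to {r.name}"
    for role in roles:
        if operation in ROLE_GRANTS.get(role, ()):
            return True, f"allowed by role {role}"
    return False, "no role grants the operation"

def demo():
    org = Resource("org", policies={"policy-no-sa-static-keys"})
    cloud = Resource("cloud", org)
    folder = Resource("folder", cloud, {"policy-no-sa-create"})
    return {
        "create_in_folder": check_access(folder, {"sa-admin"}, "serviceAccounts.create"),
        "create_in_cloud": check_access(cloud, {"sa-admin"}, "serviceAccounts.create"),
        "static_key_in_folder": check_access(folder, {"sa-admin"}, "serviceAccounts.createStaticKey"),
        "list_in_folder": check_access(folder, {"sa-viewer"}, "serviceAccounts.list"),
    }
```

Note that the folder-level policy denies creation in the folder even for the admin role, while the same role succeeds one level up in the cloud, and the organization-level policy reaches all the way down to the folder.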
Supported access policies
Currently, Identity and Access Management supports the following access policies:
| Policy ID | Imposed restrictions |
|---|---|
| | Prohibits creating service accounts. |
| | Prohibits creating static access keys for service accounts. |
| | Prohibits creating API keys for service accounts. |
| | Prohibits creating authorized keys for service accounts. |
| | Prohibits associating service accounts with workload identity federations. |
| | Prohibits impersonation. |
| | Prohibits inviting new Yandex account users to the organization. This policy must be assigned to an organization. |
| | Prohibits viewing the list of organization users. This policy must be assigned to an organization. |