Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Identity and Access Management
    • Overview
      • Overview
      • Roles
      • Access policies
      • System groups
      • Public groups
      • Resources that roles can be assigned for
      • Impersonation
    • Service access to user resources
    • Identity federations
    • Workload identity federations
    • Quotas and limits
  • Secure use of Yandex Cloud
  • Access management
  • Pricing policy
  • Role reference
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes

In this article:

  • Relationships between access policies and roles
  • Resources that take access policies
  • Access policy templates
  • Templates without parameters
  • Templates with parameters
  1. Concepts
  2. How access management works
  3. Access policies

Access policies

Written by
Yandex Cloud
Updated at July 8, 2026
View in Markdown
  • Relationships between access policies and roles
  • Resources that take access policies
  • Access policy templates
    • Templates without parameters
    • Templates with parameters

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for performing specific operations on Yandex Cloud resources. Access policies complement the role system for more flexible access management.

Access policies for resources are created based on access policy templates.

Relationships between access policies and rolesRelationships between access policies and roles

Access policies enforce explicit restrictions, unlike roles, which grant explicit permissions. The relationships between access policies and roles are as follows:

  • To perform an operation, it must be allowed by a role and not prohibited by an access policy. Access permissions are checked in the following order:

    1. The system checks if the user is assigned a role required to perform the operation. If they have no such role, the operation is denied without any further checks.
    2. If the user has the required role, the system checks access policies for an explicit restriction to perform the operation and denies or allows the operation accordingly.
  • Access policies do not replace roles, but add an extra layer of access control. Users still need relevant roles for operations, regardless of the access policies in place.

  • To manage access policies, a user must have one of the following roles:

    • resource-manager.admin or admin for the folder or cloud to manage access policies at the folder or cloud level, respectively.
    • organization-manager.admin or admin for the organization to manage access policies at the organization level.

Resources that take access policiesResources that take access policies

You can create access policies for the following resources:

  • Organization: Access policy applies to resources in all clouds and folders within an organization.
  • Cloud: Access policy applies to resources in all folders within a cloud.
  • Folder: Access policy applies only to resources within a specific folder.

Access policies created at higher levels of the Yandex Cloud resource hierarchy are inherited by lower-level resources.

You can create several access policies for one resource at the same time.

Access policy templatesAccess policy templates

Some access policy templates require you to specify parameters when assigned to a resource; others do not.

Templates without parametersTemplates without parameters

The following access policy templates do not contain parameters and unconditionally restrict relevant actions:

  • backup.denyActivation
  • backup.denyRemoveProtection
  • iam.denyServiceAccountAccessKeysCreation
  • iam.denyServiceAccountApiKeysCreation
  • iam.denyServiceAccountAuthorizedKeysCreation
  • iam.denyServiceAccountCreation
  • iam.denyServiceAccountCredentialsCreation
  • iam.denyServiceAccountFederatedCredentialsCreation
  • iam.denyServiceAccountImpersonation
  • organization.denyMemberInvitation
  • organization.denyUserListing
  • resourceManager.denyCloudRemoval

backup.denyActivationbackup.denyActivation

This policy prohibits connecting protected resources to Yandex Cloud Backup, linking or unlinking them from backup policies.

backup.denyRemoveProtectionbackup.denyRemoveProtection

This policy prohibits updating or deleting Yandex Cloud Backup policies, removing resources from such policies, and deleting any existing resource backups.

iam.denyServiceAccountAccessKeysCreationiam.denyServiceAccountAccessKeysCreation

This policy prohibits creating static access keys for service accounts.

iam.denyServiceAccountApiKeysCreationiam.denyServiceAccountApiKeysCreation

This policy prohibits creating API keys for service accounts.

iam.denyServiceAccountAuthorizedKeysCreationiam.denyServiceAccountAuthorizedKeysCreation

This policy prohibits creating authorized keys for service accounts.

iam.denyServiceAccountCreationiam.denyServiceAccountCreation

This policy prohibits creating service accounts.

iam.denyServiceAccountCredentialsCreationiam.denyServiceAccountCredentialsCreation

This policy prohibits the following:

  • Creating any credentials for service accounts (except IAM tokens).
  • Associating service accounts with workload identity federations.

iam.denyServiceAccountFederatedCredentialsCreationiam.denyServiceAccountFederatedCredentialsCreation

This policy prohibits associating service accounts with workload identity federations.

iam.denyServiceAccountImpersonationiam.denyServiceAccountImpersonation

This policy prohibits impersonation.

organization.denyMemberInvitationorganization.denyMemberInvitation

This policy prohibits inviting new Yandex account users to the organization. The policy can be created only for an organization.

organization.denyUserListingorganization.denyUserListing

This policy prohibits viewing the list of organization users. The policy can be created only for an organization.

resourceManager.denyCloudRemovalresourceManager.denyCloudRemoval

This policy prohibits deleting clouds in Yandex Cloud:

  • If the policy is created for an organization, the prohibition applies to all clouds in that organization.
  • If the policy is created for a cloud, the prohibition only applies to that cloud.
  • If the policy is created for a folder, no prohibition applies.

Templates with parametersTemplates with parameters

The following access policy templates allow their restrictions to be customized by parameters:

Tip

For more information on how to create access policies based on templates with parameters, see Creating an access policy for a resource.

  • serverless.containers.restrictNetworkAccess
  • serverless.containers.restrictResourceVPCNetwork
  • serverless.functions.restrictNetworkAccess
  • serverless.functions.restrictResourceVPCNetwork
  • serverless.mcpGateways.restrictNetworkAccess
  • serverless.mcpGateways.restrictResourceVPCNetwork
  • serverless.responses.restrictNetworkAccess
  • serverless.workflows.restrictNetworkAccess
  • serverless.workflows.restrictResourceVPCNetwork

serverless.containers.restrictNetworkAccessserverless.containers.restrictNetworkAccess

The policy prohibits calling and managing Yandex Serverless Containers containers from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.

Customizable parameters (applied using the OR logic):

  • allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call and manage containers from.
  • allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing containers via the configured service connection.

serverless.containers.restrictResourceVPCNetworkserverless.containers.restrictResourceVPCNetwork

The policy prohibits binding any cloud networks to Yandex Serverless Containers containers except the networks explicitly specified.

A customizable parameter:

  • allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the containers.

serverless.functions.restrictNetworkAccessserverless.functions.restrictNetworkAccess

The policy prohibits calling and managing Yandex Cloud Functions functions from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.

Customizable parameters (applied using the OR logic):

  • allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call and manage functions from.
  • allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing functions via the configured service connection.

serverless.functions.restrictResourceVPCNetworkserverless.functions.restrictResourceVPCNetwork

The policy prohibits binding any cloud networks to Yandex Cloud Functions functions except the networks explicitly specified.

A customizable parameter:

  • allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the functions.

serverless.mcpGateways.restrictNetworkAccessserverless.mcpGateways.restrictNetworkAccess

The policy prohibits calling and managing MCP Hub MCP servers from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.

Customizable parameters (applied using the OR logic):

  • allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call and manage MCP servers from.
  • allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing MCP servers via the configured service connection.

serverless.mcpGateways.restrictResourceVPCNetworkserverless.mcpGateways.restrictResourceVPCNetwork

The policy prohibits binding any cloud networks to MCP Hub MCP servers except the networks explicitly specified.

A customizable parameter:

  • allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the MCP servers.

serverless.responses.restrictNetworkAccessserverless.responses.restrictNetworkAccess

The policy prohibits calling Yandex Cloud AI Studio Responses API methods from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.

Customizable parameters (applied using the OR logic):

  • allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call Responses API methods.
  • allowed_vpc_network_ids: List of IDs of cloud networks that allow calling Responses API methods via the configured service connection.

serverless.workflows.restrictNetworkAccessserverless.workflows.restrictNetworkAccess

The policy prohibits executing Yandex Serverless Integrations workflows from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.

Customizable parameters (applied using the OR logic):

  • allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can execute and manage workflows from.
  • allowed_vpc_network_ids: List of IDs of cloud networks that allow executing and managing workflows via the configured service connection.

serverless.workflows.restrictResourceVPCNetworkserverless.workflows.restrictResourceVPCNetwork

The policy prohibits binding any cloud networks to Yandex Serverless Integrations workflows except the networks explicitly specified.

A customizable parameter:

  • allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the workflows.

Useful linksUseful links

  • Roles
  • Getting a list of supported access policy templates
  • Creating an access policy for a resource
  • Viewing access policies created for a resource
  • Deleting an access policy

Was the article helpful?

Previous
Roles
Next
System groups
© 2026 Direct Cursus Technology L.L.C.