Access policies
Note
This feature is in the Preview stage. To get access, contact tech support
Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for performing specific operations on Yandex Cloud resources. Access policies complement the role system for more flexible access management.
Access policies for resources are created based on access policy templates.
Relationships between access policies and roles
Access policies enforce explicit restrictions, unlike roles, which grant explicit permissions. The relationships between access policies and roles are as follows:
-
To perform an operation, it must be allowed by a role and not prohibited by an access policy. Access permissions are checked in the following order:
- The system checks if the user is assigned a role required to perform the operation. If they have no such role, the operation is denied without any further checks.
- If the user has the required role, the system checks access policies for an explicit restriction to perform the operation and denies or allows the operation accordingly.
-
Access policies do not replace roles, but add an extra layer of access control. Users still need relevant roles for operations, regardless of the access policies in place.
-
To manage access policies, a user must have one of the following roles:
resource-manager.adminoradminfor the folder or cloud to manage access policies at the folder or cloud level, respectively.organization-manager.adminoradminfor the organization to manage access policies at the organization level.
Resources that take access policies
You can create access policies for the following resources:
- Organization: Access policy applies to resources in all clouds and folders within an organization.
- Cloud: Access policy applies to resources in all folders within a cloud.
- Folder: Access policy applies only to resources within a specific folder.
Access policies created at higher levels of the Yandex Cloud resource hierarchy are inherited by lower-level resources.
You can create several access policies for one resource at the same time.
Access policy templates
Some access policy templates require you to specify parameters when assigned to a resource; others do not.
Templates without parameters
The following access policy templates do not contain parameters and unconditionally restrict relevant actions:
- backup.denyActivation
- backup.denyRemoveProtection
- iam.denyServiceAccountAccessKeysCreation
- iam.denyServiceAccountApiKeysCreation
- iam.denyServiceAccountAuthorizedKeysCreation
- iam.denyServiceAccountCreation
- iam.denyServiceAccountCredentialsCreation
- iam.denyServiceAccountFederatedCredentialsCreation
- iam.denyServiceAccountImpersonation
- organization.denyMemberInvitation
- organization.denyUserListing
- resourceManager.denyCloudRemoval
backup.denyActivation
This policy prohibits connecting protected resources to Yandex Cloud Backup, linking or unlinking them from backup policies.
backup.denyRemoveProtection
This policy prohibits updating or deleting Yandex Cloud Backup policies, removing resources from such policies, and deleting any existing resource backups.
iam.denyServiceAccountAccessKeysCreation
This policy prohibits creating static access keys for service accounts.
iam.denyServiceAccountApiKeysCreation
This policy prohibits creating API keys for service accounts.
iam.denyServiceAccountAuthorizedKeysCreation
This policy prohibits creating authorized keys for service accounts.
iam.denyServiceAccountCreation
This policy prohibits creating service accounts.
iam.denyServiceAccountCredentialsCreation
This policy prohibits the following:
- Creating any credentials for service accounts (except IAM tokens).
- Associating service accounts with workload identity federations.
iam.denyServiceAccountFederatedCredentialsCreation
This policy prohibits associating service accounts with workload identity federations.
iam.denyServiceAccountImpersonation
This policy prohibits impersonation.
organization.denyMemberInvitation
This policy prohibits inviting new Yandex account users to the organization. The policy can be created only for an organization.
organization.denyUserListing
This policy prohibits viewing the list of organization users. The policy can be created only for an organization.
resourceManager.denyCloudRemoval
This policy prohibits deleting clouds in Yandex Cloud:
- If the policy is created for an organization, the prohibition applies to all clouds in that organization.
- If the policy is created for a cloud, the prohibition only applies to that cloud.
- If the policy is created for a folder, no prohibition applies.
Templates with parameters
The following access policy templates allow their restrictions to be customized by parameters:
Tip
For more information on how to create access policies based on templates with parameters, see Creating an access policy for a resource.
- serverless.containers.restrictNetworkAccess
- serverless.containers.restrictResourceVPCNetwork
- serverless.functions.restrictNetworkAccess
- serverless.functions.restrictResourceVPCNetwork
- serverless.mcpGateways.restrictNetworkAccess
- serverless.mcpGateways.restrictResourceVPCNetwork
- serverless.responses.restrictNetworkAccess
- serverless.workflows.restrictNetworkAccess
- serverless.workflows.restrictResourceVPCNetwork
serverless.containers.restrictNetworkAccess
The policy prohibits calling and managing Yandex Serverless Containers containers from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.
Customizable parameters (applied using the OR logic):
allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call and manage containers from.allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing containers via the configured service connection.
serverless.containers.restrictResourceVPCNetwork
The policy prohibits binding any cloud networks to Yandex Serverless Containers containers except the networks explicitly specified.
A customizable parameter:
allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the containers.
serverless.functions.restrictNetworkAccess
The policy prohibits calling and managing Yandex Cloud Functions functions from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.
Customizable parameters (applied using the OR logic):
allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call and manage functions from.allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing functions via the configured service connection.
serverless.functions.restrictResourceVPCNetwork
The policy prohibits binding any cloud networks to Yandex Cloud Functions functions except the networks explicitly specified.
A customizable parameter:
allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the functions.
serverless.mcpGateways.restrictNetworkAccess
The policy prohibits calling and managing MCP Hub MCP servers
Customizable parameters (applied using the OR logic):
allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call and manage MCP servers from.allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing MCP servers via the configured service connection.
serverless.mcpGateways.restrictResourceVPCNetwork
The policy prohibits binding any cloud networks to MCP Hub MCP servers
A customizable parameter:
allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the MCP servers.
serverless.responses.restrictNetworkAccess
The policy prohibits calling Yandex Cloud AI Studio Responses API
Customizable parameters (applied using the OR logic):
allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can call Responses API methods.allowed_vpc_network_ids: List of IDs of cloud networks that allow calling Responses API methods via the configured service connection.
serverless.workflows.restrictNetworkAccess
The policy prohibits executing Yandex Serverless Integrations workflows from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.
Customizable parameters (applied using the OR logic):
allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation you can execute and manage workflows from.allowed_vpc_network_ids: List of IDs of cloud networks that allow executing and managing workflows via the configured service connection.
serverless.workflows.restrictResourceVPCNetwork
The policy prohibits binding any cloud networks to Yandex Serverless Integrations workflows except the networks explicitly specified.
A customizable parameter:
allowed_vpc_network_ids: List of IDs of cloud networks that can be bound to the workflows.