Service access to user resources
Note
This feature is in the Preview stage.
Yandex Cloud comprises multiple services. Some of these services may need access to various resources in a user cloud to perform certain tasks. For example, to manage DB connections, Yandex Connection Manager requires permissions to create and manage Yandex Lockbox secrets in a user cloud.
Yandex Identity and Access Management allows you to manage service access to resources in a user cloud by enabling or disabling the relevant services.
Service control is the whole of the access permissions needed to create and operate the service's resources in the user's cloud. Such access permissions are assigned to special service accounts, service agents, which the service uses to access user resources in a cloud.
Service status
Yandex Cloud services may have one of the following statuses:
-
DEFAULT: Default status.The service has no service agents. However, if you try to run an operation that requires access to other resources in a user cloud (e.g., create a connection in Yandex Connection Manager), the service agents will be automatically created and the service status will change to
ENABLED. -
ENABLED: Service enabled. Its service agents have been created, and the service has access to resources in a user cloud.When the status of a service in a cloud changes to
ENABLED, its service agents are created automatically. Such service agents have the required permissions to manage user resources in that cloud. -
DISABLED: Service disabled. It has no service agents and no access to resources in a user cloud.When a service in a cloud changes its status to
DISABLED, its service agents are automatically deleted.
Service agents
Service agents are dedicated system service accounts which belong to specific services in a user cloud and provide such services with access to resources in that cloud. The number of service agents and the exact access permissions granted to them depend on the service they belong to.
Note
Currently, you cannot view or change the roles granted to service agents by default. You will be able to do this going forward.
Service agents are created in a dedicated system folder in a user cloud. That folder is managed by the system, and no user can access it even if they have the administrator or cloud owner role.
A service agent has permissions to manage resources only in the cloud where it was created.
The user cannot directly create, delete, or assign roles to service agents. All the required service agents with the appropriate access permissions are automatically created when you enable a service and get deleted when you disable it. When a service is re-enabled, it gets new service agents with new IDs.
If a service has resources with access to the other resources in the user cloud, you cannot disable this service. To disable such a service, first delete all the service resources that have access to the other resources in this user cloud.
If you disable a service in a user cloud, this service will still be running, but its resources will not be able to access the other resources in that cloud.
What services can I manage in terms of access?
Currently you can manage the following services in terms of access:
| Service | ID |
|---|---|
| Yandex Compute Cloud: Disk encryption | disk-encryption |
| Yandex DataSphere | datasphere |
| Yandex MetaData Hub: Connection Manager | connection-manager |
| Yandex Security Deck: Data Security Posture Management (DSPM) | dspm |
| Yandex WebSQL | websql |
Moving forward, cloud administrators will be able to manage access of all the services that require permissions for actions with resources in Yandex Cloud. With CLI, you can get an up-to-date list of services whose access you can manage.
Service access to resources can be managed by users with the admin or owner roles for the cloud.