Yandex Cloud
Search
Discuss with expertTry it for free
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
  • Marketplace
    • Featured
    • Infrastructure & Network
    • Data Platform
    • AI for business
    • Security
    • DevOps tools
    • Serverless
    • Monitoring & Resources
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
    • Price calculator
    • Pricing plans
  • Customer Stories
  • Documentation
  • Blog
© 2026 Direct Cursus Technology L.L.C.
Yandex Identity and Access Management
    • All guides
    • Handling secrets that are available in the public domain
    • Users
    • User groups
      • Getting a list of supported policy templates
      • Creating a policy for a resource
      • Viewing policies created for a resource
      • Delete policy
  • Secure use of Yandex Cloud
  • Access management
  • Pricing policy
  • Role reference
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes

In this article:

  • Creating an access policy for a folder
  • Creating an access policy for a cloud
  • Creating an access policy for an organization
  • Examples
  • Creating an access policy for a folder based on the serverless.containers.restrictNetworkAccess template
  1. Step-by-step guides
  2. Access policies
  3. Creating a policy for a resource

Creating an access policy for a resource

Written by
Yandex Cloud
Updated at July 8, 2026
View in Markdown
  • Creating an access policy for a folder
  • Creating an access policy for a cloud
  • Creating an access policy for an organization
  • Examples
    • Creating an access policy for a folder based on the serverless.containers.restrictNetworkAccess template

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with Yandex Cloud resources. Access policies are based on templates and complement the role system for more flexible access management.

You can create an access policy for a folder, cloud, or organization.

Note

To manage access policies, a user must have one of the following roles:

  • resource-manager.admin or admin for the folder or cloud to manage access policies at the folder or cloud level, respectively.
  • organization-manager.admin or admin for the organization to manage access policies at the organization level.

Creating an access policy for a folderCreating an access policy for a folder

To create a folder access policy from a template without parameters:

CLI
API

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Get a list of supported access policy templates with their IDs.

  2. Run this command:

    yc resource-manager folder bind-access-policy \
      --name <folder_name> \
      --access-policy-template-id=<policy_template_ID>
    

    Where:

    • --name: Name of the folder to create the policy for. Instead of the folder name, you can provide its ID in the --id parameter.
    • --access-policy-template-id: ID of the template to use as the basis for the new access policy for the folder.
  3. Make sure the policy was created.

Use the bindAccessPolicy REST API method for the Folder resource or the FolderService/BindAccessPolicy gRPC API call.

The created access policy will apply to all resources in the specified folder.

Creating an access policy for a cloudCreating an access policy for a cloud

To create an access policy for a cloud based on a template without parameters:

CLI
API

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Get a list of supported access policy templates with their IDs.

  2. Run this command:

    yc resource-manager cloud bind-access-policy \
      --name <cloud_name> \
      --access-policy-template-id=<policy_template_ID>
    

    Where:

    • --name: Name of the cloud to create the policy for. Instead of the cloud name, you can provide its ID in the --id parameter.
    • --access-policy-template-id: ID of the template to use as the basis for the new access policy for the cloud.
  3. Make sure the policy was created.

Use the bindAccessPolicy REST API method for the Cloud resource or the CloudService/BindAccessPolicy gRPC API call.

The new access policy will apply to resources within all folders in the specified cloud.

Creating an access policy for an organizationCreating an access policy for an organization

To create an access policy for an organization based on a template without parameters:

CLI
API

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Get a list of supported access policy templates with their IDs.

  2. Run this command:

    yc organization-manager organization bind-access-policy \
      --name <organization_name> \
      --access-policy-template-id=<policy_template_ID>
    

    Where:

    • --name: Name of the organization you want to create a policy for. Instead of the organization name, you can provide its ID in the --id parameter.
    • --access-policy-template-id: ID of the template you want to use as the basis for the new access policy for the organization.
  3. Make sure the policy was created.

Use the bindAccessPolicy REST API method for the Organization resource or the OrganizationService/BindAccessPolicy gRPC API call.

The new access policy will apply to resources within all clouds in the specified organization.

All access policy templates without parameters are assigned for resources in the same way. For information on how to assign a policy template with parameters for a resource, see Examples.

ExamplesExamples

Creating an access policy for a folder based on the serverless.containers.restrictNetworkAccess templateCreating an access policy for a folder based on the serverless.containers.restrictNetworkAccess template

The serverless.containers.restrictNetworkAccess policy prohibits calling and managing Yandex Serverless Containers containers from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.

To assign the serverless.containers.restrictNetworkAccess policy template for a folder:

CLI
yc resource-manager folder bind-access-policy \
  --name my-folder \
  --access-policy-template-id=serverless.containers.restrictNetworkAccess \
  --parameters '"allowed_src_ips=[<IP_address_range_1>,<IP_address_range_2>,<IP_address_range_3>]","allowed_vpc_network_ids=[<network_1_ID>,<network_2_ID>,<network_3_ID>]"'

Where:

  • --parameters: Access policy parameters:

    Alert

    Restrictions specified in parameters are applied using the OR logic.

    • allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation to allow calling and managing containers.

      If you do not want to list IP addresses or IP address ranges, provide an empty list in the parameter: "allowed_src_ips=[]".

    • allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing containers via a configured service connection.

      If you do not want to list cloud network IDs, provide an empty list in the parameter: "allowed_vpc_network_ids=[]".

Useful linksUseful links

  • Access policies
  • Getting a list of supported access policy templates
  • Viewing access policies created for a resource
  • Deleting an access policy

Was the article helpful?

Previous
Getting a list of supported policy templates
Next
Viewing policies created for a resource
© 2026 Direct Cursus Technology L.L.C.