Assigning an access policy
Note
This feature is in the Preview stage. To get access, contact tech support or your account manager.
Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with Yandex Cloud resources. Access policies complement the role system for more flexible access management.
You can assign an access policy for a folder, cloud, or organization.
Note
To manage access policies, a user must have one of the following roles:
resource-manager.adminoradminfor the folder or cloud to manage access policies at the folder or cloud level, respectively.organization-manager.adminoradminfor the organization to manage access policies at the organization level.
Assigning an access policy for a folder
To assign an access policy for a folder:
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
-
Get a list of supported access policies with their IDs.
-
Run this command:
yc resource-manager folder bind-access-policy \ --name <folder_name> \ --access-policy-template-id=<access_policy_ID>Where:
--name: Name of the folder to assign the policy for. Instead of the folder name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the access policy to assign for the folder.
-
Make sure the policy was assigned.
Use the bindAccessPolicy REST API method for the Folder resource or the FolderService/BindAccessPolicy gRPC API call.
The assigned access policy will apply to all resources in the specified folder.
Assigning an access policy for a cloud
To assign an access policy for a cloud, follow these steps:
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
-
Get a list of supported access policies with their IDs.
-
Run this command:
yc resource-manager cloud bind-access-policy \ --name <cloud_name> \ --access-policy-template-id=<access_policy_ID>Where:
--name: Name of the cloud you want to assign the access policy for. Instead of the cloud name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the access policy you want to assign for the cloud.
-
Make sure the policy was assigned.
Use the bindAccessPolicy REST API method for the Cloud resource or the CloudService/BindAccessPolicy gRPC API call.
The assigned access policy will apply to resources within all folders in the specified cloud.
Assigning an access policy for an organization
To assign an access policy for an organization:
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
-
Get a list of supported access policies with their IDs.
-
Run this command:
yc organization-manager organization bind-access-policy \ --name <organization_name> \ --access-policy-template-id=<access_policy_ID>Where:
--name: Name of the organization you want to assign the policy to. Instead of the organization name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the access policy you want to assign to the specified organization.
-
Make sure the policy was assigned.
Use the bindAccessPolicy REST API method for the Organization resource or the OrganizationService/BindAccessPolicy gRPC API call.
The assigned access policy will apply to resources within all clouds in the specified organization.