Creating an access policy for a resource
Note
This feature is in the Preview stage. To get access, contact tech support
Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with Yandex Cloud resources. Access policies are based on templates and complement the role system for more flexible access management.
You can create an access policy for a folder, cloud, or organization.
Note
To manage access policies, a user must have one of the following roles:
resource-manager.adminoradminfor the folder or cloud to manage access policies at the folder or cloud level, respectively.organization-manager.adminoradminfor the organization to manage access policies at the organization level.
Creating an access policy for a folder
To create a folder access policy from a template without parameters:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
-
Get a list of supported access policy templates with their IDs.
-
Run this command:
yc resource-manager folder bind-access-policy \ --name <folder_name> \ --access-policy-template-id=<policy_template_ID>Where:
--name: Name of the folder to create the policy for. Instead of the folder name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the template to use as the basis for the new access policy for the folder.
-
Make sure the policy was created.
Use the bindAccessPolicy REST API method for the Folder resource or the FolderService/BindAccessPolicy gRPC API call.
The created access policy will apply to all resources in the specified folder.
Creating an access policy for a cloud
To create an access policy for a cloud based on a template without parameters:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
-
Get a list of supported access policy templates with their IDs.
-
Run this command:
yc resource-manager cloud bind-access-policy \ --name <cloud_name> \ --access-policy-template-id=<policy_template_ID>Where:
--name: Name of the cloud to create the policy for. Instead of the cloud name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the template to use as the basis for the new access policy for the cloud.
-
Make sure the policy was created.
Use the bindAccessPolicy REST API method for the Cloud resource or the CloudService/BindAccessPolicy gRPC API call.
The new access policy will apply to resources within all folders in the specified cloud.
Creating an access policy for an organization
To create an access policy for an organization based on a template without parameters:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
-
Get a list of supported access policy templates with their IDs.
-
Run this command:
yc organization-manager organization bind-access-policy \ --name <organization_name> \ --access-policy-template-id=<policy_template_ID>Where:
--name: Name of the organization you want to create a policy for. Instead of the organization name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the template you want to use as the basis for the new access policy for the organization.
-
Make sure the policy was created.
Use the bindAccessPolicy REST API method for the Organization resource or the OrganizationService/BindAccessPolicy gRPC API call.
The new access policy will apply to resources within all clouds in the specified organization.
All access policy templates without parameters are assigned for resources in the same way. For information on how to assign a policy template with parameters for a resource, see Examples.
Examples
Creating an access policy for a folder based on the serverless.containers.restrictNetworkAccess template
The serverless.containers.restrictNetworkAccess policy prohibits calling and managing Yandex Serverless Containers containers from any addresses except explicitly specified IP addresses or Yandex Virtual Private Cloud cloud networks.
To assign the serverless.containers.restrictNetworkAccess policy template for a folder:
yc resource-manager folder bind-access-policy \
--name my-folder \
--access-policy-template-id=serverless.containers.restrictNetworkAccess \
--parameters '"allowed_src_ips=[<IP_address_range_1>,<IP_address_range_2>,<IP_address_range_3>]","allowed_vpc_network_ids=[<network_1_ID>,<network_2_ID>,<network_3_ID>]"'
Where:
-
--parameters: Access policy parameters:Alert
Restrictions specified in parameters are applied using the
ORlogic.-
allowed_src_ips: List of IP addresses or IP address ranges in CIDR notation to allow calling and managing containers.If you do not want to list IP addresses or IP address ranges, provide an empty list in the parameter:
"allowed_src_ips=[]". -
allowed_vpc_network_ids: List of IDs of cloud networks that allow calling and managing containers via a configured service connection.If you do not want to list cloud network IDs, provide an empty list in the parameter:
"allowed_vpc_network_ids=[]".
-