Creating an access policy for a resource
Note
This feature is in the Preview stage. To get access, contact tech support
Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with Yandex Cloud resources. Access policies are based on templates and complement the role system for more flexible access management.
You can create an access policy for a folder, cloud, or organization.
Note
To manage access policies, a user must have one of the following roles:
- resource-manager.admin or admin for the folder or cloud to manage access policies at the folder or cloud level, respectively.
- organization-manager.admin or admin for the organization to manage access policies at the organization level.
Creating an access policy for a folder
To create a folder access policy from a template without additional parameters:
- If you do not have the Yandex Cloud CLI yet, install and initialize it.
- Get a list of supported access policy templates with their IDs.
- Run this command:
yc resource-manager folder bind-access-policy \
--name <folder_name> \
--access-policy-template-id=<policy_template_ID>
Where:
  - --name: Name of the folder to create the policy for. Instead of the folder name, you can provide its ID in the --id parameter.
  - --access-policy-template-id: ID of the template to use as the basis for the new access policy for the folder.
- Make sure the policy was created.
Use the bindAccessPolicy REST API method for the Folder resource or the FolderService/BindAccessPolicy gRPC API call.
The created access policy will apply to all resources in the specified folder.
Creating an access policy for a cloud
To create an access policy for a cloud based on a template without additional parameters:
- If you do not have the Yandex Cloud CLI yet, install and initialize it.
- Get a list of supported access policy templates with their IDs.
- Run this command:
yc resource-manager cloud bind-access-policy \
--name <cloud_name> \
--access-policy-template-id=<policy_template_ID>
Where:
  - --name: Name of the cloud to create the policy for. Instead of the cloud name, you can provide its ID in the --id parameter.
  - --access-policy-template-id: ID of the template to use as the basis for the new access policy for the cloud.
- Make sure the policy was created.
Use the bindAccessPolicy REST API method for the Cloud resource or the CloudService/BindAccessPolicy gRPC API call.
The new access policy will apply to resources within all folders in the specified cloud.
Creating an access policy for an organization
To create an access policy for an organization based on a template without optional parameters:
- If you do not have the Yandex Cloud CLI yet, install and initialize it.
- Get a list of supported access policy templates with their IDs.
- Run this command:
yc organization-manager organization bind-access-policy \
--name <organization_name> \
--access-policy-template-id=<policy_template_ID>
Where:
  - --name: Name of the organization you want to create a policy for. Instead of the organization name, you can provide its ID in the --id parameter.
  - --access-policy-template-id: ID of the template you want to use as the basis for the new access policy for the organization.
- Make sure the policy was created.
Use the bindAccessPolicy REST API method for the Organization resource or the OrganizationService/BindAccessPolicy gRPC API call.
The new access policy will apply to resources within all clouds in the specified organization.
All access policy templates without additional parameters are assigned for resources in the same way. For information on how to assign a policy template with additional parameters for a resource, see Examples.
Examples
Creating the serverless.restrictPrivateNetworkInvocation policy for a folder
The serverless.restrictPrivateNetworkInvocation policy limits calling functions and containers from Yandex Virtual Private Cloud's private IP addresses to explicitly specified cloud networks or specific IP addresses within them.
Note
The serverless.restrictPrivateNetworkInvocation policy requires an active service connection from Yandex Cloud Functions and Yandex Serverless Containers to Yandex Virtual Private Cloud.
To assign the serverless.restrictPrivateNetworkInvocation policy template for a folder:
No IP-based restriction
yc resource-manager folder bind-access-policy \
--name "my-folder" \
--access-policy-template-id=serverless.restrictPrivateNetworkInvocation \
--parameters '"allowed_vpc_network_ids=[<network_1_ID>,<network_2_ID>,<network_3_ID>]","src_ip_restricted_network_ids=[]","allowed_src_ips=[]"'
Where allowed_vpc_network_ids is a list of cloud network IDs from which you can call functions and containers. Function and container calls will be allowed from any IP addresses within the subnets forming part of the specified cloud networks. In addition, there must be a cloud network from the mentioned list linked to the function/container.
You can provide an empty list for this parameter, in which case you must set an IP-based restriction in src_ip_restricted_network_ids and allowed_src_ips.
After you apply the policy in my-folder, you will only be able to use the private IP addresses to call those functions/containers that have linked cloud networks with the following IDs: <network_1_ID>, <network_2_ID>, and <network_3_ID>, and only from the IP addresses of the subnets belonging to those cloud networks.
With an IP-based restriction
yc resource-manager folder bind-access-policy \
--name "my-folder" \
--access-policy-template-id=serverless.restrictPrivateNetworkInvocation \
--parameters '"allowed_vpc_network_ids=[]","src_ip_restricted_network_ids=[<network_1_ID>,<network_2_ID>,<network_3_ID>]","allowed_src_ips=[10.1.2.0/24,172.16.17.0/28,192.168.1.2/32]"'
Where:
- src_ip_restricted_network_ids is a list of cloud network IDs from which you can call functions and containers, with an additional restriction on allowed IP addresses. Function and container calls will be allowed only from the specific IP addresses that belong to the specified cloud networks and are explicitly named in allowed_src_ips. In addition, there must be a cloud network from the mentioned list linked to the function/container.
- allowed_src_ips is a list of private IP addresses or IP address ranges in CIDR notation you can call functions and containers from. These IP addresses must belong to the cloud networks specified in src_ip_restricted_network_ids.
After you apply the policy in my-folder, you will only be able to use private IP addresses to call those functions/containers that have linked cloud networks with the following IDs: <network_1_ID>, <network_2_ID>, and <network_3_ID>, and only from IP addresses that both belong to those cloud networks and fall within the 10.1.2.0/24, 172.16.17.0/28, or 192.168.1.2/32 ranges.
Note
If allowed_vpc_network_ids has a non-empty value, the IP-based restriction specified by src_ip_restricted_network_ids and allowed_src_ips will be ignored.
Creating the serverless.restrictPublicInvocation policy for a folder
The serverless.restrictPublicInvocation policy restricts the ability to call functions and containers from public IP addresses.
To assign the serverless.restrictPublicInvocation policy template for a folder:
yc resource-manager folder bind-access-policy \
--name "my-folder" \
--access-policy-template-id=serverless.restrictPublicInvocation \
--parameters '"allowed_src_ips=[198.51.100.104/29,192.0.2.4/30]"'
Where allowed_src_ips is a list of public IP addresses or IP address ranges in CIDR notation you can call functions and containers from.
After you apply the policy in my-folder, calls to functions/containers from public IP addresses will be allowed only from addresses belonging to the 198.51.100.104/29 and 192.0.2.4/30 ranges.
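As an added illustration (this is not code from the Yandex Cloud documentation or CLI), the following Python models the decision rules described for both serverless.restrictPrivateNetworkInvocation and serverless.restrictPublicInvocation, including the precedence rule where a non-empty allowed_vpc_network_ids causes the IP-based restriction to be ignored. The network IDs and the subnet CIDRs mapped to them are constructed sample values, and the parameter rendering follows the --parameters format shown above.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data: subnet CIDRs per cloud network ID (not real IDs).
NETWORK_SUBNETS = {
    "net-1": ["10.1.2.0/24", "10.1.3.0/24"],
    "net-2": ["172.16.17.0/24"],
    "net-3": ["192.168.1.0/24"],
}


def _in_any(ip, cidrs):
    """True if ip falls inside at least one of the CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def _subnets_of(network_ids):
    return [s for n in network_ids for s in NETWORK_SUBNETS.get(n, [])]


def private_invocation_allowed(params, linked_network_id, src_ip):
    """Decision for a private-IP call under restrictPrivateNetworkInvocation.
    params holds the three template parameters as lists of strings."""
    allowed_nets = params.get("allowed_vpc_network_ids", [])
    if allowed_nets:
        # Non-empty allowed_vpc_network_ids: the IP-based restriction is ignored.
        # The function/container must be linked to a listed network and the
        # caller must sit in a subnet of one of the listed networks.
        return (linked_network_id in allowed_nets
                and _in_any(src_ip, _subnets_of(allowed_nets)))
    restricted = params.get("src_ip_restricted_network_ids", [])
    if linked_network_id not in restricted:
        return False
    # Both conditions must hold: inside a listed network's subnets AND
    # explicitly named in allowed_src_ips.
    return (_in_any(src_ip, _subnets_of(restricted))
            and _in_any(src_ip, params.get("allowed_src_ips", [])))


def public_invocation_allowed(params, src_ip):
    """Decision for a public-IP call under restrictPublicInvocation."""
    return _in_any(src_ip, params.get("allowed_src_ips", []))


def to_parameters_arg(params):
    """Render params in the comma-separated form passed to --parameters."""
    return ",".join(f'"{k}=[{",".join(v)}]"' for k, v in params.items())
```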