Contact UsGet started
© 2024 Iron Hive LLC Belgrade

Assigning roles

Written by
Updated at November 14, 2024

To grant access to a resource, assign a role for it. You can assign a role to:

You can assign a role not only for the resource itself but also for its parent resource, as the former inherits access permissions from the latter. For example, if a service account gets a role for a cloud, it will also get permissions for all resources across the cloud's folders. For more information, see How access management works in Yandex Cloud.

Learn which resources you can assign a role for.

To select roles, look them up in the role reference.

Assigning a role for a cloud

  1. In the management console, select the cloud or folder.
  2. Go to the Access bindings tab.
  3. Click Configure access.
  4. Select the group, user, or service account you want to grant access to a cloud or folder.
  5. Click Add role and select the required roles.
  6. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role for a cloud or folder:

  1. See the description of the CLI role assignment command:

    yc resource-manager <cloud_or_folder> add-access-binding --help

    Specify cloud for a cloud or folder for a folder.

  2. Get a list of available clouds or folders with their IDs:

    yc resource-manager <cloud_or_folder> list

  3. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  4. Use one of these commands to assign a role:

    • To a Yandex account user:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --user-account-id <user_ID>

    • To a federated user:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --subject federatedUser:<user_ID>

    • To a service account:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --service-account-id <service_account_ID>

    • To a user group:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --subject group:<group_ID>

    • To all users of an organization:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --organization-users <organization_ID>

    • To all users of an identity federation:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --federation-users <federation_ID>

To assign a role for a cloud, use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.

To assign a role for a folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.

Provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning a role for an organization

To grant access permissions for an organization, you need the organization-manager.admin role or higher. To learn more about the role sequence, see the Yandex Cloud Organization document.

To assign a role for an organization:

  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. If the user, service account, or user group you need already has at least one role assigned, click in the row with that user, service account, or group and select Assign bindings.

    If the user, service account, or user group is not on the list, click Assign bindings in the top-right corner. In the window that opens, select the user, service account, or group from the list. If required, use the search bar.

  4. Click Add role and select the role to assign. You can assign multiple roles.

    You can find the description of the available roles in the Yandex Cloud role reference.

  5. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role for an organization:

  1. See the description of the CLI role assignment command:

    yc organization-manager organization add-access-binding --help

  2. Get a list of available organizations with their IDs:

    yc organization-manager organization list

  3. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  4. Use one of these commands to assign a role:

    • To a Yandex account user:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --user-account-id <user_ID>

    • To a federated user:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --subject federatedUser:<user_ID>

    • To a service account:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --service-account-id <service_account_ID>

    • To all users of an organization:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --organization-users <organization_ID>

    • To all users of an identity federation:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --federation-users <federation_ID>

If you don't have Terraform, install it and configure the Yandex Cloud provider.

To assign a role for an organization:

  1. Get the ID of the user, service account, or user group you are assigning a role to.

  2. Describe the resource with the role for the organization in the configuration file.

    Here is an example of the configuration file structure:

    resource "yandex_organizationmanager_organization_iam_binding" "<resource_name>" {
  organization_id = "<organization_ID>"
  role            = "<role>"
  members         = [<users>]
}

    Where:

    • organization_id: Organization ID. This is a required parameter.

    • role: Role you want to assign. For each role, you can only use one yandex_organizationmanager_organization_iam_binding resource. This is a required parameter.

    • members: Users getting the role. Specify the following:

      • members = ["userAccount:<user_ID>"]: For a user with a Yandex account.
      • members = ["federatedUser:<user_ID>"]: For a federated user.
      • members = ["serviceAccount:<user_ID>"]: For a service account.
      • members = ["group:<user_ID>"]: For a user group.
      • members = ["system:group:organization:<organization_ID>:users"]: For all organization users.
      • members = ["system:group:federation:<federation_ID>:users"]: For all identity federation users.

    For more information, see the provider documentation.

  3. Make sure the settings are correct.

    1. Using the command line, navigate to the folder that contains the up-to-date Terraform configuration files with an infrastructure plan.

    2. Run the command:

      terraform validate

      If there are errors in the configuration files, Terraform will point to them.

  4. Assign the role.

    1. Run the command to view planned changes:

      terraform plan

      If the resource configuration descriptions are correct, the terminal will display a list of the resources to modify and their parameters. This is a test step. No resources are updated.

    2. If you are happy with the planned changes, apply them:

      1. Run the command:

        terraform apply

      2. Confirm the update of resources.

      3. Wait for the operation to complete.

    This will create the necessary resources in the organization. You can check the new resources using the management console or this CLI command:

    yc organization-manager organization list-access-bindings <organization_name_or_ID>

To assign a role for the organization, use the updateAccessBindings REST API method for the Organization resource or the OrganizationService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning a role for a resource

You can assign a role not only for an organization, cloud, or folder but their child resources as well. These are listed in List of resources that you can assign roles for.

To assign a role for a resource:

  1. In the management console, select the folder the resource resides in.
  2. Open its page.
  3. Go to Access bindings and click Assign bindings.
  4. Select the group, user, or service account you want to grant access to a resource.
  5. Click Add role and select the required roles.
  6. Click Save.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role for a resource:

  1. See the description of the CLI role assignment command:

    yc <service_name> <resource> add-access-binding --help

    Example for a Yandex Compute Cloud VM:

    yc compute instance add-access-binding --help

  2. Get a list of resources with their IDs:

    yc <service_name> <resource> list

  3. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  4. Use one of these commands to assign a role:

    • To a Yandex account user:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --user-account-id <user_ID>

    • To a federated user:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --subject federatedUser:<user_ID>

    • To a service account:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --service-account-id <service_account_ID>

    • To a user group:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --subject group:<group_ID>

    • To all users of an organization:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --organization-users <organization_ID>

    • To all users of an identity federation:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --federation-users <federation_ID>

To assign a role for a resource, use the updateAccessBindings REST API method or gRPC API call for the resource and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning multiple roles

  1. In the management console, select the folder the resource resides in.
  2. Open its page.
  3. Go to Access bindings and click Assign bindings.
  4. Select the group, user, or service account you want to grant access to a resource.
  5. Click Add role and select the required roles.
  6. Click Save.

Alert

The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign multiple roles for a resource:

  1. Make sure the resource has no roles assigned that you would not want to lose:

    yc <service_name> <resource> list-access-bindings \
   --id <resource_ID>

    Example for a Yandex Compute Cloud VM:

    yc compute instance list-access-bindings \
   --id <VM_ID>

  2. See the description of the CLI role assignment command:

    yc <service_name> <resource> set-access-bindings --help

  3. Get a list of resources with their IDs:

    yc <service_name> <resource> list

  4. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  5. Use one of the commands below to assign roles:

    • To a Yandex account user:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,user-account-id=<user_ID>

    • To a federated user:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=federatedUser:<user_ID>

    • To a service account:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,service-account-id=<service_account_ID>

    • To a user group:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=group:<group_ID>

    • To all users of an organization:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=system:group:organization:<organization_ID>:users

    • To all users of an identity federation:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=system:group:federation:<federation_ID>:users

    Provide a separate --access-binding flag for each role. Example:

    yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role_1>,service-account-id=<service_account_ID> \
   --access-binding role=<role_2>,service-account-id=<service_account_ID> \
   --access-binding role=<role_3>,service-account-id=<service_account_ID>

Alert

The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

To assign multiple roles for a resource, use the setAccessBindings REST API method or gRPC API call for the resource. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

  • Role in the accessBindings[].roleId parameter.
  • ID of the subject getting the roles in the accessBindings[].subject.id parameter.
  • Type of the subject getting the roles in the accessBindings[].subject.type parameter.
Previous
Deleting a service account
Next
Viewing assigned roles