Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Assigning roles

Written by
Updated at May 13, 2025

To grant access to a resource, assign a role for it. You can assign a role to:

You can assign a role not only for the resource itself but also for its parent resource, as the former inherits access permissions from the latter. For example, if a service account gets a role for a cloud, it will also get permissions for all resources across the cloud's folders. To learn more, see How access management works in Yandex Cloud.

Learn which resources you can assign a role for.

To select roles, look them up in the role reference.

Assigning a role for a cloud

  1. In the management console, select the cloud or folder.
  2. Navigate to the Access bindings tab.
  3. Click Configure access.
  4. Select the group, user, or service account you want to grant access to a cloud or folder.
  5. Click Add role and select the required roles.
  6. Click Save.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role for a cloud or folder:

  1. See the description of the CLI role assignment command:

    yc resource-manager <cloud_or_folder> add-access-binding --help

    Specify cloud for a cloud or folder for a folder.

  2. Get a list of available clouds or folders with their IDs:

    yc resource-manager <cloud_or_folder> list

  3. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  4. Use one of these commands to assign a role:

    • To a Yandex account user:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --user-account-id <user_ID>

    • To a federated user:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --subject federatedUser:<user_ID>

    • To a service account:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --service-account-id <service_account_ID>

    • To a user group:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --subject group:<group_ID>

    • To all users of an organization:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --organization-users <organization_ID>

    • To all users of an identity federation:

      yc resource-manager <cloud_or_folder> add-access-binding \
   --id <cloud_or_folder_ID> \
   --role <role> \
   --federation-users <federation_ID>

To assign a role for a cloud, use the updateAccessBindings REST API method for the Cloud resource or the CloudService/UpdateAccessBindings gRPC API call.

To assign a role for a folder, use the updateAccessBindings REST API method for the Folder resource or the FolderService/UpdateAccessBindings gRPC API call.

Provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning a role for an organization

To grant access permissions for an organization, you need the organization-manager.admin role or higher. To learn more about the role sequence, see the Yandex Cloud Organization document.

To assign a role for an organization:

  1. Log in to Yandex Cloud Organization using an administrator or organization owner account.

  2. In the left-hand panel, select Access bindings.

  3. If the user, service account, or user group already has at least one role assigned, click in the row with that user, service account, or group and select Assign bindings.

    If the user, service account, or user group is not on the list, click Assign bindings in the top-right corner. In the window that opens, select the user, service account, or group from the list. If required, use the search bar.

  4. Click Add role and select the role to assign. You can assign multiple roles.

    You can find the description of the available roles in the Yandex Cloud role reference.

  5. Click Save.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role for an organization:

  1. See the description of the CLI role assignment command:

    yc organization-manager organization add-access-binding --help

  2. Get a list of available organizations with their IDs:

    yc organization-manager organization list

  3. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  4. Use one of these commands to assign a role:

    • To a Yandex account user:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --user-account-id <user_ID>

    • To a federated user:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --subject federatedUser:<user_ID>

    • To a service account:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --service-account-id <service_account_ID>

    • To all users of an organization:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --organization-users <organization_ID>

    • To all users of an identity federation:

      yc organization-manager organization add-access-binding \
   --id <organization_ID> \
   --role <role> \
   --federation-users <federation_ID>

If you do not have Terraform yet, install it and configure its Yandex Cloud provider.

To assign a role for an organization:

  1. Get the ID of the user, service account, or user group you are assigning a role to.

  2. Describe the resource with the role for the organization in the configuration file.

    Here is the configuration file example:

    resource "yandex_organizationmanager_organization_iam_binding" "<resource_name>" {
  organization_id = "<organization_ID>"
  role            = "<role>"
  members         = [<users>]
}

    Where:

    • organization_id: Organization ID. This is a required parameter.

    • role: Role to assign. For each role, you can only use one yandex_organizationmanager_organization_iam_binding resource. This is a required parameter.

    • members: Users getting the role. Specify the following:

      • members = ["userAccount:<user_ID>"]: For a user with a Yandex account.
      • members = ["federatedUser:<user_ID>"]: For a federated user.
      • members = ["serviceAccount:<user_ID>"]: For a service account.
      • members = ["group:<user_ID>"]: For a user group.
      • members = ["system:group:organization:<organization_ID>:users"]: For all organization users.
      • members = ["system:group:federation:<organization_ID>:users"]: For all identity federation users.

    For more information, see the provider documentation.

  3. Make sure the settings are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Assign the role.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    This will create the necessary resources in the organization. You can check the new resources using the management console or this CLI command:

    yc organization-manager organization list-access-bindings <organization_name_or_ID>

To assign a role for the organization, use the updateAccessBindings REST API method for the Organization resource or the OrganizationService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning a role for a resource

You can assign a role not only for an organization, cloud, or folder but their child resources as well. These are listed in List of resources you can assign roles for.

To assign a role for a resource:

  1. In the management console, select the folder the resource resides in.
  2. Open its page.
  3. Go to Access bindings and click Assign roles.
  4. Select the group, user, or service account you want to grant access to a resource.
  5. Click Add role and select the required roles.
  6. Click Save.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign a role for a resource:

  1. See the description of the CLI role assignment command:

    yc <service_name> <resource> add-access-binding --help

    Example for a Yandex Compute Cloud VM:

    yc compute instance add-access-binding --help

  2. Get a list of resources with their IDs:

    yc <service_name> <resource> list

  3. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  4. Use one of these commands to assign a role:

    • To a Yandex account user:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --user-account-id <user_ID>

    • To a federated user:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --subject federatedUser:<user_ID>

    • To a service account:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --service-account-id <service_account_ID>

    • To a user group:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --subject group:<group_ID>

    • To all users of an organization:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --organization-users <organization_ID>

    • To all users of an identity federation:

      yc <service_name> <resource> add-access-binding \
   --id <resource_ID> \
   --role <role> \
   --federation-users <federation_ID>

To assign a role for a resource, use the updateAccessBindings REST API method or gRPC API call for the resource and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning multiple roles

  1. In the management console, select the folder the resource resides in.
  2. Open its page.
  3. Go to Access bindings and click Assign roles.
  4. Select the group, user, or service account you want to grant access to a resource.
  5. Click Add role and select the required roles.
  6. Click Save.

Alert

The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud (CLI) command line interface yet, install and initialize it.

The folder specified when creating the CLI profile is used by default. To change the default folder, use the yc config set folder-id <folder_ID> command. You can specify a different folder using the --folder-name or --folder-id parameter.

To assign multiple roles for a resource:

  1. Make sure the resource has no roles assigned that you would not want to lose:

    yc <service_name> <resource> list-access-bindings \
   --id <resource_ID>

    Example for a Yandex Compute Cloud VM:

    yc compute instance list-access-bindings \
   --id <VM_ID>

  2. See the description of the CLI role assignment command:

    yc <service_name> <resource> set-access-bindings --help

  3. Get a list of resources with their IDs:

    yc <service_name> <resource> list

  4. Get the ID of the user, service account, user group, organization, or identity federation to which or the users of which you are assigning a role.

  5. Use one of the commands below to assign roles:

    • To a Yandex account user:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,user-account-id=<user_ID>

    • To a federated user:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=federatedUser:<user_ID>

    • To a service account:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,service-account-id=<service_account_ID>

    • To a user group:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=group:<group_ID>

    • To all users of an organization:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=system:group:organization:<organization_ID>:users

    • To all users of an identity federation:

      yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<role>,subject=system:group:federation:<federation_ID>:users

    Provide a separate --access-binding flag for each role. Example:

    yc <service_name> <resource> set-access-bindings \
   --id <resource_ID> \
   --access-binding role=<Role_1>,service-account-id=<service_account_ID> \
   --access-binding role=<Role_2>,service-account-id=<service_account_ID> \
   --access-binding role=<Role_3>,service-account-id=<service_account_ID>

Alert

The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

To assign multiple roles for a resource, use the setAccessBindings REST API method or gRPC API call for the resource. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

  • Role in the accessBindings[].roleId parameter.
  • ID of the subject getting the roles in the accessBindings[].subject.id parameter.
  • Type of the subject getting the roles in the accessBindings[].subject.type parameter.
Previous
Deleting a service account
Next
Viewing assigned roles