Revoke a role for a resource

Written by

Updated at March 19, 2026

If you want to prevent a subject from accessing a resource, revoke the relevant roles for this resource and for resources that grant inherited access rights. For more information, see How access management works in Yandex Cloud.

Revoking a role

Management console

CLI

Terraform

API

To revoke a role in the folder and its child resources:
1. In the management console, click or in the top panel and select the folder.
2. Navigate to the Access bindings tab.
3. Select a user from the list and click next to the username.
4. Click Edit roles.
5. Click next to the role to revoke.
6. Click Save.
To revoke a role in the cloud:
1. In the management console, click or in the top panel and select the cloud.
2. Navigate to the Access bindings tab.
3. Select a user from the list and click next to the username.
4. Click Edit roles.
5. Click next to the role to revoke.
6. Click Save.
To revoke all the folder or cloud roles at once:
1. In the management console, click or in the top panel and select a folder or cloud.
2. Navigate to the Access bindings tab.
3. Select a user from the list and click next to the username.
4. If you want to revoke all of the user's roles in the cloud, click Revoke access and confirm the revocation.

If you do not have the Yandex Cloud CLI yet, install and initialize it.

To revoke a role from a subject, delete access permissions for the appropriate resource:

View the roles assigned for a resource:

yc <service_name> <resource_category> list-access-bindings <resource_name_or_ID>

Where:

<service_name>: Name of the service the resource belongs to, e.g., resource-manager.
<resource_category>: Resource category, e.g., folder.
<resource_name_or_ID>: Resource name or ID. You can specify a resource by its name or ID.

For example, you can view the roles and the assignees for the default folder:

yc resource-manager folder list-access-bindings default

Result:

+---------------------+----------------+----------------------+
|       ROLE ID       |  SUBJECT TYPE  |      SUBJECT ID      |
+---------------------+----------------+----------------------+
| editor              | serviceAccount | ajepg0mjas06******** |
| viewer              | userAccount    | aje6o61dvog2******** |
+---------------------+----------------+----------------------+

To delete access permissions, run this command:
```
yc <service_name> <resource_category> remove-access-binding <resource_name_or_ID> \
    --role <role_ID> \
    --subject <subject_type>:<subject_ID>
```
Where:
- --role: ID of the role to revoke, e.g., resource-manager.clouds.owner.
- <subject_type>: Subject type to revoke a role from.
- <subject_ID>: Subject ID.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To revoke a resource role from a subject, find the resource description in the configuration file:

resource "yandex_resourcemanager_cloud_iam_binding" "admin" {
    cloud_id    = "<cloud_ID>"
    role        = "<role>"
    members     = [
    "serviceAccount:<service_account_ID>",
    "userAccount:<user_ID>",
    ]
}

Delete the record with information about the subject whose permissions you need to revoke from the members list of users.

For more information about yandex_resourcemanager_cloud_iam_binding properties, see this provider guide.
Make sure the configuration files are correct.
1. In the command line, navigate to the directory where you created the configuration file.
2. Run a check using this command:
```
terraform plan
```
If the configuration description is correct, the terminal will display a list of the resources being created and their settings. Terraform will show any errors in the configuration.
Deploy the cloud resources.
1. If the configuration does not contain any errors, run this command:
```
terraform apply
```
2. Confirm creating the resources: type yes and press Enter.
This will create all the resources you need in the specified folder. You can check the new resource using the management console or this CLI command:
```
yc resource-manager cloud list-access-bindings <cloud_name_or_ID>
```

To revoke a resource role from a subject, delete the relevant access permissions:

View the roles and assignees for the resource using the listAccessBindings REST API method. For example, to view the roles for the b1gvmob95yys******** folder:

export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaATEVAgA...
curl \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:listAccessBindings"

Result:

{
  "accessBindings": [
  {
    "subject": {
      "id": "ajei8n54hmfh********",
      "type": "userAccount"
    },
    "roleId": "editor"
  }
  ]
}

Create the request body, e.g., in the body.json file. In the request body, specify access permissions to delete. For example, revoke the editor role from the ajei8n54hmfh******** user:

body.json:

{
    "accessBindingDeltas": [{
        "action": "REMOVE",
        "accessBinding": {
            "roleId": "editor",
            "subject": {
                "id": "ajei8n54hmfh********",
                "type": "userAccount"
                }
            }
        }
    ]
}

Revoke a role by deleting the assigned permissions:

export FOLDER_ID=b1gvmob95yys********
export IAM_TOKEN=CggaAT********
curl \
  --request POST \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer ${IAM_TOKEN}" \
  --data '@body.json' \
  "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"

Revoke a role for a resource

Revoking a roleRevoking a role

Was the article helpful?

Revoking a role