Setting up service account access permissions

Written by
Yandex Cloud
Updated at October 29, 2025
  • Assigning a role for a service account
  • Examples
    • Assigning multiple roles
    • Setting up access from one service account to another service account

This section describes how to assign roles for the service account as a resource. To assign the service account a role for another resource, follow the instructions in Assigning roles to a service account.

Note

To assign a role for a service account, you need the iam.serviceAccounts.admin role.

Assigning a role for a service account

Management console
  1. In the management console, navigate to the folder the service account belongs to.
  2. In the list of services, select Identity and Access Management.
  3. In the left-hand panel, select Service accounts and select the service account.
  4. Navigate to the Access bindings tab.
  5. Click Assign roles.
  6. In the Configuring access bindings window, click Select subject.
  7. Select a user from the list or use the user search option.
  8. Click Add role.
  9. Choose the role.
  10. Click Save.

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the command to assign a role for a service account as a resource:

    yc iam service-account add-access-binding --help
    
  2. Select a service account, e.g., my-robot:

    yc iam service-account list
    

    Result:

    +----------------------+----------+------------------+
    |          ID          |   NAME   |   DESCRIPTION    |
    +----------------------+----------+------------------+
    | ajebqtreob2d******** | test-sa  | test-description |
    | aje6o61dvog2******** | my-robot |                  |
    +----------------------+----------+------------------+
    
  3. Choose the role.

    yc iam role list
    

    Result:

    +--------------------------------+-------------+
    |               ID               | DESCRIPTION |
    +--------------------------------+-------------+
    | admin                          |             |
    | compute.images.user            |             |
    | editor                         |             |
    | ...                            |             |
    +--------------------------------+-------------+
    
  4. Find out the user ID from the login or email address. To assign a role to a service account or a user group rather than to a single user, see the examples below.

    yc iam user-account get test-user
    

    Result:

    id: gfei8n54hmfh********
    yandex_passport_user_account:
        login: test-user
        default_email: test-user@yandex.ru
    
  5. Assign the editor role for the my-robot service account to test-user. In the subject, specify the userAccount type and user ID:

    yc iam service-account add-access-binding my-robot \
      --role editor \
      --subject userAccount:gfei8n54hmfh********
    

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

  1. Add the resource parameters to the configuration file and specify the role that users get for the service account:

    • service_account_id: ID of the service account to configure access for.
    • role: Role being assigned. This is a required parameter.
    • members: List of users or service accounts the role is being assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>. This is a required parameter.

    Here is an example of the configuration file structure:

    resource "yandex_iam_service_account_iam_binding" "admin-account-iam" {
      service_account_id = "<service_account_ID>"
      role               = "<role>"
      members            = [
        "federatedUser:<user_ID>",
      ]
    }
    

    For more information about the resources you can create with Terraform, see the relevant provider documentation.

  2. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory where you created the configuration file.

    2. Run a check using this command:

      terraform plan
      

    If the configuration description is correct, the terminal will display a list of the resources being created and their settings. If the configuration contains any errors, Terraform will point them out.

  3. Deploy the cloud resources.

    1. If the configuration does not contain any errors, run this command:

      terraform apply
      
    2. Confirm creating the resources: type yes in the terminal and press Enter.

    This will create all the resources you need in the specified folder. You can check the new resource using the management console or this CLI command:

    yc iam service-account list-access-bindings <service_account_name_or_ID>
    

API

Use the updateAccessBindings REST API method for the ServiceAccount resource or the ServiceAccountService/UpdateAccessBindings gRPC API call. You will need the ID of the service account and the ID of the user to whom you want to assign the role for the service account.

  1. Find out the service account ID using the list REST API method:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********
    

    Result:

    {
      "serviceAccounts": [
        {
          "id": "aje6o61dvog2********",
          "folderId": "b1gvmob95yys********",
          "createdAt": "2018-10-19T13:26:29Z",
          "name": "my-robot"
        }
        ...
      ]
    }
    
  2. Find out the user ID from the login using the getByLogin REST API method:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
    

    Result:

    {
      "id": "gfei8n54hmfh********",
      "yandexPassportUserAccount": {
        "login": "test-user",
        "defaultEmail": "test-user@yandex.ru"
      }
    }
    
  3. Assign the editor role for the my-robot service account. Set the action property to ADD and specify the userAccount type and user ID in the subject property:

    curl \
      --request POST \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer <IAM_token>" \
      --data '{
      "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
              "roleId": "editor",
              "subject": {
                  "id": "gfei8n54hmfh********",
                  "type": "userAccount"
      }}}]}' \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:updateAccessBindings
    

Examples

  • Assigning multiple roles
  • Setting up access from one service account to another service account

Assigning multiple roles

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-binding command.

Alert

The set-access-binding command completely rewrites access permissions for the resource! All roles previously assigned for this resource will be deleted.

  1. Make sure the resource has no important roles assigned before proceeding:

    yc iam service-account list-access-bindings my-robot
    
  2. For example, assign roles to multiple users in one call:

    yc iam service-account set-access-bindings my-robot \
      --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
      --access-binding role=viewer,subject=userAccount:helj89sfj80a********
    

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To assign several roles to a service account created with Terraform:

  1. Add the resource parameters to the configuration file and specify the roles that users get for the service account:

    • service_account_id: ID of the service account to configure access for.
    • role: Role being assigned. This is a required parameter.
    • members: List of users or service accounts the role is being assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>. This is a required parameter.

    Note

    For each role, you can only use one yandex_iam_service_account_iam_binding resource.

    Example of assigning multiple roles to a service account using Terraform:

    ...
    resource "yandex_iam_service_account_iam_binding" "admin-account-iam" {
      service_account_id = "aje82upckiqh********"
      role               = "admin"
      members = [
        "userAccount:aje82upckiqh********",
      ]
    }
    resource "yandex_iam_service_account_iam_binding" "admin-account-iam2" {
      service_account_id = "aje82upckiqh********"
      role               = "viewer"
      members = [
        "userAccount:aje82upckiqh********",
      ]
    }
    ...
    

    For more information about the resources you can create with Terraform, see this provider guide.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

  4. Apply the changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the new access bindings using the management console or this CLI command:

    yc iam service-account list-access-bindings <service_account_name_or_ID>
    

API

Assign the editor role to one user and the viewer role to another user:

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindingDeltas": [{
      "action": "ADD",
      "accessBinding": {
          "roleId": "editor",
          "subject": {
              "id": "gfei8n54hmfh********",
              "type": "userAccount"
          }
      }
  },{
      "action": "ADD",
      "accessBinding": {
          "roleId": "viewer",
          "subject": {
              "id": "helj89sfj80a********",
              "type": "userAccount"
  }}}]}' \
  https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:updateAccessBindings

You can also assign roles using the setAccessBindings REST API method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.

Alert

The setAccessBindings method completely rewrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

curl \
  --request POST \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer <IAM_token>" \
  --data '{
  "accessBindings": [{
      "roleId": "editor",
      "subject": { "id": "gfei8n54hmfh********", "type": "userAccount" }
  },{
      "roleId": "viewer",
      "subject": { "id": "helj89sfj80a********", "type": "userAccount" }
  }]}' \
  https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:setAccessBindings
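Both alerts above warn that set-access-bindings / setAccessBindings replaces every existing binding on the service account. The following added example (not Yandex Cloud code) shows how to avoid that: it diffs the bindings a service account currently has against the ones you want and emits an accessBindingDeltas list for updateAccessBindings, plus a check that lists what a setAccessBindings call would silently drop. The binding data is constructed from the masked IDs on this page; the REMOVE action is the counterpart of ADD that the updateAccessBindings method accepts.

```python
import json
from typing import Iterable, List, Tuple

# Constructed sample data (not real bindings): the masked user and service
# account IDs and the roles used in the examples on this page.
CURRENT_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    {"roleId": "admin", "subject": {"id": "ajebqtreob2d********", "type": "serviceAccount"}},
]
DESIRED_BINDINGS = [
    {"roleId": "editor", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    {"roleId": "viewer", "subject": {"id": "helj89sfj80a********", "type": "userAccount"}},
]

BindingKey = Tuple[str, str, str]  # (roleId, subject type, subject id)


def binding_key(binding: dict) -> BindingKey:
    subject = binding["subject"]
    return (binding["roleId"], subject["type"], subject["id"])


def build_access_binding_deltas(current: Iterable[dict], desired: Iterable[dict]) -> List[dict]:
    """Deltas for updateAccessBindings that turn `current` into `desired`.

    Bindings missing from `current` become ADD entries, bindings absent from
    `desired` become REMOVE entries (the two actions updateAccessBindings
    accepts); bindings present in both are left untouched.
    """
    cur = {binding_key(b): b for b in current}
    des = {binding_key(b): b for b in desired}
    deltas = [{"action": "ADD", "accessBinding": des[k]} for k in sorted(des.keys() - cur.keys())]
    deltas += [{"action": "REMOVE", "accessBinding": cur[k]} for k in sorted(cur.keys() - des.keys())]
    return deltas


def bindings_lost_by_set(current: Iterable[dict], desired: Iterable[dict]) -> List[dict]:
    """Bindings that a setAccessBindings call with `desired` would delete."""
    keep = {binding_key(b) for b in desired}
    return [b for b in current if binding_key(b) not in keep]


def update_request_body(current: Iterable[dict], desired: Iterable[dict]) -> dict:
    """JSON body for POST .../serviceAccounts/<ID>:updateAccessBindings."""
    return {"accessBindingDeltas": build_access_binding_deltas(current, desired)}


if __name__ == "__main__":
    for lost in bindings_lost_by_set(CURRENT_BINDINGS, DESIRED_BINDINGS):
        print("setAccessBindings would drop:", lost)
    print(json.dumps(update_request_body(CURRENT_BINDINGS, DESIRED_BINDINGS), indent=2))
```

In practice `CURRENT_BINDINGS` comes from the list-access-bindings command or the listAccessBindings REST method; the admin binding for the test-sa service account in the sample is exactly the kind of grant the alerts warn you would lose.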

Setting up access from one service account to another service account

Allow the test-sa service account to manage the my-robot service account:

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

  1. Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:

    yc iam service-account list
    

    Result:

    +----------------------+----------+------------------+
    |          ID          |   NAME   |   DESCRIPTION    |
    +----------------------+----------+------------------+
    | ajebqtreob2d******** | test-sa  | test-description |
    | aje6o61dvog2******** | my-robot |                  |
    +----------------------+----------+------------------+
    
  2. Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:

    yc iam service-account add-access-binding my-robot \
      --role editor \
      --subject serviceAccount:ajebqtreob2d********
    

Terraform

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To allow the test-sa service account to manage the my-robot service account created with Terraform:

  1. Add the resource parameters to the configuration file and specify the role that the test-sa service account gets for the my-robot service account:

    • service_account_id: ID of the service account to configure access for.
    • role: Role being assigned. This is a required parameter.
    • members: List of users or service accounts the role is being assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>. This is a required parameter.

    Example of granting the test-sa service account permissions to manage the my-robot service account using Terraform:

    ...
    resource "yandex_iam_service_account_iam_binding" "admin-account-iam" {
      service_account_id = "aje82upckiqh********"
      role               = "admin"
      members = [
        "serviceAccount:aje82upckiqh********",
      ]
    }
    ...
    

    For more information about the resources you can create with Terraform, see this provider guide.

  2. Check the configuration using this command:

    terraform validate
    

    If the configuration is correct, you will get this message:

    Success! The configuration is valid.
    
  3. Run this command:

    terraform plan
    

    You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

  4. Apply the changes:

    terraform apply
    
  5. Confirm the changes: type yes into the terminal and press Enter.

    You can check the new access bindings using the management console or this CLI command:

    yc iam service-account list-access-bindings <service_account_name_or_ID>
    
API

  1. Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:

    curl \
      --header "Authorization: Bearer <IAM_token>" \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********
    

    Result:

    {
     "serviceAccounts": [
      {
       "id": "ajebqtreob2d********",
       "folderId": "b1gvmob95yys********",
       "createdAt": "2018-10-18T13:42:40Z",
       "name": "test-sa",
       "description": "test-description"
      },
      {
       "id": "aje6o61dvog2********",
       "folderId": "b1gvmob95yys********",
       "createdAt": "2018-10-15T18:01:25Z",
       "name": "my-robot"
      }
     ]
    }
    
  2. Assign the editor role to the test-sa service account for another service account named my-robot. In the subject property, specify the serviceAccount type and test-sa ID. In the request URL, specify the my-robot ID as a resource:

    curl \
      --request POST \
      --header 'Content-Type: application/json' \
      --header "Authorization: Bearer <IAM_token>" \
      --data '{
      "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
              "roleId": "editor",
              "subject": {
                  "id": "ajebqtreob2d********",
                  "type": "serviceAccount"
      }}}]}' \
      https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:updateAccessBindings
    

See also

  • Using impersonation
