Setting up service account access permissions
This section describes how to assign roles for the service account as a resource. To assign the service account a role for another resource, follow the instructions in Assigning roles to a service account.
Note
To assign a role for a service account, you need the iam.serviceAccounts.admin role.
Assigning a role for a service account
Management console
- In the management console, navigate to the folder the service account belongs to.
- In the list of services, select Identity and Access Management.
- In the left-hand panel, select Service accounts and select the required service account.
- Go to the Access bindings tab.
- Click Assign bindings.
- In the Configuring access bindings window, click Select subject.
- Select a user from the list or search by user.
- Click Add role.
- Choose the role.
- Click Save.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View the description of the command to assign a role for a service account as a resource:
  yc iam service-account add-access-binding --help
- Select a service account, e.g., my-robot:
  yc iam service-account list
  Result:
  +----------------------+----------+------------------+
  |          ID          |   NAME   |   DESCRIPTION    |
  +----------------------+----------+------------------+
  | ajebqtreob2d******** | test-sa  | test-description |
  | aje6o61dvog2******** | my-robot |                  |
  +----------------------+----------+------------------+
- Choose the role:
  yc iam role list
  Result:
  +--------------------------------+-------------+
  |               ID               | DESCRIPTION |
  +--------------------------------+-------------+
  | admin                          |             |
  | compute.images.user            |             |
  | editor                         |             |
  | ...                            |             |
  +--------------------------------+-------------+
- Find out the user ID from the login or email address. To assign a role to a service account or a user group rather than to a single user, see the examples below.
  yc iam user-account get test-user
  Result:
  id: gfei8n54hmfh********
  yandex_passport_user_account:
    login: test-user
    default_email: test-user@yandex.ru
- Assign the editor role to the user test-user for the my-robot service account. In the subject, specify the userAccount type and the user ID:
  yc iam service-account add-access-binding my-robot \
    --role editor \
    --subject userAccount:gfei8n54hmfh********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
- Add the resource parameters to the configuration file and specify the users' role to access the service account:
  service_account_id: ID of the service account to configure access for.
  role: Role being assigned. This is a required parameter.
  members: List of users or service accounts the role is being assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>. This is a required parameter.
  Here is an example of the configuration file structure:
  resource "yandex_iam_service_account_iam_binding" "admin-account-iam" {
    service_account_id = "<service_account_ID>"
    role               = "<role>"
    members = [
      "federatedUser:<user_ID>",
    ]
  }
  For more information about the resources you can create with Terraform, see the provider documentation.
- Make sure the configuration files are correct.
  - In the command line, go to the folder where you created the configuration file.
  - Run a check using this command:
    terraform plan
    If the configuration is described correctly, the terminal will display a list of created resources and their parameters. If the configuration contains any errors, Terraform will point them out.
- Deploy cloud resources.
  - If the configuration does not contain any errors, run this command:
    terraform apply
  - Confirm creating the resources: type yes in the terminal and press Enter.
    All the resources you need will then be created in the specified folder. You can check the new resource using the management console or this CLI command:
    yc iam service-account list-access-bindings <service_account_name_or_ID>
API
Use the updateAccessBindings REST API method for the ServiceAccount resource or the ServiceAccountService/UpdateAccessBindings gRPC API call. You will need the ID of the service account and the ID of the user to whom you want to assign the role for the service account.
- Find out the service account ID using the list REST API method:
  curl \
    --header "Authorization: Bearer <IAM_token>" \
    https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********
  Result:
  {
    "serviceAccounts": [
      {
        "id": "aje6o61dvog2********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-19T13:26:29Z",
        "name": "my-robot"
      }
      ...
    ]
  }
- Find out the user ID from the login using the getByLogin REST API method:
  curl \
    --header "Authorization: Bearer <IAM_token>" \
    https://iam.api.cloud.yandex.net/iam/v1/yandexPassportUserAccounts:byLogin?login=test-user
  Result:
  {
    "id": "gfei8n54hmfh********",
    "yandexPassportUserAccount": {
      "login": "test-user",
      "defaultEmail": "test-user@yandex.ru"
    }
  }
- Assign the editor role for the my-robot service account. Set the action property to ADD and specify the userAccount type and the user ID in the subject property:
  curl \
    --request POST \
    --header 'Content-Type: application/json' \
    --header "Authorization: Bearer <IAM_token>" \
    --data '{
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "gfei8n54hmfh********",
            "type": "userAccount"
          }
        }
      }]
    }' \
    https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:updateAccessBindings
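The three API calls above, chained into one script, as an added example that is not Yandex Cloud's own code. The endpoint paths, JSON field names and masked IDs are the ones shown on this page; the HTTP transport is injected, and RecordingTransport with its canned replies is a constructed stand-in so the flow can be checked offline (pass http_transport and a real IAM token to run it against the API).

```python
import json
import urllib.request

IAM_API = "https://iam.api.cloud.yandex.net/iam/v1"  # base of the endpoints shown on the page

# Subject types used in access bindings on this page (CLI --subject and REST "subject.type").
SUBJECT_TYPES = ("userAccount", "serviceAccount", "federatedUser")


def http_transport(method, url, headers, body=None):
    """Real transport: send the request and decode the JSON reply (not used by the offline demo)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def subject_from_string(subject):
    """'userAccount:gfei...' -> {'id': 'gfei...', 'type': 'userAccount'} (the REST subject object)."""
    kind, _, ident = subject.partition(":")
    if kind not in SUBJECT_TYPES or not ident:
        raise ValueError(f"unsupported subject {subject!r}")
    return {"id": ident, "type": kind}


def service_account_id(transport, token, folder_id, name):
    """Step 1: list the folder's service accounts and resolve `name` to exactly one ID."""
    reply = transport("GET", f"{IAM_API}/serviceAccounts?folderId={folder_id}",
                      {"Authorization": f"Bearer {token}"})
    ids = [sa["id"] for sa in reply.get("serviceAccounts", []) if sa.get("name") == name]
    if len(ids) != 1:
        raise LookupError(f"expected one service account named {name!r}, found {len(ids)}")
    return ids[0]


def user_id_by_login(transport, token, login):
    """Step 2: resolve a login to a user ID with getByLogin."""
    reply = transport("GET", f"{IAM_API}/yandexPassportUserAccounts:byLogin?login={login}",
                      {"Authorization": f"Bearer {token}"})
    return reply["id"]


def add_access_binding(transport, token, sa_id, role_id, subject):
    """Step 3: one ADD delta through updateAccessBindings; bindings already on the
    service account are left in place (unlike setAccessBindings, which rewrites them)."""
    body = {"accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {"roleId": role_id, "subject": subject_from_string(subject)},
    }]}
    return transport("POST", f"{IAM_API}/serviceAccounts/{sa_id}:updateAccessBindings",
                     {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                     body)


def assign_role_to_user(transport, token, folder_id, sa_name, login, role_id):
    """The whole procedure. Returns the resolved identifiers so the caller can log
    exactly which principal was granted which role on which service account."""
    sa_id = service_account_id(transport, token, folder_id, sa_name)
    uid = user_id_by_login(transport, token, login)
    add_access_binding(transport, token, sa_id, role_id, f"userAccount:{uid}")
    return {"serviceAccountId": sa_id, "userId": uid, "roleId": role_id}


class RecordingTransport:
    """Constructed offline stand-in for the API: answers from canned replies keyed by
    URL suffix and records every request so the demo can be checked without a network."""

    def __init__(self, replies):
        self.replies = replies
        self.sent = []

    def __call__(self, method, url, headers, body=None):
        self.sent.append((method, url, body))
        for suffix, reply in self.replies.items():
            if url.endswith(suffix):
                return reply
        raise KeyError(f"no canned reply for {url}")


# Constructed replies mirroring the page's sample output (masked IDs as on the page).
CANNED_REPLIES = {
    "folderId=b1gvmob95yys********": {"serviceAccounts": [
        {"id": "ajebqtreob2d********", "folderId": "b1gvmob95yys********", "name": "test-sa"},
        {"id": "aje6o61dvog2********", "folderId": "b1gvmob95yys********", "name": "my-robot"},
    ]},
    "login=test-user": {"id": "gfei8n54hmfh********",
                        "yandexPassportUserAccount": {"login": "test-user"}},
    ":updateAccessBindings": {"done": True},
}


def demo():
    """Run the procedure against the canned API; returns (resolved ids, requests sent)."""
    transport = RecordingTransport(CANNED_REPLIES)
    result = assign_role_to_user(transport, "<IAM_token>", "b1gvmob95yys********",
                                 "my-robot", "test-user", "editor")
    return result, transport.sent


if __name__ == "__main__":
    resolved, requests = demo()
    print(json.dumps(resolved, indent=2))
    print(json.dumps(requests[-1][2], indent=2))  # the updateAccessBindings body that was sent
```

Resolving the service account by name and requiring exactly one match avoids binding the role to the wrong account when names repeat across folders; the returned identifiers are what an audit log entry for the grant should carry.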
Examples
- Assigning multiple roles.
- Set up impersonation.
- Setting up access from one service account to another service account.
Assigning multiple roles
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The add-access-binding command allows you to add only one role. You can assign multiple roles using the set-access-bindings command.
Alert
The set-access-bindings method completely rewrites access permissions for the resource. All current resource roles will be deleted.
- Make sure the resource has no roles assigned that you would not want to lose:
  yc iam service-account list-access-bindings my-robot
- For example, assign a role to multiple users:
  yc iam service-account set-access-bindings my-robot \
    --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
    --access-binding role=viewer,subject=userAccount:helj89sfj80a********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To assign several roles to a service account created with Terraform:
- Add the resource parameters to the configuration file and specify the users' role to access the service account:
  service_account_id: ID of the service account to configure access for.
  role: Role being assigned. This is a required parameter.
  Note
  For each role, you can only use one yandex_iam_service_account_iam_binding resource.
  members: List of users or service accounts the role is being assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>. This is a required parameter.
  Example of assigning multiple roles to a service account using Terraform:
  ...
  resource "yandex_iam_service_account_iam_binding" "admin-account-iam" {
    service_account_id = "aje82upckiqh********"
    role               = "admin"
    members = [
      "userAccount:aje82upckiqh********",
    ]
  }
  resource "yandex_iam_service_account_iam_binding" "admin-account-iam2" {
    service_account_id = "aje82upckiqh********"
    role               = "viewer"
    members = [
      "userAccount:aje82upckiqh********",
    ]
  }
  ...
  For more information about the resources you can create with Terraform, see the provider documentation.
- Check the configuration using this command:
  terraform validate
  If the configuration is correct, you will get this message:
  Success! The configuration is valid.
- Run this command:
  terraform plan
  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  terraform apply
- Confirm the changes: type yes into the terminal and press Enter.
  You can check the folder update using the management console or this CLI command:
  yc iam service-account list-access-bindings <service_account_name_or_ID>
API
Assign the editor role to one user and the viewer role to another:
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM_token>" \
--data '{
"accessBindingDeltas": [{
"action": "ADD",
"accessBinding": {
"roleId": "editor",
"subject": {
"id": "gfei8n54hmfh********",
"type": "userAccount"
}
}
},{
"action": "ADD",
"accessBinding": {
"roleId": "viewer",
"subject": {
"id": "helj89sfj80a********",
"type": "userAccount"
}}}]}' \
https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:updateAccessBindings
You can also assign roles using the setAccessBindings REST API method for the ServiceAccount resource or the ServiceAccountService/SetAccessBindings gRPC API call.
Alert
The setAccessBindings method completely rewrites access permissions for the resource. All current resource roles will be deleted.
curl \
--request POST \
--header 'Content-Type: application/json' \
--header "Authorization: Bearer <IAM token>" \
--data '{
"accessBindings": [{
"roleId": "editor",
"subject": { "id": "ajei8n54hmfh********", "type": "userAccount" }
},{
"roleId": "viewer",
"subject": { "id": "helj89sfj80a********", "type": "userAccount" }
}]}' \
https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:setAccessBindings
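An added example (not from the page or from Yandex Cloud) that makes the Alert concrete: it diffs the bindings a resource currently holds against the list you are about to pass to setAccessBindings (or set-access-bindings), reports what the rewrite would delete, and builds the updateAccessBindings deltas that reach the same state additively. The REMOVE action is the counterpart of ADD in this API and is not shown on the page; the current-state bindings, including the tokenCreator grant and its user ID, are constructed.

```python
# Binding objects use the shape of the request bodies on this page:
# {"roleId": ..., "subject": {"id": ..., "type": ...}}.

TOKEN_CREATOR = "iam.serviceAccounts.tokenCreator"


def binding_key(b):
    """Identity of a binding: (role, subject type, subject id)."""
    return (b["roleId"], b["subject"]["type"], b["subject"]["id"])


def plan_set_access_bindings(current, desired):
    """Predict what setAccessBindings(desired) does to a resource that currently holds
    `current`: returns (kept, dropped, added). `dropped` is what the full rewrite deletes."""
    cur = {binding_key(b): b for b in current}
    des = {binding_key(b): b for b in desired}
    kept = [b for k, b in cur.items() if k in des]
    dropped = [b for k, b in cur.items() if k not in des]
    added = [b for k, b in des.items() if k not in cur]
    return kept, dropped, added


def deltas_for_update(current, desired, allow_remove=False):
    """Build accessBindingDeltas for updateAccessBindings that reach `desired` without a
    rewrite. Only ADD deltas by default, so nothing already granted is lost silently;
    allow_remove=True also emits REMOVE deltas for bindings present in `current` but
    absent from `desired`, after you have reviewed that list."""
    _, dropped, added = plan_set_access_bindings(current, desired)
    deltas = [{"action": "ADD", "accessBinding": b} for b in added]
    if allow_remove:
        deltas += [{"action": "REMOVE", "accessBinding": b} for b in dropped]
    return deltas


def binding(role_id, subject):
    """Build a binding from a role and a 'type:id' subject string (the CLI --subject form)."""
    kind, _, ident = subject.partition(":")
    return {"roleId": role_id, "subject": {"id": ident, "type": kind}}


# Constructed state: what list-access-bindings might show for my-robot before the
# setAccessBindings call on the page. The tokenCreator binding (constructed user ID)
# stands in for any earlier grant an administrator has forgotten about.
CURRENT_BINDINGS = [
    binding("editor", "userAccount:gfei8n54hmfh********"),
    binding(TOKEN_CREATOR, "userAccount:ops0000000000********"),
]

# The two bindings the page's setAccessBindings request body contains.
DESIRED_BINDINGS = [
    binding("editor", "userAccount:gfei8n54hmfh********"),
    binding("viewer", "userAccount:helj89sfj80a********"),
]


if __name__ == "__main__":
    kept, dropped, added = plan_set_access_bindings(CURRENT_BINDINGS, DESIRED_BINDINGS)
    for b in dropped:
        print("setAccessBindings would silently delete:", binding_key(b))
    print("additive alternative:", deltas_for_update(CURRENT_BINDINGS, DESIRED_BINDINGS))
```

Run plan_set_access_bindings over the output of list-access-bindings before every set call; if `dropped` is non-empty, either add those bindings to the desired list or switch to the deltas, which leave them untouched.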
Set up impersonation
Impersonation enables a user to perform actions on behalf of a service account using the --impersonate-service-account-id flag. To do this, the service account needs the relevant permissions, and the user needs the iam.serviceAccounts.tokenCreator role.
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- Find out the ID of the service account, such as test-sa, you want to assign the role to. To do this, get a list of available service accounts (in the administrator profile):
  yc iam service-account list
  Result:
  +----------------------+----------+------------------+
  |          ID          |   NAME   |   DESCRIPTION    |
  +----------------------+----------+------------------+
  | ajebqtreob2d******** | test-sa  | test-description |
  | aje6o61dvog2******** | my-robot |                  |
  +----------------------+----------+------------------+
- Assign the test-sa service account the viewer role for my-folder. In the subject type, specify serviceAccount, and in its value, specify the ID of the service account (in the administrator profile):
  yc resource-manager folder add-access-binding my-folder \
    --role viewer \
    --subject serviceAccount:ajebqtreob2d********
- Get the user ID and assign them the iam.serviceAccounts.tokenCreator role for the test-sa service account (in the administrator profile):
  yc iam service-account add-access-binding test-sa \
    --role iam.serviceAccounts.tokenCreator \
    --subject userAccount:gfei8n54hmfh********
- The user can now run commands on behalf of the test-sa service account using the --impersonate-service-account-id flag. For example, the user can get a list of VMs in my-folder:
  yc compute instance list --folder-name my-folder \
    --impersonate-service-account-id ajebqtreob2d********
  The user can also obtain an IAM token of the test-sa service account for short-term access:
  yc iam create-token --impersonate-service-account-id ajebqtreob2d********
  The token will expire automatically.
- If the user no longer needs this permission, revoke the role from the service account (in the administrator profile):
  yc resource-manager folder remove-access-binding my-folder \
    --role viewer \
    --subject serviceAccount:ajebqtreob2d********
- Revoke the iam.serviceAccounts.tokenCreator role from the user you granted service account permissions to:
  yc iam service-account remove-access-binding test-sa \
    --role iam.serviceAccounts.tokenCreator \
    --subject userAccount:gfei8n54hmfh********
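An added audit example, not part of the page: given the bindings on each service account and on the folder, it lists who holds iam.serviceAccounts.tokenCreator and therefore which folder roles they can reach by impersonation, and models the two revocation steps so the reach can be confirmed empty afterwards. The input is constructed from the IDs in the procedure above; the binding shape is the REST accessBinding object used elsewhere on this page.

```python
TOKEN_CREATOR = "iam.serviceAccounts.tokenCreator"


def subject_string(b):
    """'type:id' form of a binding's subject, as the CLI --subject flag writes it."""
    return f"{b['subject']['type']}:{b['subject']['id']}"


def impersonation_reach(service_account_bindings, resource_bindings):
    """Who can impersonate which service account, and what that buys them.

    service_account_bindings: {sa_id: bindings ON that service account}
    resource_bindings: {resource_name: bindings on folders, clouds, etc.}
    Returns {subject: {sa_id: [(resource, role), ...]}} for every subject that holds
    iam.serviceAccounts.tokenCreator on some service account. A service account with no
    tokenCreator holders never appears, whatever roles it has elsewhere."""
    reach = {}
    for sa_id, bindings in service_account_bindings.items():
        holders = [subject_string(b) for b in bindings if b["roleId"] == TOKEN_CREATOR]
        if not holders:
            continue
        sa_subject = f"serviceAccount:{sa_id}"
        roles = sorted((res, b["roleId"]) for res, bs in resource_bindings.items()
                       for b in bs if subject_string(b) == sa_subject)
        for holder in holders:
            reach.setdefault(holder, {})[sa_id] = roles
    return reach


def revoke(bindings, role_id, subject):
    """Local model of remove-access-binding: drop one (role, subject) binding."""
    return [b for b in bindings
            if not (b["roleId"] == role_id and subject_string(b) == subject)]


# Constructed state mirroring the procedure above: test-sa holds viewer on my-folder and
# the user gfei... holds tokenCreator on test-sa. my-robot has an editor binding but no
# tokenCreator holder, so it does not show up in the result.
SERVICE_ACCOUNT_BINDINGS = {
    "ajebqtreob2d********": [  # test-sa
        {"roleId": TOKEN_CREATOR, "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    ],
    "aje6o61dvog2********": [  # my-robot
        {"roleId": "editor", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    ],
}
RESOURCE_BINDINGS = {
    "my-folder": [
        {"roleId": "viewer", "subject": {"id": "ajebqtreob2d********", "type": "serviceAccount"}},
        {"roleId": "editor", "subject": {"id": "gfei8n54hmfh********", "type": "userAccount"}},
    ],
}


def after_revocation():
    """Apply the two revoke steps of the procedure and return the remaining reach."""
    sa = dict(SERVICE_ACCOUNT_BINDINGS)
    sa["ajebqtreob2d********"] = revoke(sa["ajebqtreob2d********"], TOKEN_CREATOR,
                                        "userAccount:gfei8n54hmfh********")
    res = {"my-folder": revoke(RESOURCE_BINDINGS["my-folder"], "viewer",
                               "serviceAccount:ajebqtreob2d********")}
    return impersonation_reach(sa, res)


if __name__ == "__main__":
    for subject, reach in impersonation_reach(SERVICE_ACCOUNT_BINDINGS, RESOURCE_BINDINGS).items():
        print(subject, "can impersonate:", reach)
    print("after revocation:", after_revocation())
```

The report is what to review when the tokenCreator role is granted: the user's effective permissions are the union of their own bindings and everything reachable through the service accounts they can impersonate.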
Setting up access from one service account to another service account
Allow the test-sa service account to manage the my-robot service account:
CLI
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
- Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:
  yc iam service-account list
  Result:
  +----------------------+----------+------------------+
  |          ID          |   NAME   |   DESCRIPTION    |
  +----------------------+----------+------------------+
  | ajebqtreob2d******** | test-sa  | test-description |
  | aje6o61dvog2******** | my-robot |                  |
  +----------------------+----------+------------------+
- Assign the editor role to the test-sa service account by specifying its ID. In the subject type, specify serviceAccount:
  yc iam service-account add-access-binding my-robot \
    --role editor \
    --subject serviceAccount:ajebqtreob2d********
Terraform
If you don't have Terraform, install it and configure the Yandex Cloud provider.
To allow the test-sa service account to manage the my-robot service account created with Terraform:
- Add the resource parameters to the configuration file and specify the users' role to access the service account:
  service_account_id: ID of the service account to configure access for.
  role: Role being assigned. This is a required parameter.
  members: List of users or service accounts the role is being assigned to. Specify it as userAccount:<user_ID> or serviceAccount:<service_account_ID>. This is a required parameter.
  Example of allowing the test-sa service account to manage the my-robot service account using Terraform:
  ...
  resource "yandex_iam_service_account_iam_binding" "admin-account-iam" {
    service_account_id = "aje82upckiqh********"
    role               = "admin"
    members = [
      "serviceAccount:aje82upckiqh********",
    ]
  }
  ...
  For more information about the resources you can create with Terraform, see the provider documentation.
- Check the configuration using this command:
  terraform validate
  If the configuration is correct, you will get this message:
  Success! The configuration is valid.
- Run this command:
  terraform plan
  The terminal will display a list of resources with parameters. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.
- Apply the configuration changes:
  terraform apply
- Confirm the changes: type yes into the terminal and press Enter.
  You can check the folder update using the management console or this CLI command:
  yc iam service-account list-access-bindings <service_account_name_or_ID>
API
- Find out the ID of the test-sa service account you want to assign the role to. To do this, get a list of available service accounts:
  curl \
    --header "Authorization: Bearer <IAM_token>" \
    https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=b1gvmob95yys********
  Result:
  {
    "serviceAccounts": [
      {
        "id": "ajebqtreob2d********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-18T13:42:40Z",
        "name": "test-sa",
        "description": "test-description"
      },
      {
        "id": "aje6o61dvog2********",
        "folderId": "b1gvmob95yys********",
        "createdAt": "2018-10-15T18:01:25Z",
        "name": "my-robot"
      }
    ]
  }
- Assign the editor role to the test-sa service account for another service account, my-robot. In the subject property, specify the serviceAccount type and the test-sa ID. In the request URL, specify the my-robot ID as the resource:
  curl \
    --request POST \
    --header 'Content-Type: application/json' \
    --header "Authorization: Bearer <IAM_token>" \
    --data '{
      "accessBindingDeltas": [{
        "action": "ADD",
        "accessBinding": {
          "roleId": "editor",
          "subject": {
            "id": "ajebqtreob2d********",
            "type": "serviceAccount"
          }
        }
      }]
    }' \
    https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts/aje6o61dvog2********:updateAccessBindings