Access management in Identity and Access Management

In this section, you will learn:

• Which resources you can assign a role for.
• Which roles exist in the service.
• Which roles are required for particular actions.

About access managementAbout access management

In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.

To grant permissions for a resource, assign roles for this resource to the subject that will perform the operations. You can assign roles to a Yandex account, service account, federated users, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.

Roles for a resource can be assigned by users who have the iam.admin role or one of the following roles for that resource:

• admin
• resource-manager.admin
• organization-manager.admin
• resource-manager.clouds.owner
• organization-manager.organizations.owner

Which resources you can assign a role forWhich resources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned for organizations, clouds, or folders also apply to nested resources.

Which roles exist in the serviceWhich roles exist in the service

The chart below shows which roles are available in the service and how they inherit each other's permissions. For example, the editor role includes all the permissions of viewer. You can find the description of each role under the chart.

Service rolesService roles

iam.serviceAccounts.useriam.serviceAccounts.user

The iam.serviceAccounts.user role enables viewing the list of service accounts and info on them, as well as performing operations on behalf of a service account.

For example, if you specify a service account when creating an instance group, IAM will check whether you have a permission to use this service account.

iam.serviceAccounts.adminiam.serviceAccounts.admin

The iam.serviceAccounts.admin role enables managing service accounts and access to them and their keys, as well as getting IAM tokens for service accounts.

Users with this role can:

• View the list of service accounts and info on them, as well as create, use, modify, and delete them.
• View info on access permissions assigned for service accounts and modify such permissions.
• Get IAM tokens for service accounts.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.
• View info on the relevant folder and its settings.

For some services, e.g., Instance Groups or Managed Service for Kubernetes, you need a service account to perform operations. If you specified a service account in the request, IAM will check whether you have permissions to use this account.

iam.serviceAccounts.accessKeyAdminiam.serviceAccounts.accessKeyAdmin

The iam.serviceAccounts.accessKeyAdmin role enables managing static access keys for service accounts.

Users with this role can:

• View the list of service account static access keys and information on them.
• Create, update, and delete static access keys for service accounts.

iam.serviceAccounts.apiKeyAdminiam.serviceAccounts.apiKeyAdmin

The iam.serviceAccounts.apiKeyAdmin role enables managing API keys for service accounts.

Users with this role can:

• View the list of service account API keys and information on them.
• Create, update, and delete API keys for service accounts.

iam.serviceAccounts.authorizedKeyAdminiam.serviceAccounts.authorizedKeyAdmin

The iam.serviceAccounts.authorizedKeyAdmin role enables viewing info on service account authorized keys, as well as create, modify, and delete them.

iam.serviceAccounts.keyAdminiam.serviceAccounts.keyAdmin

The iam.serviceAccounts.keyAdmin role enables managing static access keys, API keys, and authorized keys for service accounts.

Users with this role can:

• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.

This role also includes the iam.serviceAccounts.accessKeyAdmin, iam.serviceAccounts.apiKeyAdmin, and iam.serviceAccounts.authorizedKeyAdmin permissions.

iam.serviceAccounts.tokenCreatoriam.serviceAccounts.tokenCreator

The iam.serviceAccounts.tokenCreator role enables getting IAM tokens for service accounts.

With such an IAM token one can impersonate to a service account and perform operations allowed for it.

This role does not allow you to modify access permissions or delete a service account.

iam.serviceAccounts.federatedCredentialVieweriam.serviceAccounts.federatedCredentialViewer

The iam.serviceAccounts.federatedCredentialViewer role enables viewing the list of federation credentials in workload identity federations and info on such credentials.

iam.serviceAccounts.federatedCredentialEditoriam.serviceAccounts.federatedCredentialEditor

The iam.serviceAccounts.federatedCredentialEditor role enables viewing the list of federation credentials in workload identity federations and info on such credentials, as well as create and delete those.

This role also includes the iam.serviceAccounts.federatedCredentialViewer permissions.

iam.workloadIdentityFederations.auditoriam.workloadIdentityFederations.auditor

The iam.workloadIdentityFederations.auditor role enables viewing the workload identity federation metadata.

iam.workloadIdentityFederations.vieweriam.workloadIdentityFederations.viewer

The iam.workloadIdentityFederations.viewer role enables viewing info on workload identity federations.

This role also includes the iam.workloadIdentityFederations.auditor permissions.

iam.workloadIdentityFederations.useriam.workloadIdentityFederations.user

The iam.workloadIdentityFederations.user role enables using workload identity federations.

iam.workloadIdentityFederations.editoriam.workloadIdentityFederations.editor

The iam.workloadIdentityFederations.editor role enables viewing info on workload identity federations, as well as creating, modifying, and deleting such federations.

This role also includes the iam.workloadIdentityFederations.viewer permissions.

iam.workloadIdentityFederations.adminiam.workloadIdentityFederations.admin

The iam.workloadIdentityFederations.admin role enables viewing info on workload identity federations, as well as creating, modifying, using, and deleting such federations.

This role also includes the iam.workloadIdentityFederations.editor and iam.workloadIdentityFederations.user permissions.

iam.auditoriam.auditor

The iam.auditor role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

• View the list of service accounts and information on them.
• View info on access permissions assigned for service accounts.
• View the list of service account API keys and information on them.
• View the list of service account static access keys and information on them.
• View info on service account authorized keys.
• View the list of operations and the info on IAM resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folder and its settings.

iam.vieweriam.viewer

The iam.viewer role allows you to view info on service accounts and their keys, as well as on the IAM resource operations and quotas.

Users with this role can:

• View the list of service accounts and information on them.
• View info on access permissions assigned for service accounts.
• View the list of service account API keys and information on them.
• View the list of service account static access keys and information on them.
• View info on service account authorized keys.
• View the list of operations and the info on IAM resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folder and its settings.

This role also includes the iam.auditor permissions.

iam.editoriam.editor

The iam.editor role allows you to manage service accounts and their keys, manage folders, and view info on IAM resource operations and quotas.

Users with this role can:

• View the list of service accounts and info on them, as well as create, use, modify, and delete them.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.
• View info on access permissions assigned for service accounts.
• View the list of operations and the info on IAM resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folders and their settings.
• Create, modify, delete, and setup folders.

This role also includes the iam.viewer permissions.

iam.adminiam.admin

The iam.admin role enables managing service accounts and access to them and their keys, as well as managing folders, viewing info on IAM resource operations and quotas, and getting IAM tokens for service accounts.

Users with this role can:

• View the list of service accounts and info on them, as well as create, use, modify, and delete them.
• View info on access permissions assigned for service accounts and modify such permissions.
• Get IAM tokens for service accounts.
• View the list of service account API keys and info on them, as well as create, modify, and delete them.
• View the list of service account static access keys and info on them, as well as create, modify, and delete them.
• View info on service account authorized keys, as well as create, modify, and delete them.
• View info on identity federations.
• View the list of operations and the info on Identity and Access Management resource operations.
• View info on Identity and Access Management quotas.
• View info on the relevant cloud and its settings.
• View info on the relevant folders and their settings.
• Create, modify, delete, and setup folders.

This role also includes the iam.editor and iam.serviceAccounts.admin permissions.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.

For more information about primitive roles, see the Yandex Cloud role reference.

What roles do I needWhat roles do I need

The table below lists the roles required to perform a particular action. You can always assign a role offering more permissions than the one specified. For instance, you can assign editor instead of viewer.

Action	Methods	Required roles
Viewing data
Getting an IAM token	create	no roles needed, only authentication
Viewing user data	get, getByLogin	no roles needed, only authentication
Viewing service account data	get, list, listOperations	iam.serviceAccounts.user or viewer for the service account
Viewing information about a folder or cloud	get, list	iam.auditor for the folder or cloud
Viewing information about any resource	get, list	viewer for the resource
Managing resources
Creating service accounts in the folder	create	iam.serviceAccounts.admin for the folder
Updating and deleting service accounts	update, delete	editor for the service account
Creating and deleting keys for a service account	create, delete	iam.serviceAccounts.accessKeyAdmin, iam.serviceAccounts.apiKeyAdmin, iam.serviceAccounts.authorizedKeyAdmin, iam.serviceAccounts.keyAdmin for the service account
Resource access management
Adding a new user to the cloud	setAccessBindings	admin for the cloud
Making a new user the owner of the cloud	setAccessBindings, updateAccessBindings	resource-manager.clouds.owner role for the cloud
Granting a role, revoking a role, and viewing roles granted for the resource	setAccessBindings, updateAccessBindings, listAccessBindings	admin for the resource
Getting an IAM token for a service account	create	iam.serviceAccounts.tokenCreator for the service account

What's nextWhat's next

• How to assign a role.
• See how to revoke a role for more info.
• Learn more about access management in Yandex Cloud.
• Learn more about inheriting roles.