Configuring access permissions for a digital signature key pair
You can grant access to an asymmetric digital signature key pair to a user, service account, or user group. To do this, assign rolesfor the digital signature key pair. To choose the ones you need, learn about the service's roles.
Assigning a role
- In the management console
, select a folder containing an asymmetric encryption key pair. - In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- On the Signature tab, click the name of the key pair.
- Go to
Access bindings and click Assign roles. - Select the group, user, or service account you want to grant access to the key pair.
- Click
Add role and select the required roles. - Click Save.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID>
command. You can also set a different folder for any specific command using the --folder-name
or --folder-id
parameter.
To assign a role for an asymmetric digital signature key pair:
-
See the description of the CLI role assignment command:
yc kms asymmetric-signature-key add-access-binding --help
-
Get a list of digital signature key pairs with their IDs:
yc kms asymmetric-signature-key list
-
Get the ID of the user, service account, or user group you are assigning a role to.
-
Use one of these commands to assign a role:
-
To a user:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --user-account-id <user_ID>
-
To a federated user:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --subject federatedUser:<user_ID>
-
To a service account:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --service-account-id <service_account_ID>
-
To a user group:
yc kms asymmetric-signature-key add-access-binding \ --id <key_pair_ID> \ --role <role> \ --subject group:<group_ID>
-
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
To assign a role for an asymmetric digital signature key pair through Terraform:
-
In the Terraform configuration file, define the parameters of the resources you want to create:
resource "yandex_kms_asymmetric_signature_key" "key-viewers" { asymmetric_signaturen_key_id = "<key_pair_ID>" role = "<role_1>" members = ["<subject_type>:<subject_ID>"] }
Where:
asymmetric_signaturen_key_id
: ID of the digital signature key pair.role
: Role.members
: List of types and IDs of subjects getting the role. Specify it asuserAccount:<user_ID>
orserviceAccount:<service_account_ID>
.
For more information about the
yandex_kms_asymmetric_signature_key
resource properties, see the provider documentation . -
Create the resources:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validate
If the configuration is correct, you will get this message:
Success! The configuration is valid.
-
Run this command:
terraform plan
You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply
-
Type
yes
and press Enter to confirm the changes.
Terraform will create all required resources. You can check the new resources using this CLI command:
yc kms asymmetric-signature-key list-access-bindings <key_pair_ID>
-
Use the updateAccessBindings method for the AsymmetricSignatureKey resource or the AsymmetricSignatureKeyService/UpdateAccessBindings gRPC API call and provide the following in the request:
ADD
value in theaccess_binding_deltas[].action
parameter to add a role.- Role in the
access_binding_deltas[].access_binding.role_id
parameter. - ID of the subject you are assigning the role to in the
access_binding_deltas[].access_binding.subject.id
parameter. - Type of the subject you are assigning the role to in the
access_binding_deltas[].access_binding.subject.type
parameter.
Assigning multiple roles
- In the management console
, select a folder containing an asymmetric encryption key pair. - In the list of services, select Key Management Service.
- In the left-hand panel, select Asymmetric keys.
- On the Signature tab, click the name of the key pair.
- Go to
Access bindings and click Assign roles. - Select the group, user, or service account you want to grant access to the key pair.
- Click
Add role and select the required roles. - Click Save.
Alert
The set-access-bindings
command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
If you do not have the Yandex Cloud CLI yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID>
command. You can also set a different folder for any specific command using the --folder-name
or --folder-id
parameter.
To assign multiple roles for a digital signature key pair:
-
Make sure the key pair has no roles assigned that you would not want to lose:
yc kms asymmetric-signature-key list-access-bindings \ --id <key_pair_ID>
-
See the description of the CLI role assignment command:
yc kms asymmetric-signature-key set-access-bindings --help
-
Get a list of digital signature key pairs with their IDs:
yc kms asymmetric-signature-key list
-
Get the ID of the user, service account, or user group you are assigning roles to.
-
Use one of the commands below to assign roles:
-
To a Yandex account user:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,user-account-id=<user_ID>
-
To a federated user:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,subject=federatedUser:<user_ID>
-
To a service account:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,service-account-id=<service_account_ID>
-
To a user group:
yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role>,subject=group:<group_ID>
Provide a separate
--access-binding
flag for each role. For example:yc kms asymmetric-signature-key set-access-bindings \ --id <key_pair_ID> \ --access-binding role=<role1>,service-account-id=<service_account_ID> \ --access-binding role=<role2>,service-account-id=<service_account_ID> \ --access-binding role=<role3>,service-account-id=<service_account_ID>
-
With Terraform
Terraform is distributed under the Business Source License
For more information about the provider resources, see the documentation on the Terraform
If you do not have Terraform yet, install it and configure its Yandex Cloud provider.
To assign multiple roles for an asymmetric digital signature key pair through Terraform:
-
In the Terraform configuration file, define the parameters of the resources you want to create:
# Role 1 resource "yandex_kms_asymmetric_signature_key" "key-viewers" { asymmetric_signaturen_key_id = "<key_pair_ID>" role = "<role_1>" members = ["<subject_type>:<subject_ID>"] } # Role 2 resource "yandex_kms_asymmetric_signature_key" "key-editors" { asymmetric_signaturen_key_id = "<key_pair_ID>" role = "<role_2>" members = ["<subject_type>:<subject_ID>"] }
Where:
asymmetric_signaturen_key_id
: ID of the digital signature key pair.role
: Role.members
: List of types and IDs of subjects getting the role. Specify it asuserAccount:<user_ID>
orserviceAccount:<service_account_ID>
.
For more information about the
yandex_kms_asymmetric_signature_key
resource properties, see the provider documentation . -
Create the resources:
-
In the terminal, go to the directory where you edited the configuration file.
-
Make sure the configuration file is correct using this command:
terraform validate
If the configuration is correct, you will get this message:
Success! The configuration is valid.
-
Run this command:
terraform plan
You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.
-
Apply the changes:
terraform apply
-
Type
yes
and press Enter to confirm the changes.
Terraform will create all required resources. You can check the new resources using this CLI command:
yc kms asymmetric-signature-key list-access-bindings <key_pair_ID>
-
Alert
The setAccessBindings
method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
Use the SetAccessBindings method for the AsymmetricSignatureKey resource or the AsymmetricSignatureKeyService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:
- Role in the
access_bindings[].role_id
parameter. - ID of the subject getting the roles in the
access_bindings[].subject.id
parameter. - Type of the subject getting the roles in the
access_bindings[].subject.type
parameter.