Contact UsTry it for free
© 2025 Direct Cursus Technology L.L.C.

Configuring access permissions for a symmetric encryption key

Written by
Updated at November 27, 2025

You can grant access to a symmetric key to a user, service account, or user group. To do this, assign roles for the key. To choose the ones you need, learn about the service's roles.

Assigning a role

  1. In the management console, select the folder where the secret is stored.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. Click the name of the key you need.
  5. Go to Access bindings and click Assign roles.
  6. Select the group, user, or service account you want to grant access to the key.
  7. Click Add role and select the required roles.
  8. Click Save.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To assign a role for a symmetric key:

  1. See the description of the CLI role assignment command:

    yc kms symmetric-key add-access-binding --help

  2. Get a list of symmetric keys with their IDs:

    yc kms symmetric-key list

  3. Get the ID of the user, service account, or user group you are assigning a role to.

  4. Use one of these commands to assign a role:

    • To a user:

      yc kms symmetric-key add-access-binding \
  --id <key_ID> \
  --role <role> \
  --user-account-id <user_ID>

    • To a federated user:

      yc kms symmetric-key add-access-binding \
  --id <key_ID> \
  --role <role> \
  --subject federatedUser:<user_ID>

    • To a service account:

      yc kms symmetric-key add-access-binding \
  --id <key_ID> \
  --role <role> \
  --service-account-id <service_account_ID>

    • To a user group:

      yc kms symmetric-key add-access-binding \
  --id <key_ID> \
  --role <role> \
  --subject group:<group_ID>

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To assign a role for a symmetric encryption key using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

    resource "yandex_kms_symmetric_key_iam_member" "key-viewers" {
  symmetric_encryption_key_id = "<key_ID>"

  role    = "<role>"
  members = ["<subject_type>:<subject_ID>","<subject_type>:<subject_ID>"]
}

    Where:

    • symmetric_encryption_key_id: ID of the symmetric encryption key.
    • role: Role being assigned.
    • members: Types and IDs of entities assigned the role. Use this format: userAccount:<user_ID> or serviceAccount:<service_account_ID>.

    For more information about yandex_kms_symmetric_key_iam_member resource properties, see this provider guide.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources using this CLI command:

    yc kms symmetric-key list-access-bindings <key_ID>

Use the updateAccessBindings method for the SymmetricKey resource or the SymmetricKeyService/UpdateAccessBindings gRPC API call and provide the following in the request:

  • ADD value in the accessBindingDeltas[].action parameter to add a role.
  • Role in the accessBindingDeltas[].accessBinding.roleId parameter.
  • ID of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.id parameter.
  • Type of the subject you are assigning the role to in the accessBindingDeltas[].accessBinding.subject.type parameter.

Assigning multiple roles

  1. In the management console, select the folder where the secret is stored.
  2. In the list of services, select Key Management Service.
  3. In the left-hand panel, select Symmetric keys.
  4. Click the name of the key you need.
  5. Go to Access bindings and click Assign roles.
  6. Select the group, user, or service account you want to grant access to the key.
  7. Click Add role and select the required roles.
  8. Click Save.

Alert

The set-access-bindings command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To assign multiple roles for a symmetric encryption key:

  1. Make sure the symmetric key has no roles assigned that you would not want to lose:

    yc kms symmetric-key list-access-bindings \
  --id <key_ID>

  2. See the description of the CLI role assignment command:

    yc kms symmetric-key set-access-bindings --help

  3. Get a list of symmetric encryption keys with their IDs:

    yc kms symmetric-key list

  4. Get the ID of the user, service account, or user group you are assigning roles to.

  5. Use one of the commands below to assign roles:

    • To a Yandex account user or local user:

      yc kms symmetric-key set-access-bindings \
  --id <key_ID> \
  --access-binding role=<role>,user-account-id=<user_ID>

    • To a federated user:

      yc kms symmetric-key set-access-bindings \
  --id <key_ID> \
  --access-binding role=<role>,subject=federatedUser:<user_ID>

    • To a service account:

      yc kms symmetric-key set-access-bindings \
  --id <key_ID> \
  --access-binding role=<role>,service-account-id=<service_account_ID>

    • To a user group:

      yc kms symmetric-key set-access-bindings \
  --id <key_ID> \
  --access-binding role=<role>,subject=group:<group_ID>

    Provide a separate --access-binding parameter for each role. Here is an example:

    yc kms symmetric-key set-access-bindings \
  --id <key_ID> \
  --access-binding role=<role1>,service-account-id=<service_account_ID> \
  --access-binding role=<role2>,service-account-id=<service_account_ID> \
  --access-binding role=<role3>,service-account-id=<service_account_ID>

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the relevant documentation on the Terraform website or its mirror.

If you do not have Terraform yet, install it and configure the Yandex Cloud provider.

To assign multiple roles for a symmetric encryption key using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

    # Role 1
resource "yandex_kms_symmetric_key_iam_member" "key-viewers" {
  symmetric_encryption_key_id = "<key_ID>"

  role    = "<role_1>"
  members = ["<subject_type>:<subject_ID>"]
}

# Role 2
resource "yandex_kms_symmetric_key_iam_member" "key-editors" {
  symmetric_encryption_key_id = "<key_ID>"

  role    = "<role_2>"
  members = ["<subject_type>:<subject_ID>"]
}

    Where:

    • symmetric_encryption_key_id: ID of the symmetric encryption key.
    • role: Role being assigned.
    • members: Types and IDs of entities assigned the role. Use this format: userAccount:<user_ID> or serviceAccount:<service_account_ID>.

    For more information about yandex_kms_symmetric_key_iam_member resource properties, see this provider guide.

  2. Create the resources:

    1. In the terminal, go to the directory where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      You will see a detailed list of resources. No changes will be made at this step. If the configuration contains any errors, Terraform will show them.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

    Terraform will create all the required resources. You can check the new resources using this CLI command:

    yc kms symmetric-key list-access-bindings <key_ID>

Alert

The setAccessBindings method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.

Use the SetAccessBindings method for the SymmetricKey resource or the SymmetricKeyService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:

  • Role in the accessBindings[].roleId parameter.
  • ID of the subject getting the roles in the accessBindings[].subject.id parameter.
  • Type of the subject getting the roles in the accessBindings[].subject.type parameter.
Previous
Data encryption
Next
Encryption key pair