Configuring access permissions for a symmetric encryption key
You can grant access to a symmetric key to a user, service account, or user group. To do this, assign roles for the key. To choose the ones you need, learn about the service's roles.
Assigning a role
- In the management console
, select the folder where the secret is stored. - In the list of services, select Key Management Service.
- In the left-hand panel, select
Symmetric keys. - Click the name of the key you need.
- Go to the
Access bindings section and click Assign bindings. - Select the group, user, or service account you want to grant access to the key.
- Click
Add role and select the roles. - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To assign a role for a symmetric key:
-
See the description of the CLI role assignment command:
yc kms symmetric-key add-access-binding --help
-
Get a list of symmetric keys with their IDs:
yc kms symmetric-key list
-
Get the ID of the user, service account, or user group you are assigning a role to.
-
Use one of these commands to assign a role:
-
To a user:
yc kms symmetric-key add-access-binding \ --id <key_ID> \ --role <role> \ --user-account-id <user_ID>
-
To a federated user:
yc kms symmetric-key add-access-binding \ --id <key_ID> \ --role <role> \ --subject federatedUser:<user_ID>
-
To a service account:
yc kms symmetric-key add-access-binding \ --id <key_ID> \ --role <role> \ --service-account-id <service_account_ID>
-
To a user group:
yc kms symmetric-key add-access-binding \ --id <key_ID> \ --role <role> \ --subject group:<group_ID>
-
Use the updateAccessBindings method for the SymmetricKey resource or the SymmetricKeyService/UpdateAccessBindings gRPC API call and provide the following in the request:
ADD
in theaccessBindingDeltas[].action
parameter to add a role.- Role in the
accessBindingDeltas[].accessBinding.roleId
parameter. - ID of the subject you are assigning the role to in the
accessBindingDeltas[].accessBinding.subject.id
parameter. - Type of the subject you are assigning the role to in the
accessBindingDeltas[].accessBinding.subject.type
parameter.
Assigning multiple roles
- In the management console
, select the folder where the secret is stored. - In the list of services, select Key Management Service.
- In the left-hand panel, select
Symmetric keys. - Click the name of the key you need.
- Go to the
Access bindings section and click Assign bindings. - Select the group, user, or service account you want to grant access to the key.
- Click
Add role and select the roles. - Click Save.
Alert
The set-access-bindings
command for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name
or --folder-id
parameter.
To assign multiple roles for a symmetric encryption key:
-
Make sure the symmetric key has no roles assigned that you would not want to lose:
yc kms symmetric-key list-access-bindings \ --id <key_ID>
-
See the description of the CLI role assignment command:
yc kms symmetric-key set-access-bindings --help
-
Get a list of symmetric encryption keys with their IDs:
yc kms symmetric-key list
-
Get the ID of the user, service account, or user group you are assigning roles to.
-
Use one of the commands below to assign roles:
-
To a Yandex account user:
yc kms symmetric-key set-access-bindings \ --id <key_ID> \ --access-binding role=<role>,user-account-id=<user_ID>
-
To a federated user:
yc kms symmetric-key set-access-bindings \ --id <key_ID> \ --access-binding role=<role>,subject=federatedUser:<user_ID>
-
To a service account:
yc kms symmetric-key set-access-bindings \ --id <key_ID> \ --access-binding role=<role>,service-account-id=<service_account_ID>
-
To a user group:
yc kms symmetric-key set-access-bindings \ --id <key_ID> \ --access-binding role=<role>,subject=group:<group_ID>
Provide a separate
--access-binding
flag for each role. Example:yc kms symmetric-key set-access-bindings \ --id <key_ID> \ --access-binding role=<role_1>,service-account-id=<service_account_ID> \ --access-binding role=<role_2>,service-account-id=<service_account_ID> \ --access-binding role=<role_3>,service-account-id=<service_account_ID>
-
Alert
The setAccessBindings
method for assigning multiple roles completely rewrites access permissions for the resource. All current resource roles will be deleted.
Use the setAccessBindings method for the SymmetricKey resource or the SymmetricKeyService/SetAccessBindings gRPC API call. In your request, provide an array of objects, each one corresponding to a particular role and containing the following data:
- Role in the
accessBindings[].roleId
parameter. - ID of the subject getting the roles in the
accessBindings[].subject.id
parameter. - Type of the subject getting the roles in the
accessBindings[].subject.type
parameter.