Yandex Cloud
Search
Contact UsGet started
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
  • All Services
  • System Status
    • Featured
    • Infrastructure & Network
    • Data Platform
    • Containers
    • Developer tools
    • Serverless
    • Security
    • Monitoring & Resources
    • AI Studio
    • Business tools
  • All Solutions
    • By industry
    • By use case
    • Economics and Pricing
    • Security
    • Technical Support
    • Start testing with double trial credits
    • Cloud credits to scale your IT product
    • Gateway to Russia
    • Cloud for Startups
    • Center for Technologies and Society
    • Yandex Cloud Partner program
  • Pricing
  • Customer Stories
  • Documentation
  • Blog
© 2025 Direct Cursus Technology L.L.C.
Yandex Cloud Logging
  • Getting started
    • All guides
    • Adding records
    • Reading records
    • Managing log group access permissions
  • Access management
  • Pricing policy
  • Terraform reference
  • Monitoring metrics
  • Audit Trails events
  • Release notes
  • FAQ

In this article:

  • Viewing roles assigned for a log group
  • Assigning roles for a log group
  • Revoking roles assigned for a log group
  1. Step-by-step guides
  2. Managing log group access permissions

Managing log group access permissions

Written by
Yandex Cloud
Updated at June 9, 2025
  • Viewing roles assigned for a log group
  • Assigning roles for a log group
  • Revoking roles assigned for a log group

You can view the roles assigned for a log group, revoke them, or assign new ones.

Note

The default log group inherits the roles assigned for the folder it resides in. To update the log group access permissions, assign or revoke the roles for the folder.

Viewing roles assigned for a log groupViewing roles assigned for a log group

CLI
API

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

To view the roles assigned for a custom log group, run this command:

yc logging group list-access-bindings --name=<log_group_name>

Result:

+---------+--------------+-----------------------+
| ROLE ID | SUBJECT TYPE |      SUBJECT ID       |
+---------+--------------+-----------------------+
| editor  | system       | allAuthenticatedUsers |
+---------+--------------+-----------------------+

To view the roles assigned for a custom log group, use the listAccessBindings REST API method for the LogGroup resource or the LogGroupService/ListAccessBindings gRPC API call.

Assigning roles for a log groupAssigning roles for a log group

CLI
API

Run the following command to assign a role for a custom log group:

  • To a user:

    yc logging group add-access-binding \
      --name <log_group_name> \
      --user-account-id <user_ID> \
      --role <role>
    

    Result:

    done (1s)
    
  • To a service account:

    yc logging group add-access-binding \
      --name <log_group_name> \
      --service-account-id <service_account_ID> \
      --role <role>
    

    Result:

    done (1s)
    
  • To all authenticated users (the All authenticated users public group):

    yc logging group add-access-binding \
      --name <log_group_name> \
      --all-authenticated-users \
      --role <role>
    

    Result:

    done (1s)
    

To assign roles for a custom log group, use the setAccessBindings REST API method for the LogGroup resource or the LogGroupService/SetAccessBindings gRPC API call.

Revoking roles assigned for a log groupRevoking roles assigned for a log group

CLI
API

Run this command to revoke a role assigned for a custom log group:

  • From a user:

    yc logging group remove-access-binding \
      --name <log_group_name> \
      --user-account-id <user_ID> \
      --role <role>
    

    Result:

    done (1s)
    
  • From a service account:

    yc logging group remove-access-binding \
      --name <log_group_name> \
      --service-account-id <service_account_ID> \
      --role <role>
    

    Result:

    done (1s)
    
  • From all authenticated users (the All authenticated users public group):

    yc logging group remove-access-binding \
      --name <log_group_name> \
      --all-authenticated-users \
      --role <role>
    

    Result:

    done (1s)
    

To revoke roles assigned to a custom log group, use the updateAccessBindings REST API method for the LogGroup resource or the LogGroupService/UpdateAccessBindings gRPC API call.

Was the article helpful?

Previous
Reading records
Next
Getting a list of log groups
© 2025 Direct Cursus Technology L.L.C.