Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Managing access to a Managed Service for ClickHouse® cluster

Written by
Updated at April 9, 2026

You can assign a user or service account a role that grants access to a specific cluster.

This way, you can granularly assign different roles for specific clusters to different users and service accounts.

Getting a list of roles assigned for a cluster

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. To get a list of clusters in the default folder, run this command:

    yc managed-clickhouse cluster list

  2. To get a list of roles assigned for the cluster, run this command:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.ListAccessBindings method, e.g., via the following cURL request:

    curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>:listAccessBindings'

  3. View the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.ListAccessBindings method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/cluster_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<cluster_ID>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.clickhouse.v1.ClusterService.ListAccessBindings

  4. Check the server response to make sure your request was successful.

Assigning a role

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. View the description of the CLI command for assigning a role for a cluster:

    yc managed-clickhouse cluster add-access-binding --help

  2. Use this command to assign a role:

    yc managed-clickhouse cluster add-access-binding <cluster_name_or_ID> \
  --role <role> \
  --subject <subject_type>:<subject_ID>

    Where:

    • --role: Role being assigned, e.g., managed-clickhouse.editor.

    • --subject: Type and ID of the subject you are assigning the role to, in <subject_type>:<subject_ID> format.

      Here is an example:

      • serviceAccount:aje6p030************
      • userAccount:aje8tj79************
      • system:allAuthenticatedUsers

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  3. To view a list of roles assigned for the cluster, run this command:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

  1. Open the current configuration file with the Managed Service for ClickHouse® cluster description.

    For more on how to create this file, see Creating a ClickHouse® cluster.

  2. Add a resource description:

    resource "yandex_mdb_clickhouse_cluster_iam_binding" "<local_resource_name>" {
  cluster_id = "<cluster_ID>"
  role       = "<role>"
  members    = ["<subject_type>:<subject_ID>"]
}

    Where:

    • cluster_id: Cluster ID.

    • role: Role being assigned, e.g., managed-clickhouse.editor.

    • members: List of types and IDs of subjects the role is assigned to in <subject_type>:<subject_ID> format.

      Here is an example:

      • serviceAccount:${yandex_iam_service_account.mch_sa.id}
      • userAccount:ajerq94vab34********
      • system:allAuthenticatedUsers

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    For more information, see this Terraform provider guide.

  5. To view a list of roles assigned for the cluster, run this CLI command:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.UpdateAccessBindings method, e.g., via the following cURL request:

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>:updateAccessBindings' \
  --data '{
            "access_binding_deltas": [
              {
                "action": "ADD",
                "access_binding": {
                  "role_id": "<role>",
                  "subject": {
                    "id": "<subject_ID>",
                    "type": "<subject_type>"
                  }
                }
              }
            ]
          }'

    Where:

    • access_binding_deltas.roleId: Role being assigned, e.g., managed-clickhouse.editor.

    • access_binding_deltas.subject.id: ID of the subject getting the role.

    • access_binding_deltas.subject.type: Type of subject the role is assigned to.

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.UpdateAccessBindings method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/cluster_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<cluster_ID>",
        "access_binding_deltas": [
          {
            "action": "ADD",
            "access_binding": {
              "role_id": "<role>",
              "subject": {
                "id": "<subject_ID>",
                "type": "<subject_type>"
              }
            }
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.clickhouse.v1.ClusterService.UpdateAccessBindings

    Where:

    • resource_id: Cluster ID.

    • access_binding_deltas.roleId: Role being assigned, e.g., managed-clickhouse.editor.

    • access_binding_deltas.subject.id: ID of the subject getting the role.

    • access_binding_deltas.subject.type: Type of subject the role is assigned to.

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  4. Check the server response to make sure your request was successful.

Assigning multiple roles

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

Alert

The set-access-bindings command deletes all roles assigned for the cluster and assigns new ones.

  1. To view a list of roles assigned for the cluster, run this command:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

  2. View the description of the CLI command for assigning roles for a cluster:

    yc managed-clickhouse cluster set-access-bindings --help

  3. To assign roles, run this command:

    yc managed-clickhouse cluster set-access-bindings <cluster_name_or_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_1_ID> \
  --access-binding role=<role>,subject=<subject_type>:<subject_2_ID>

    Where --access-binding assigns a role to a subject. You can assign multiple roles at once by describing each of them in a separate --access-binding parameter.

    • role: Role being assigned, e.g., managed-clickhouse.editor.

    • subject: Type and ID of the subject you are assigning the role to, in <subject_type>:<subject_ID> format.

      Here is an example:

      • serviceAccount:aje6p030************
      • userAccount:aje8tj79************
      • system:allAuthenticatedUsers

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  1. Open the current Terraform configuration file describing your infrastructure.

    For more on how to create this file, see Creating a cluster.

  2. Add resource descriptions:

    resource "yandex_mdb_clickhouse_cluster_iam_binding" "<resource_1_local_name>" {
  cluster_id = "<cluster_ID>"
  role       = "<role_1>"
  members    = ["<subject_type>:<subject_ID>"]
}

resource "yandex_mdb_clickhouse_cluster_iam_binding" "<resource_2_local_name>" {
  cluster_id = "<cluster_ID>"
  role       = "<role_2>"
  members    = ["<subject_type>:<subject_ID>"]
}

    Where:

    • cluster_id: Cluster ID.

    • role: Role being assigned, e.g., managed-clickhouse.editor.

    • members: List of types and IDs of subjects the role is assigned to in <subject_type>:<subject_ID> format.

      Here is an example:

      • serviceAccount:${yandex_iam_service_account.mch_sa.id}
      • userAccount:ajerq94vab34********
      • system:allAuthenticatedUsers

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    For more information, see this Terraform provider guide.

  5. To view a list of roles assigned for the cluster, run this CLI command:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

Alert

The setAccessBindings method overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.SetAccessBindings method, e.g., via the following cURL request:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>:setAccessBindings' \
  --data '{
            "accessBindings": [
              {
                "roleId": "<role>",
                "subject": {
                  "id": "<subject_1_ID>",
                  "type": "<subject_type>"
                }
              },
              {
                "roleId": "<role>",
                "subject": {
                  "id": "<subject_2_ID>",
                  "type": "<subject_type>"
                }
              },
              ...
              {
                "roleId": "<role>",
                "subject": {
                  "id": "<subject_N_ID>",
                  "type": "<subject_type>"
                }
              }
            ]
          }'

    Where:

    • accessBindings.roleId: Role being assigned, e.g., managed-clickhouse.editor.

    • accessBindings.subject.id: ID of the subject getting the role.

    • accessBindings.subject.type: Type of subject the role is assigned to.

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  3. Check the server response to make sure your request was successful.

Alert

The ClusterService.SetAccessBindings method completely overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.SetAccessBindings method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/cluster_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<cluster_ID>",
        "accessBindings": [
          {
            "roleId": "<role>",
            "subject": {
              "id": "<subject_1_ID>",
              "type": "<subject_type>"
            }
          },
          {
            "roleId": "<role>",
            "subject": {
              "id": "<subject_2_ID>",
              "type": "<subject_type>"
            }
          },
          ...
          {
            "roleId": "<role>",
            "subject": {
              "id": "<subject_N_ID>",
              "type": "<subject_type>"
            }
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.clickhouse.v1.ClusterService.SetAccessBindings

    Where:

    • resource_id: Cluster ID.

    • accessBindings.roleId: Role being assigned, e.g., managed-clickhouse.editor.

    • accessBindings.subject.id: ID of the subject getting the role.

    • accessBindings.subject.type: Type of subject the role is assigned to.

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  4. Check the server response to make sure your request was successful.

Revoking a role

If you do not have the Yandex Cloud CLI yet, install and initialize it.

The folder used by default is the one specified when creating the CLI profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id options.

  1. To view a list of roles assigned for the cluster, run this command:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

  2. View the description of the CLI command for revoking a role for a cluster:

    yc managed-clickhouse cluster remove-access-binding --help

  3. To revoke a role, run this command:

    yc managed-clickhouse cluster remove-access-binding <cluster_name_or_ID> \
  --role <role> \
  --subject <subject_type>:<subject_ID>

    Where:

    • --role: Role being revoked, e.g., managed-clickhouse.editor.

    • --subject: Type and ID of the subject the role is assigned to, in <subject_type>:<subject_ID> format.

      Here is an example:

      • serviceAccount:aje6p030************
      • userAccount:aje8tj79************
      • system:allAuthenticatedUsers

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  1. Open the current Terraform configuration file describing your infrastructure.

    For more on how to create this file, see Creating a cluster.

  2. Find the description of the resource with the role you want to revoke and delete this description:

    resource "yandex_mdb_clickhouse_cluster_iam_binding" "<local_resource_name>" {
  cluster_id = "<cluster_ID>"
  role       = "<role>"
  members    = ["<subject_type>:<subject_ID>"]
}

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    For more information, see this Terraform provider guide.

  5. To view a list of roles assigned for the cluster, run this CLI command:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Call the Cluster.UpdateAccessBindings method, e.g., via the following cURL request:

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>:updateAccessBindings' \
  --data '{
            "access_binding_deltas": [
              {
                "action": "REMOVE",
                "access_binding": {
                  "role_id": "<role>",
                  "subject": {
                    "id": "<subject_ID>",
                    "type": "<subject_type>"
                  }
                }
              }
            ]
          }'

    Where:

    • access_binding_deltas.roleId: Role being assigned, e.g., managed-clickhouse.editor.

    • access_binding_deltas.subject.id: ID of the subject getting the role.

    • access_binding_deltas.subject.type: Type of subject the role is assigned to.

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  3. Check the server response to make sure your request was successful.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Call the ClusterService.UpdateAccessBindings method, e.g., via the following gRPCurl request:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/cluster_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<cluster_ID>",
        "access_binding_deltas": [
          {
            "action": "REMOVE",
            "access_binding": {
              "role_id": "<role>",
              "subject": {
                "id": "<subject_ID>",
                "type": "<subject_type>"
              }
            }
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.clickhouse.v1.ClusterService.UpdateAccessBindings

    Where:

    • resource_id: Cluster ID.

    • access_binding_deltas.roleId: Role being revoked, e.g., managed-clickhouse.editor.

    • access_binding_deltas.subject.id: ID of the subject to revoke the role from.

    • access_binding_deltas.subject.type: Subject type to revoke a role from.

      The possible subject types include:

      Learn more about subject types in Subject a role is assigned to.

  4. Check the server response to make sure your request was successful.

Examples

Granting cluster management access to a service account

For a service account to be able to view the info of all Managed Service for ClickHouse® clusters in the folder but modify the resources in one particular cluster alone, give it the managed-clickhouse.viewer role for the folder and the managed-clickhouse.editor role for that cluster:

  1. Assign the role for the folder:

    yc resource-manager folder add-access-binding <folder_name_or_ID> \
  --role managed-clickhouse.viewer \
  --subject=serviceAccount:<service_account_ID>

  2. Assign the roles for the cluster:

    yc managed-clickhouse cluster add-access-binding <cluster_name_or_ID> \
  --access-binding role=managed-clickhouse.editor,subject=serviceAccount:<service_account_ID>

  3. Check the list of roles assigned for the cluster:

    yc managed-clickhouse cluster list-access-bindings <cluster_name_or_ID>

  1. Open the current Terraform configuration file describing your infrastructure.

    For more on how to create this file, see Creating a cluster.

  2. Add resource descriptions:

    resource "yandex_resourcemanager_folder_iam_member" "mch-viewer-account-iam" {
  folder_id   = "<folder_ID>"
  role        = "managed-clickhouse.viewer"
  member      = "serviceAccount:<service_account_ID>"
}

resource "yandex_mdb_clickhouse_cluster_iam_binding" "mch-cluster-api-editor" {
  cluster_id = "<cluster_ID>"
  role       = "managed-clickhouse.editor"
  members    = ["serviceAccount:<service_account_ID>"]
}

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply

      2. Confirm updating the resources.

      3. Wait for the operation to complete.

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Assign the role for the folder:

    curl \
  --request POST \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings' \
  --data '{
            "access_binding_deltas": [
              {
                "action": "ADD",
                "access_binding": {
                  "role_id": "managed-clickhouse.viewer",
                  "subject": {
                    "id": "<service_account_ID>",
                    "type": "serviceAccount"
                  }
                }
              }
            ]
          }'

    access_binding_deltas.subject.id: ID of the service account the role is assigned to.

  3. Call the Cluster.UpdateAccessBindings method, e.g., via the following cURL request:

    curl \
  --request PATCH \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>:updateAccessBindings' \
  --data '{
            "access_binding_deltas": [
              {
                "action": "ADD",
                "access_binding": {
                  "role_id": "managed-clickhouse.editor",
                  "subject": {
                    "id": "<service_account_ID>",
                    "type": "serviceAccount"
                  }
                }
              }
            ]
          }'

    access_binding_deltas.subject.id: ID of the service account the role is assigned to.

  4. Check the list of roles assigned for the folder:

    curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings'

  5. Check the list of roles assigned for the cluster:

    curl \
  --request GET \
  --header "Authorization: Bearer $IAM_TOKEN" \
  --header "Content-Type: application/json" \
  --url 'https://mdb.api.cloud.yandex.net/managed-clickhouse/v1/clusters/<cluster_ID>:listAccessBindings'

  1. Get an IAM token for API authentication and put it into an environment variable:

    export IAM_TOKEN="<IAM_token>"

  2. Clone the cloudapi repository:

    cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi

    Below, we assume that the repository contents reside in the ~/cloudapi/ directory.

  3. Assign the role for the folder:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<cluster_ID>",
        "access_binding_deltas": [
          {
            "action": "ADD",
            "access_binding": {
              "role_id": "managed-clickhouse.viewer",
              "subject": {
                "id": "<service_account_ID>",
                "type": "serviceAccount"
              }
            }
          }
        ]
      }' \
  resource-manager.api.cloud.yandex.net:443 \
  yandex.cloud.resourcemanager.v1.FolderService.UpdateAccessBindings

    access_binding_deltas.subject.id: ID of the service account the role is assigned to.

  4. Assign the role for the cluster:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/cluster_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<cluster_ID>",
        "access_binding_deltas": [
          {
            "action": "ADD",
            "access_binding": {
              "role_id": "managed-clickhouse.editor",
              "subject": {
                "id": "<service_account_ID>",
                "type": "serviceAccount"
              }
            }
          }
        ]
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.clickhouse.v1.ClusterService.UpdateAccessBindings

    access_binding_deltas.subject.id: ID of the service account the role is assigned to.

  5. Check the list of roles assigned for the folder:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<folder_ID>"
      }' \
  resource-manager.api.cloud.yandex.net:443 \
  yandex.cloud.resourcemanager.v1.FolderService.ListAccessBindings

  6. Check the list of roles assigned for the cluster:

    grpcurl \
  -format json \
  -import-path ~/cloudapi/ \
  -import-path ~/cloudapi/third_party/googleapis/ \
  -proto ~/cloudapi/yandex/cloud/mdb/clickhouse/v1/cluster_service.proto \
  -rpc-header "Authorization: Bearer $IAM_TOKEN" \
  -d '{
        "resource_id": "<cluster_ID>"
      }' \
  mdb.api.cloud.yandex.net:443 \
  yandex.cloud.mdb.clickhouse.v1.ClusterService.ListAccessBindings
Previous
Managing backups
Next
Deleting a cluster