© 2025 Direct Cursus Technology L.L.C.
Managing access to a Managed Service for Kubernetes cluster

Written by
Yandex Cloud
Updated at August 26, 2025
  • Getting a list of roles assigned for a cluster
  • Assigning a role
  • Assigning multiple roles
  • Revoking a role

To grant a subject access to a cluster, assign them a role for the cluster.

Getting a list of roles assigned for a cluster

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. To get a list of clusters in the default folder, run this command:

    yc managed-kubernetes cluster list
    
  2. To get a list of roles assigned for the cluster, run this command:

    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
    

Assigning a role

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. View the description of the CLI command for assigning a role for a cluster:

    yc managed-kubernetes cluster add-access-binding --help
    
  2. Use this command to assign a role:

    yc managed-kubernetes cluster add-access-binding <cluster_name_or_ID> \
      --role <role_ID> \
      --subject <subject_type>:<subject_ID>
    

    Where:

    • --role: ID of the role to assign.

    • --subject: Type and ID of the subject you are assigning the role to, in <subject_type>:<subject_ID> format.

      Examples:

      • serviceAccount:aje6p030************
      • userAccount:aje8tj79************
      • system:allAuthenticatedUsers

      Possible subject types:

      • userAccount: Yandex account added to Yandex Cloud or an account from a user pool.

      • serviceAccount: Service account created in Yandex Cloud.

      • federatedUser: Account of an identity federation user.

      • group: Yandex Identity Hub user group.

      • system: Public group of users.

        The possible values of a subject ID are as follows:

        • allAuthenticatedUsers: All authenticated users.
        • allUsers: Any user. No authentication is required.

      To learn more about subject types, see the Subject a role is assigned to section.

  3. To view a list of roles assigned for the cluster, run this command:

    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
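
The following is an added example, not part of the original documentation: a Python check that reads the bindings returned by list-access-bindings and reports any role granted to the public `system` group or to a malformed subject. It assumes the CLI is run with `--format json` and that each entry carries `role_id` and `subject.type` / `subject.id` fields; the sample data, role names and IDs are constructed placeholders.

```python
import json

# Subject types and public-group IDs as listed on this page.
SUBJECT_TYPES = {"userAccount", "serviceAccount", "federatedUser", "group", "system"}
PUBLIC_IDS = {
    "allUsers": "any user, no authentication required",
    "allAuthenticatedUsers": "all authenticated users",
}

# Constructed sample; the JSON field names are an assumption about CLI output.
SAMPLE = """[
  {"role_id": "role-1", "subject": {"type": "serviceAccount", "id": "sa-placeholder-1"}},
  {"role_id": "role-2", "subject": {"type": "system", "id": "allAuthenticatedUsers"}},
  {"role_id": "role-3", "subject": {"type": "system", "id": "allUsers"}}
]"""


def classify_subject(subject):
    """Classify '<subject_type>:<subject_ID>' as 'invalid', 'public' or 'scoped'."""
    stype, sep, sid = subject.partition(":")
    if not sep or not sid or stype not in SUBJECT_TYPES:
        return "invalid"
    if stype == "system":
        # Only the two documented public groups are valid system subjects.
        return "public" if sid in PUBLIC_IDS else "invalid"
    return "scoped"


def audit_bindings(raw_json):
    """Return (role, subject, reason) for every public or malformed binding."""
    findings = []
    for b in json.loads(raw_json):
        subject = f'{b["subject"]["type"]}:{b["subject"]["id"]}'
        kind = classify_subject(subject)
        if kind == "public":
            findings.append((b["role_id"], subject, PUBLIC_IDS[b["subject"]["id"]]))
        elif kind == "invalid":
            findings.append((b["role_id"], subject, "unrecognized subject"))
    return findings


if __name__ == "__main__":
    for role, subject, reason in audit_bindings(SAMPLE):
        print(f"REVIEW {role} -> {subject}: {reason}")
```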
    

Terraform

Warning

Do not use the yandex_kubernetes_cluster_iam_member resource to assign roles managed by yandex_kubernetes_cluster_iam_binding.

  1. Open the current configuration file with the Managed Service for Kubernetes cluster description.

    For more information about creating this file, see Creating a Managed Service for Kubernetes cluster.

  2. Add a resource description:

    resource "yandex_kubernetes_cluster_iam_member" "<local_resource_name>" {
      cluster_id = "<cluster_ID>"
      role       = "<role_ID>"
      member     = "<subject_type>:<subject_ID>"
    }
    

    Where:

    • cluster_id: Cluster ID.

    • role: ID of the role to assign.

    • member: Type and ID of the subject you are assigning the role to, in <subject_type>:<subject_ID> format.

      Examples:

      • serviceAccount:${yandex_iam_service_account.k8s_sa.id}
      • userAccount:ajerq94v************
      • system:allAuthenticatedUsers

      Possible subject types:

      • userAccount: Yandex account added to Yandex Cloud or an account from a user pool.

      • serviceAccount: Service account created in Yandex Cloud.

      • federatedUser: Account of an identity federation user.

      • group: Yandex Identity Hub user group.

      • system: Public group of users.

        The possible values of a subject ID are as follows:

        • allAuthenticatedUsers: All authenticated users.
        • allUsers: Any user. No authentication is required.

      To learn more about subject types, see the Subject a role is assigned to section.

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    For more information, see the Terraform provider documentation.

  5. To view a list of roles assigned for the cluster, run this CLI command:

    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
    

Assigning multiple roles

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

Alert

The set-access-bindings command deletes all roles assigned for the cluster and assigns new ones.

  1. To view a list of roles assigned for the cluster, run this command:

    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
    
  2. See the description of the CLI command for assigning roles for a cluster:

    yc managed-kubernetes cluster set-access-bindings --help
    
  3. To assign roles, run this command:

    yc managed-kubernetes cluster set-access-bindings <cluster_name_or_ID> \
      --access-binding role=<role_1_ID>,subject=<subject_type>:<subject_1_ID> \
      --access-binding role=<role_2_ID>,subject=<subject_type>:<subject_2_ID>
    

    Where --access-binding assigns a role to a subject. You can assign multiple roles at once by describing each of them in a separate --access-binding parameter.

    • role: ID of the role to assign.

    • subject: Type and ID of the subject you are assigning the role to, in <subject_type>:<subject_ID> format.

      Examples:

      • serviceAccount:aje6p030************
      • userAccount:aje8tj79************
      • system:allAuthenticatedUsers

      Possible subject types:

      • userAccount: Yandex account added to Yandex Cloud or an account from a user pool.

      • serviceAccount: Service account created in Yandex Cloud.

      • federatedUser: Account of an identity federation user.

      • group: Yandex Identity Hub user group.

      • system: Public group of users.

        The possible values of a subject ID are as follows:

        • allAuthenticatedUsers: All authenticated users.
        • allUsers: Any user. No authentication is required.

      To learn more about subject types, see the Subject a role is assigned to section.
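
Because set-access-bindings replaces the whole set of bindings, the command has to carry every binding that should survive. The following added example (not part of the original documentation) models that in Python: it shows which existing bindings a call would delete and renders a command that keeps them. It assumes the `--format json` output shape (`role_id`, `subject.type`, `subject.id`); the helper names, roles, IDs and cluster name are constructed placeholders.

```python
import json
import shlex

# Constructed sample of `list-access-bindings --format json` output.
# Assumptions: the JSON field names (role_id, subject.type, subject.id);
# the role and subject IDs are placeholders, not real identifiers.
CURRENT_JSON = """[
  {"role_id": "role-1", "subject": {"type": "serviceAccount", "id": "sa-placeholder-1"}},
  {"role_id": "role-2", "subject": {"type": "userAccount", "id": "user-placeholder-1"}}
]"""


def load_bindings(raw):
    """Return the current bindings as a set of (role, 'type:id') pairs."""
    return {
        (b["role_id"], f'{b["subject"]["type"]}:{b["subject"]["id"]}')
        for b in json.loads(raw)
    }


def plan_set(current, requested, keep_existing=True):
    """Model set-access-bindings: the final state is exactly what is passed."""
    final = set(requested) | (current if keep_existing else set())
    return {
        "final": sorted(final),
        "removed": sorted(current - final),  # bindings the command would delete
        "added": sorted(final - current),
    }


def build_command(cluster, bindings):
    """Render the CLI call with one --access-binding per (role, subject)."""
    args = ["yc", "managed-kubernetes", "cluster", "set-access-bindings", cluster]
    for role, subject in bindings:
        args += ["--access-binding", f"role={role},subject={subject}"]
    return shlex.join(args)


if __name__ == "__main__":
    current = load_bindings(CURRENT_JSON)
    new = [("role-3", "serviceAccount:sa-placeholder-2")]
    naive = plan_set(current, new, keep_existing=False)
    print("passing only the new binding would delete:", naive["removed"])
    safe = plan_set(current, new)
    print(build_command("cluster-placeholder", safe["final"]))
```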

Terraform

Warning

Do not use the yandex_kubernetes_cluster_iam_member resource to assign roles managed by yandex_kubernetes_cluster_iam_binding.

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see Creating clusters.

  2. Add resource descriptions:

    resource "yandex_kubernetes_cluster_iam_member" "<resource_1_local_name>" {
      cluster_id = "<cluster_ID>"
      role       = "<role_1_ID>"
      member     = "<subject_type>:<subject_ID>"
    }
    
    resource "yandex_kubernetes_cluster_iam_member" "<resource_2_local_name>" {
      cluster_id = "<cluster_ID>"
      role       = "<role_2_ID>"
      member     = "<subject_type>:<subject_ID>"
    }
    

    Where:

    • cluster_id: Cluster ID.

    • role: ID of the role to assign.

    • member: Type and ID of the subject you are assigning the role to, in <subject_type>:<subject_ID> format.

      Examples:

      • serviceAccount:${yandex_iam_service_account.k8s_sa.id}
      • userAccount:ajerq94v************
      • system:allAuthenticatedUsers

      Possible subject types:

      • userAccount: Yandex account added to Yandex Cloud or an account from a user pool.

      • serviceAccount: Service account created in Yandex Cloud.

      • federatedUser: Account of an identity federation user.

      • group: Yandex Identity Hub user group.

      • system: Public group of users.

        The possible values of a subject ID are as follows:

        • allAuthenticatedUsers: All authenticated users.
        • allUsers: Any user. No authentication is required.

      To learn more about subject types, see the Subject a role is assigned to section.

  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    For more information, see the Terraform provider documentation.

  5. To view a list of roles assigned for the cluster, run this CLI command:

    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
    

Revoking a role

CLI

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. To view a list of roles assigned for the cluster, run this command:

    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
    
  2. See the description of the CLI command for revoking a role for a cluster:

    yc managed-kubernetes cluster remove-access-binding --help
    
  3. To revoke a role, run this command:

    yc managed-kubernetes cluster remove-access-binding <cluster_name_or_ID> \
      --role <role_ID> \
      --subject <subject_type>:<subject_ID>
    

    Where:

    • --role: ID of the role to revoke.

    • --subject: Type and ID of the subject the role is assigned to, in <subject_type>:<subject_ID> format.

      Examples:

      • serviceAccount:aje6p030************
      • userAccount:aje8tj79************
      • system:allAuthenticatedUsers

      Possible subject types:

      • userAccount: Yandex account added to Yandex Cloud or an account from a user pool.

      • serviceAccount: Service account created in Yandex Cloud.

      • federatedUser: Account of an identity federation user.

      • group: Yandex Identity Hub user group.

      • system: Public group of users.

        The possible values of a subject ID are as follows:

        • allAuthenticatedUsers: All authenticated users.
        • allUsers: Any user. No authentication is required.

      To learn more about subject types, see the Subject a role is assigned to section.

Terraform

Warning

Do not use the yandex_kubernetes_cluster_iam_member resource to assign roles managed by yandex_kubernetes_cluster_iam_binding.

  1. Open the current Terraform configuration file that defines your infrastructure.

    For more information about creating this file, see Creating clusters.

  2. Find the description of the resource with the role you want to revoke and delete this description:

    resource "yandex_kubernetes_cluster_iam_member" "<local_resource_name>" {
      cluster_id = "<cluster_ID>"
      role       = "<role_ID>"
      member     = "<subject_type>:<subject_ID>"
    }
    
  3. Make sure the configuration files are correct.

    1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.

    2. Run this command:

      terraform validate
      

      Terraform will show any errors found in your configuration files.

  4. Confirm updating the resources.

    1. Run this command to view the planned changes:

      terraform plan
      

      If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.

    2. If everything looks correct, apply the changes:

      1. Run this command:

        terraform apply
        
      2. Confirm updating the resources.

      3. Wait for the operation to complete.

    For more information, see the Terraform provider documentation.

  5. To view a list of roles assigned for the cluster, run this CLI command:

    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
    
