Managing access to Managed Service for Trino

In this section, you will learn:

• What resources you can assign a role for.
• Roles existing in this service.
• What roles are required for particular actions.

To use the service, log in to the management console with a Yandex account or federated account.

About access managementAbout access management

In Yandex Cloud, all transactions are checked in Yandex Identity and Access Management. If a subject does not have the required permission, the service returns an error.

To grant permissions for a resource, assign roles for this resource to the subject that will perform the operations. You can assign roles to a Yandex account, service account, federated users, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.

To assign a role for a resource, a user needs the managed-trino.admin role or one of the following roles for that resource:

• admin
• resource-manager.admin
• organization-manager.admin
• resource-manager.clouds.owner
• organization-manager.organizations.owner

Resources you can assign a role forResources you can assign a role for

You can assign a role to an organization, cloud, or folder. The roles assigned for organizations, clouds, or folders also apply to nested resources.

To allow access to Managed Service for Trino resources, such as clusters and accounts, give the user the relevant roles for the folder, cloud, or organization containing those resources.

Roles existing in this serviceRoles existing in this service

Below is a list of all roles that are used to verify access rights in the service.

Service rolesService roles

managed-trino.auditormanaged-trino.auditor

The managed-trino.auditor role enables viewing info on Trino clusters and the quotas for Managed Service for Trino.

managed-trino.viewermanaged-trino.viewer

The managed-trino.viewer role enables viewing info on Trino clusters and the quotas for Managed Service for Trino.

This role also includes the managed-trino.auditor permissions.

managed-trino.usermanaged-trino.user

The managed-trino.user role enables performing basic operations on Trino clusters.

Users with this role can:

• Use the Trino web UI.
• Send requests to the Trino API.
• View info on Trino clusters.
• View info on the quotas for Managed Service for Trino.

This role also includes the managed-trino.viewer permissions.

managed-trino.editormanaged-trino.editor

The managed-trino.editor role enables managing Trino clusters and performing operations on them, as well as viewing the quotas for Managed Service for Trino.

Users with this role can:

• View info on Trino clusters, as well as create, modify, run, stop, and delete them.
• Use the Trino web UI.
• Send requests to the Trino API.
• View info on the quotas for Managed Service for Trino.

This role also includes the managed-trino.user permissions.

To create Trino clusters, you also need the vpc.user role.

managed-trino.adminmanaged-trino.admin

The managed-trino.admin role enables managing Trino clusters and performing operations on them, as well as viewing the quotas for Managed Service for Trino.

Users with this role can:

• View info on Trino clusters, as well as create, modify, run, stop, and delete them.
• Use the Trino web UI.
• Send requests to the Trino API.
• View info on the quotas for Managed Service for Trino.

This role also includes the managed-trino.editor permissions.

To create Trino clusters, you also need the vpc.user role.

managed-trino.integrationProvidermanaged-trino.integrationProvider

The managed-trino.integrationProvider role enables a Trino cluster to work with user resources required for its operation on behalf of a service account. You need to assign this role to a service account linked to a Trino cluster.

Users with this role can:

• Add entries to log groups.
• View info on log groups.
• View info on log sinks.
• View info on granted access permissions for Cloud Logging resources.
• View info on log exports.
• View info on metrics and their labels, as well as upload and download metrics.
• View lists of dashboards and widgets and info on them, as well as create, modify, and delete them.
• View notification history.
• View details on Monitoring quotas.
• View info on the relevant cloud and folder.

This role also includes the logging.writer and monitoring.editor permissions.

Primitive rolesPrimitive roles

Primitive roles allow users to perform actions in all Yandex Cloud services.

auditorauditor

The auditor role grants a permission to read configuration and metadata of any Yandex Cloud resources without any access to data.

For instance, users with this role can:

• View info on a resource.
• View the resource metadata.
• View the list of operations with a resource.

auditor is the most secure role that does not grant any access to the service data. This role suits the users who need minimum access to the Yandex Cloud resources.

viewerviewer

The viewer role grants the permissions to read the info on any Yandex Cloud resources.

This role also includes the auditor permissions.

Unlike auditor, the viewer role provides access to service data in read mode.

editoreditor

The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.

For instance, users with this role can create, modify, and delete resources.

This role also includes the viewer permissions.

adminadmin

The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).

Prior to assigning the admin role for an organization, cloud, or billing account, make sure to check out the information on protecting privileged accounts.

This role also includes the editor permissions.

Instead of primitive roles, we recommend using service roles. This ensures more selective access control and implementation of the principle of least privilege.

For more information about primitive roles, see the Yandex Cloud role reference.

Roles requiredRoles required

To use the service, the user needs the managed-trino.editor role or higher for the folder in which the cluster is created. With the managed-trino.viewer role, one can only view the list of clusters.

To create an Managed Service for Trino cluster, the following roles are required: vpc.user, iam.serviceAccounts.user, and managed-trino.admin or higher.

You can always assign a role with more permissions. For example, you can assign the managed-trino.admin role instead of managed-trino.editor.

What's nextWhat's next

• How to assign a role.
• How to revoke a role.
• Learn more about access management in Yandex Cloud.
• Learn more about inheriting roles.