Setting up access for OIDC app users in Yandex Identity Hub
To grant access to an OIDC app, assign roles to subjects. Learn what roles the service has and assign the required ones.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
1. See the description of the CLI command for assigning roles to OIDC app users:

   yc organization-manager idp application oauth application set-access-bindings --help

2. Get a list of OIDC apps and their IDs:

   yc organization-manager idp application oauth application list --organization-id <organization_ID>

   Where --organization-id is the ID of the organization you need the list of OIDC apps for.

3. Get the ID of the user, service account, or user group you are assigning roles to.

4. Using the yc organization-manager idp application oauth application set-access-bindings command, assign the following roles:

   - To a Yandex account user or local user:

     yc organization-manager idp application oauth application set-access-bindings \
       --id <app_ID> \
       --access-binding role=<role>,user-account-id=<user_ID>

   - To a federated user:

     yc organization-manager idp application oauth application set-access-bindings \
       --id <app_ID> \
       --access-binding role=<role>,subject=federatedUser:<user_ID>

   - To a service account:

     yc organization-manager idp application oauth application set-access-bindings \
       --id <app_ID> \
       --access-binding role=<role>,service-account-id=<service_account_ID>

   - To a user group:

     yc organization-manager idp application oauth application set-access-bindings \
       --id <app_ID> \
       --access-binding role=<role>,subject=group:<group_ID>

   - To all authenticated users (the All authenticated users public group):

     yc organization-manager idp application oauth application set-access-bindings \
       --id <app_ID> \
       --access-binding role=<role>,all-authenticated-users

   Provide a separate --access-binding parameter for each role. Here is an example:

   yc organization-manager idp application oauth application set-access-bindings \
     --id <app_ID> \
     --access-binding role=<role1>,service-account-id=<service_account_ID> \
     --access-binding role=<role2>,service-account-id=<service_account_ID> \
     --access-binding role=<role3>,service-account-id=<service_account_ID>
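The following added helper script (not part of the Yandex Cloud documentation or the yc CLI) assembles the full set-access-bindings command from a list of subject-type:ID:role entries using the subject formats shown above, and refuses an empty binding list because set-access-bindings replaces the app's existing bindings instead of adding to them. The app ID, subject IDs, and role names in it are constructed placeholders; it prints the command rather than executing it.

```shell
#!/bin/sh
# Added example: build one set-access-bindings invocation covering every
# required subject. Subject types map to the --access-binding formats on the
# page; an unknown type is rejected so a typo cannot silently drop a binding.
binding_for() {
  type=$1; id=$2; role=$3
  case "$type" in
    user)      printf 'role=%s,user-account-id=%s' "$role" "$id" ;;
    federated) printf 'role=%s,subject=federatedUser:%s' "$role" "$id" ;;
    sa)        printf 'role=%s,service-account-id=%s' "$role" "$id" ;;
    group)     printf 'role=%s,subject=group:%s' "$role" "$id" ;;
    all)       printf 'role=%s,all-authenticated-users' "$role" ;;
    *)         echo "unknown subject type: $type" >&2; return 1 ;;
  esac
}

# Usage: build_command <app_ID> <type:ID:role> [<type:ID:role> ...]
# All bindings go into ONE call: set-access-bindings replaces the current
# bindings, so a call with a partial list would remove everyone not in it,
# and a call with no bindings would strip all access from the app.
build_command() {
  app_id=$1; shift
  [ "$#" -gt 0 ] || { echo "refusing to set an empty binding list" >&2; return 1; }
  cmd="yc organization-manager idp application oauth application set-access-bindings --id $app_id"
  for entry in "$@"; do
    t=${entry%%:*}; rest=${entry#*:}      # first field: subject type
    i=${rest%%:*};  r=${rest#*:}          # second field: ID, third: role
    b=$(binding_for "$t" "$i" "$r") || return 1
    cmd="$cmd --access-binding $b"
  done
  printf '%s\n' "$cmd"
}

# Demo with constructed placeholder IDs and roles (the "all" type has no ID).
build_command example-app-id \
  sa:example-sa-id:role1 \
  group:example-group-id:role2 \
  all::role3
```

Review the printed command and run it only when it lists every subject that should keep access.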