Contact UsGet started
© 2025 Direct Cursus Technology L.L.C.

Setting up access for pool users

Written by
Updated at November 29, 2025

Note

This feature is at the Preview stage.

To grant access to a pool, assign roles to subjects. Learn what roles the service has and assign the required ones.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for assigning roles to pool users:

    yc organization-manager idp userpool set-access-bindings --help

  2. Get the list of user pools and their IDs:

    yc organization-manager idp userpool list --organization-id <organization_ID>

    Where --organization-id is the ID of the organization you need the list of user pools for.

  3. Get the ID of the user, service account, or user group you are assigning roles to.

  4. Using the yc organization-manager idp userpool set-access-bindings command, assign the following roles:

    • To a Yandex account user or local user:

      yc organization-manager idp userpool set-access-bindings \
  --id <pool_ID> \
  --access-binding role=<role>,user-account-id=<user_ID>

    • To a federated user:

      yc organization-manager idp userpool set-access-bindings \
  --id <pool_ID> \
  --access-binding role=<role>,subject=federatedUser:<user_ID>

    • To a service account:

      yc organization-manager idp userpool set-access-bindings \
  --id <pool_ID> \
  --access-binding role=<role>,service-account-id=<service_account_ID>

    • To a user group:

      yc organization-manager idp userpool set-access-bindings \
  --id <pool_ID> \
  --access-binding role=<role>,subject=group:<group_ID>

    • To all authenticated users (the All authenticated users public group):

      yc organization-manager idp userpool set-access-bindings \
  --id <pool_ID> \
  --access-binding role=<role>,all-authenticated-users

    Provide a separate --access-binding parameter for each role. Here is an example:

    yc organization-manager idp userpool set-access-bindings \
  --id <pool_ID> \
  --access-binding role=<role1>,service-account-id=<service_account_ID> \
  --access-binding role=<role2>,service-account-id=<service_account_ID> \
  --access-binding role=<role3>,service-account-id=<service_account_ID>

Use the Userpool.SetAccessBindings REST API method for the Userpool resource or the UserpoolService/SetAccessBindings gRPC API call.

Previous
Getting a list of users in a pool
Next
Deleting a user pool