Getting started with Yandex Identity Hub
An organization is the highest resource in the Yandex Cloud resource model hierarchy that consolidates the resources of all other services. Organizations are also used to manage users and their authentication and authorization settings.
When working with Yandex Cloud services, you create resources, such as managed database clusters, virtual machines, disks, networks, etc. Most services store their resources in folders. Folders belong to clouds, and clouds belong to organizations. A cloud may only belong to one organization, but you can move clouds between organizations. Yandex Resource Manager is a service that manages clouds and folders; Identity Hub manages organizations. Access to Yandex Cloud resources is managed via roles.
Yandex Cloud organization structure:
Getting started
- Go to the management console and log in to Yandex Cloud, or sign up if you have not done so yet.
- Accept the user agreement.
- In Yandex Cloud Billing, make sure you have a billing account linked and that its status is ACTIVE or TRIAL_ACTIVE. If you do not have a billing account yet, create one.
Create an organization
- Go to Yandex Identity Hub.
- Read the Yandex Cloud terms of use and click Log in.
- Enter your company name and description.
- Click Create a new organization.
After registering, you become the organization owner. You will be able to manage employee accounts and connect and disconnect services.
Manage users
Add a user to your organization
You can connect your employees using their Yandex accounts for access to the corporate services. If your company already uses a different account management system (such as Active Directory or Google Workspace), you can create an identity federation so that your employees can use their corporate accounts to access Yandex Cloud services.
To connect employees with Yandex accounts:
- Go to Yandex Identity Hub.
- In the left-hand panel, select Users.
- In the top-right corner of the screen, click Add user and select Invite users with a Yandex account from the drop-down list.
- Enter the email addresses of the users you want to invite to the organization (e.g., login@yandex.ru). You can send invitations to any email address. Invited users will be able to select the appropriate Yandex account once they accept the invitation.
- Click Send invitation.
The user will be connected to the organization as soon as they accept the invitation via the emailed link and select the appropriate account to log in. After that, you will be able to assign them the required roles.
For more information about users, see Organization membership.
Create a user group
You can configure access for multiple users at once by adding them to a group and assigning a role to this group. You can grant access to any Yandex Cloud resources to the group.
To create a user group:
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Groups.
- In the top-right corner of the page, click Create group.
- Enter a name and description for the group.
  The name must be unique within the organization and meet the following requirements:
  - It must be from 1 to 63 characters long.
  - It may contain only lowercase Latin letters, digits, and hyphens.
  - It must start with a letter and cannot end with a hyphen.
- Click Create group.
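The naming rules above, turned into a checker you can run before calling the API or scripting group creation. This is an added example, not code from the Yandex Cloud documentation; the function names are my own.

```python
import re

# Group name rules stated in the Identity Hub documentation:
# 1 to 63 characters; lowercase Latin letters, digits and hyphens only;
# must start with a letter; must not end with a hyphen.
# The regex covers everything except the length limit, which is checked separately.
GROUP_NAME_RE = re.compile(r"^[a-z]([a-z0-9-]*[a-z0-9])?$")


def validate_group_name(name: str) -> list[str]:
    """Return every rule the name violates; an empty list means the name is valid."""
    problems = []
    if not 1 <= len(name) <= 63:
        problems.append("length must be between 1 and 63 characters")
    if re.fullmatch(r"[a-z0-9-]*", name) is None:
        problems.append("only lowercase Latin letters, digits and hyphens are allowed")
    if re.match(r"[a-z]", name) is None:
        problems.append("must start with a lowercase Latin letter")
    if name.endswith("-"):
        problems.append("must not end with a hyphen")
    return problems


def is_valid_group_name(name: str) -> bool:
    """Single-shot check equivalent to validate_group_name(name) == []."""
    return len(name) <= 63 and GROUP_NAME_RE.fullmatch(name) is not None


if __name__ == "__main__":
    # Constructed sample names: a valid one and several that break one rule each.
    for candidate in ["sre-oncall", "Sre-Oncall", "1st-team", "devops-", "a" * 64]:
        print(f"{candidate[:20]!r:24} {validate_group_name(candidate) or 'OK'}")
```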
Add the user to the group
- Log in to Yandex Identity Hub.
- In the left-hand panel, select Groups and click the row with the name of the group you need.
- Navigate to the Members tab.
- Click Add member.
- In the window that opens, select the users or service accounts. You may want to use the search feature.
- Click Save.
Manage access
Assign a role to a user
To grant access to a resource, assign a role for the resource to the user. You can assign roles for an organization, cloud, or folder. The roles assigned to organizations, clouds, and folders also apply to their nested resources.
You can also assign roles to users to manage individual Yandex Cloud services using Yandex Identity and Access Management.
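A small model of the access model described above: roles bound on an organization, cloud, or folder are inherited by the resources nested under it, and a user holds the roles bound to every group they belong to, including the system group "All users in organization X". This is an added example, not code from Yandex Cloud; the resource names, users, and bindings are constructed sample data.

```python
# Constructed hierarchy: folder -> cloud -> organization (None = top of the tree).
PARENT = {"folder-prod": "cloud-main", "cloud-main": "org-acme", "org-acme": None}

# Constructed organization membership and user groups.
ORG_USERS = {"org-acme": {"alice", "bob", "carol", "dave"}}
GROUP_MEMBERS = {"devops": {"alice", "bob"}}

# Constructed access bindings: resource -> [(subject, role)].
# "group:all-users:<org>" stands in for the system group "All users in organization X".
BINDINGS = {
    "org-acme": [("group:all-users:org-acme", "viewer")],
    "cloud-main": [("group:devops", "editor")],
    "folder-prod": [("user:carol", "admin")],
}


def subjects_for(user: str) -> set[str]:
    """Every subject a binding may name that resolves to this user."""
    subjects = {f"user:{user}"}
    subjects |= {f"group:{g}" for g, members in GROUP_MEMBERS.items() if user in members}
    subjects |= {f"group:all-users:{org}" for org, users in ORG_USERS.items() if user in users}
    return subjects


def effective_roles(user: str, resource: str) -> set[str]:
    """Roles the user holds on resource: its own bindings plus those of every ancestor."""
    subjects = subjects_for(user)
    roles: set[str] = set()
    node = resource
    while node is not None:          # walk folder -> cloud -> organization
        for subject, role in BINDINGS.get(node, []):
            if subject in subjects:
                roles.add(role)
        node = PARENT[node]
    return roles


if __name__ == "__main__":
    for user in ["alice", "carol", "dave", "eve"]:
        print(user, sorted(effective_roles(user, "folder-prod")))
```

Note that inheritance is downward only: carol's admin binding on folder-prod gives her nothing extra on cloud-main.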
To assign a role to a user:
- Log in to Yandex Identity Hub with an administrator or organization owner account.
- In the left-hand panel, select Access bindings.
- If the user already has at least one role, open the menu in the row with this user and select Assign bindings. If the user is not on the list, click Assign bindings in the top-right corner. In the window that opens, select a user from the list or use the search bar.
- Click Add role and select the role you want to assign to the user. You can assign multiple roles. You can find the description of the available roles in the Yandex Cloud role reference in the Yandex Identity and Access Management documentation.
- Click Save.
Assign a role for a cloud or folder to a user group
- Log in to the management console with the cloud administrator or owner account.
- On the left side of the screen, click the line with the name of the cloud or folder for which you want to assign a role to a user group.
- At the top of the screen, go to the Access bindings tab and click Configure access. In the window that opens:
  - Go to the Groups tab and select the group you need or search by group name.
    You can also assign a role to one of the system groups:
    - All users in organization X: the group includes all users in organization X.
    - All users in federation N: the group includes all users in federation N.
  - Click Add role and select the role you want to assign to the group for the cloud or folder you selected earlier. You can assign multiple roles.
  - Click Save.
Assign a role for an organization to a user group
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, select Access bindings.
- At the top right, click Assign bindings.
- Go to the Groups tab and select the group you need or search by group name.
  You can also assign a role to one of the system groups:
  - All users in organization X: the group includes all users in organization X.
  - All users in federation N: the group includes all users in federation N.
- Click Add role and select the role for the organization you want to assign to the group. You can assign multiple roles.
- Click Save.
Additional features
Create an identity federation
If your company has a user and access management system (e.g., Active Directory or Google Workspace), you can use it to authenticate employees in Yandex Identity Hub. This way, employees will access Yandex Cloud services using their corporate accounts.
For more information, see Identity federation.
Enable access via OS Login
With OS Login, you can manage SSH access to VMs by relying solely on the Yandex Identity and Access Management mechanisms. There is no need to upload SSH keys to each new VM when creating it. You can use OS Login to access both Yandex Compute Cloud VM instances and individual nodes in node groups within Yandex Managed Service for Kubernetes clusters.
OS Login benefits:
- Instant update of user access permissions within a VM when roles are revoked or assigned. If you revoke a user's roles, the user loses access to all VMs with OS Login access enabled.
- Multiple ways to access VMs: you can use both short-lived SSH certificates and SSH keys, including those added to the organization user profile.
For more information, see OS Login.