Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Managing cloud access policies

Written by
Updated at April 3, 2026

Note

This feature is in the Preview stage. To get access, contact tech support or your account manager.

Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with Yandex Cloud resources. Access policies are based on templates and complement the role system for more flexible access management.

The cloud access policies can be managed by users with the resource-manager.admin or admin role for the cloud.

Creating an access policy for a cloud

To create an access policy for a cloud based on a template without additional parameters:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Get a list of supported access policy templates with their IDs.

  2. Run this command:

    yc resource-manager cloud bind-access-policy \
  --name <cloud_name> \
  --access-policy-template-id=<policy_template_ID>

    Where:

    • --name: Name of the cloud to create the policy for. Instead of the cloud name, you can provide its ID in the --id parameter.
    • --access-policy-template-id: ID of the template to use as the basis for the new access policy for the cloud.

  3. Make sure the policy was created.

Use the bindAccessPolicy REST API method for the Cloud resource or the CloudService/BindAccessPolicy gRPC API call.

The new access policy will apply to resources within all folders in the specified cloud.

Viewing the list of your cloud's access policies

To view the list of cloud access policies:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

Run the command, specifying the name or ID of the cloud for which you want to view the created policies:

yc resource-manager cloud list-access-policy-bindings <cloud_name_or_ID>

Result:

+---------------------------------------+
|      ACCESS POLICY TEMPLATE ID        |
+---------------------------------------+
| iam.denyServiceAccountApiKeysCreation |
+---------------------------------------+

Use the listAccessPolicyBindings REST API method for the Cloud resource or the CloudService/ListAccessPolicyBindings gRPC API call.

Deleting an access policy created for a cloud

To delete an access policy created for a cloud:

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Get a list of IDs of access policy templates assigned for the cloud.

  2. Run this command:

    yc resource-manager cloud unbind-access-policy \
  --name <cloud_name> \
  --access-policy-template-id=<policy_template_ID>

    Where:

    • --name: Name of the cloud that you want to delete the policy for. Instead of the cloud name, you can provide its ID in the --id parameter.
    • --access-policy-template-id: ID of the access policy template you want to delete from the specified cloud.

  3. Make sure the policy was deleted.

Use the unbindAccessPolicy REST API method for the Cloud resource or the CloudService/UnbindAccessPolicy gRPC API call.

The specified access policy will no longer apply to resources within all folders in the given cloud.

See also

Previous
Canceling cloud deletion
Next
Setting up access rights