Managing folder access policies
Note
This feature is in the Preview stage. To get access, contact tech support or your account manager.
Access policies are a Yandex Identity and Access Management mechanism that allows you to manage permissions for specific operations with Yandex Cloud resources. Access policies are based on templates and complement the role system for more flexible access management.
A folder’s access policies can be managed by users with the resource-manager.admin or admin role for the folder.
Creating an access policy for a folder
To create a folder access policy from a template without additional parameters:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
-
Get a list of supported access policy templates with their IDs.
-
Run this command:
yc resource-manager folder bind-access-policy \ --name <folder_name> \ --access-policy-template-id=<policy_template_ID>Where:
--name: Name of the folder to create the policy for. Instead of the folder name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the template to use as the basis for the new access policy for the folder.
-
Make sure the policy was created.
Use the bindAccessPolicy REST API method for the Folder resource or the FolderService/BindAccessPolicy gRPC API call.
The created access policy will apply to all resources in the specified folder.
Viewing the list of your folder’s access policies
To view a list of access policies created for a folder:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
Run this command by specifying the name or ID of the folder for which you want to view the new policies:
yc resource-manager folder list-access-policy-bindings <folder_name_or_ID>
Result:
+---------------------------------------+
| ACCESS POLICY TEMPLATE ID |
+---------------------------------------+
| iam.denyServiceAccountApiKeysCreation |
+---------------------------------------+
Use the listAccessPolicyBindings REST API method for the Folder resource or the FolderService/ListAccessPolicyBindings gRPC API call.
Deleting an access policy created for a folder
To delete an access policy created for a folder:
If you do not have the Yandex Cloud CLI yet, install and initialize it.
-
Get a list of IDs of access policy templates assigned for the folder.
-
Run this command:
yc resource-manager folder unbind-access-policy \ --name <folder_name> \ --access-policy-template-id=<policy_template_ID>Where:
--name: Name of the folder that you want to delete the policy for. Instead of the folder name, you can provide its ID in the--idparameter.--access-policy-template-id: ID of the access policy template you want to delete for the specified folder.
-
Make sure the policy was deleted.
Use the unbindAccessPolicy REST API method for the Folder resource or the FolderService/UnbindAccessPolicy gRPC API call.
The specified access policy will no longer apply to resources in the specified folder.