© 2025 Direct Cursus Technology L.L.C.
Deleting a Yandex account from an organization

Written by
Yandex Cloud
Updated at March 31, 2025
  • Primary actions
  • Additional measures
  • Response to federation failure
  • Actions following federation recovery

This guide describes how to delete a privileged Yandex account, one holding the organization-manager.organizations.owner role, from an organization.

This may be necessary if you require full control over how a privileged account authenticates. Here, a privileged account is an account that has full privileges to an organization and all of the organization's resources.

You can delete a privileged account if you have previously granted the organization-manager.organizations.owner role to a federated account. However, this creates the risk that, should the federation fail (on the cloud or client side), none of the federated accounts will be able to manage the organization.

The guide covers actions that mitigate the risks related to federation failure.

Primary actions

  1. Create a federation.

  2. Verify federation functionality by logging in as a federated user.

  3. Assign the organization-manager.organizations.owner role to a federated user:

    CLI
    yc organization-manager organization add-access-binding \
        --id=<organization_ID> \
        --subject=federatedUser:<federated_account_ID> \
        --role=organization-manager.organizations.owner
    
  4. Create a service cloud called security.

  5. Assign the admin role for the security cloud to security officers to enable them to recover access to the cloud if the federation fails.

  6. Create a service account in the security cloud as a way to recover access to the organization in an emergency.

    If you are using an existing service account, make sure it does not have static or API keys.

    CLI
    yc iam api-key list --service-account-id=<service_account_ID> 
    yc iam access-key list --service-account-id=<service_account_ID> 
    

    Warning

    A security officer who controls the service account that holds the organization-manager.organizations.owner role can escalate their own privileges up to that role. Make sure that only security officers have administrator access to the security cloud and to the service account; list the current bindings on the service account with the command below:

    CLI
    yc iam service-account list-access-bindings --id <service_account_ID>
    

    Remember that a service account can be controlled by any user with the admin role for the folder, cloud, or organization hosting that service account. Thus, after gaining control of the service account, users will be able to perform any actions in the organization, including granting themselves various roles up to that of organization-manager.organizations.owner. Make sure that only trusted users have the admin role for the service account as well as for the folder, cloud, and organization hosting this account.

  7. Assign the organization-manager.organizations.owner role to the service account:

    CLI
    yc organization-manager organization add-access-binding \
        --id=<organization_ID> \
        --service-account-id=<service_account_ID> \
        --role=organization-manager.organizations.owner
    
  8. Create an authorized key for the service account.

  9. Save the key file in trusted storage.

  10. Delete the organization-manager.organizations.owner role for the Yandex account using the console or the command-line interface:

    CLI
    yc organization-manager organization remove-access-binding \
        --id=<organization_ID> \
        --user-account-id=<Yandex_account_ID> \
        --role=organization-manager.organizations.owner 
    
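A pre-flight check for step 10, added here as an example (not Yandex Cloud's own tooling): before the Yandex account's owner role is removed, it verifies that the state built up in steps 3, 6 and 7 actually holds. The input is assumed to be in the shape of `yc ... list-access-bindings --format json` and `yc iam api-key list` / `yc iam access-key list --format json` output (one object with `role_id` and `subject.{id,type}` per binding); adjust the field names if your CLI version differs. All IDs are constructed.

```python
OWNER = "organization-manager.organizations.owner"

def check_before_removal(state, yandex_account_id, trusted_admins):
    """Return problems found; an empty list means steps 3, 6 and 7 are satisfied."""
    problems = []
    owners = {(b["subject"]["type"], b["subject"]["id"])
              for b in state["org_bindings"] if b["role_id"] == OWNER}
    # Step 3: a federated user must already hold the owner role.
    if not any(kind == "federatedUser" for kind, _ in owners):
        problems.append("no federated user holds " + OWNER)
    # Step 7: the break-glass service account must hold it too.
    if not any(kind == "serviceAccount" for kind, _ in owners):
        problems.append("no service account holds " + OWNER)
    # Step 6: the service account must carry no API or static access keys.
    if state["sa_api_keys"] or state["sa_access_keys"]:
        problems.append("service account has %d API key(s) and %d static key(s)"
                        % (len(state["sa_api_keys"]), len(state["sa_access_keys"])))
    # Step 6 warning: only security officers may have admin on the service account.
    for b in state["sa_bindings"]:
        if b["role_id"] == "admin" and b["subject"]["id"] not in trusted_admins:
            problems.append("untrusted admin on service account: " + b["subject"]["id"])
    # Step 10 sanity check: the account being stripped must actually be an owner.
    if ("userAccount", yandex_account_id) not in owners:
        problems.append("Yandex account %s does not hold %s" % (yandex_account_id, OWNER))
    return problems

# Constructed sample (not real IDs) in the assumed shape of `yc ... --format json`
# output: one {"role_id", "subject": {"id", "type"}} object per binding.
STATE = {
    "org_bindings": [
        {"role_id": OWNER, "subject": {"id": "ajeEXAMPLEyandex", "type": "userAccount"}},
        {"role_id": OWNER, "subject": {"id": "bfbEXAMPLEfed", "type": "federatedUser"}},
        {"role_id": OWNER, "subject": {"id": "ajeEXAMPLEsa", "type": "serviceAccount"}},
    ],
    "sa_bindings": [
        {"role_id": "admin", "subject": {"id": "ajeEXAMPLEofficer", "type": "userAccount"}},
    ],
    "sa_api_keys": [],     # from: yc iam api-key list --service-account-id=...
    "sa_access_keys": [],  # from: yc iam access-key list --service-account-id=...
}
```

Run the check with the set of security officers' account IDs as `trusted_admins`; proceed with step 10 only when it returns an empty list.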

Additional measures

Configure Audit Trails to manage the service and the federated accounts with the organization-manager.organizations.owner role:

  1. Configure the collection of audit logs at the organization level in Yandex Audit Trails.

  2. Make sure you track at least the following events (in Object Storage, log group, Managed ELK, and your SIEM):

    • Creating service account keys (events: yandex.cloud.audit.iam.CreateAccessKey, yandex.cloud.audit.iam.CreateKey, yandex.cloud.audit.iam.CreateApiKey, and authentication.subject_id = <service_account_ID>).
    • Assigning access permissions to the service account (event: UpdateServiceAccountAccessBindings and details.service_account_id = <service_account_ID>).
    • Any action using the organization-manager.organizations.owner permissions (authentication.subject_id = <ID_of_user_with_these_permissions>).

You can use Managed ELK to analyze and respond to events in Audit Trails.
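The three tracked events above, expressed as detection logic over Audit Trails records, added here as an example (not part of the article or of Managed ELK). It reads newline-delimited JSON and uses only the field names the article names (`event_type`, `authentication.subject_id`, `details.service_account_id`); the sample records and all IDs are constructed, and the full name assumed for the bindings event is matched by suffix in case the prefix differs.

```python
import json

# Constructed identifiers for the example (not real Yandex Cloud IDs).
BREAK_GLASS_SA = "ajeEXAMPLEsa"                     # service account from step 6
OWNER_SUBJECTS = {"bfbEXAMPLEfed", BREAK_GLASS_SA}  # holders of the owner role

KEY_EVENTS = {"yandex.cloud.audit.iam.CreateAccessKey",
              "yandex.cloud.audit.iam.CreateKey",
              "yandex.cloud.audit.iam.CreateApiKey"}

def classify(event):
    """Return alert tags for one Audit Trails event; an empty list means nothing to flag."""
    tags = []
    etype = event.get("event_type", "")
    subject = event.get("authentication", {}).get("subject_id")
    target_sa = event.get("details", {}).get("service_account_id")
    # Key creation: the article keys on authentication.subject_id; checking
    # details.service_account_id as well catches a key minted by another principal.
    if etype in KEY_EVENTS and BREAK_GLASS_SA in (subject, target_sa):
        tags.append("sa-key-created")
    # Access bindings on the break-glass service account changed.
    if etype.endswith("UpdateServiceAccountAccessBindings") and target_sa == BREAK_GLASS_SA:
        tags.append("sa-bindings-changed")
    # Any action performed under an identity that holds the owner role.
    if subject in OWNER_SUBJECTS:
        tags.append("owner-activity")
    return tags

def scan(ndjson_lines):
    """Run classify() over NDJSON lines; return (event_type, subject_id, tags) for hits only."""
    hits = []
    for line in ndjson_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        tags = classify(ev)
        if tags:
            hits.append((ev.get("event_type"), ev.get("authentication", {}).get("subject_id"), tags))
    return hits

# Constructed sample records shaped like Audit Trails events (field names from the article).
SAMPLE_LOG = [
    json.dumps({"event_type": "yandex.cloud.audit.iam.CreateApiKey",
                "authentication": {"subject_id": "ajeEXAMPLEofficer"},
                "details": {"service_account_id": BREAK_GLASS_SA}}),
    json.dumps({"event_type": "yandex.cloud.audit.iam.UpdateServiceAccountAccessBindings",
                "authentication": {"subject_id": "ajeEXAMPLEofficer"},
                "details": {"service_account_id": BREAK_GLASS_SA}}),
    json.dumps({"event_type": "yandex.cloud.audit.iam.CreateAccessKey",
                "authentication": {"subject_id": "bfbEXAMPLEfed"},
                "details": {"service_account_id": "ajeEXAMPLEother"}}),
    json.dumps({"event_type": "yandex.cloud.audit.iam.CreateApiKey",
                "authentication": {"subject_id": "ajeEXAMPLEdev"},
                "details": {"service_account_id": "ajeEXAMPLEother"}}),
]
```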

Response to federation failure

  1. Access the authorized key saved in trusted storage.

  2. Authenticate as a service account.

  3. Do one of the following:

    • Either assign the organization-manager.organizations.owner role to the Yandex account and use this account to restore the federation.
    • Or restore the federation from the command-line interface (CLI).
  4. Verify access as a federated user.

Actions following federation recovery

  1. If the Yandex account was assigned the organization-manager.organizations.owner role during recovery, revoke this role.
  2. Create a new authorized key for the service account and save it to trusted storage.
