Managing access with Yandex Identity and Access Management
Object Storage incorporates several access management mechanisms. To learn how these mechanisms interact, see Access management methods in Object Storage: Overview.
In this section, you will learn:
Access management
Yandex Identity and Access Management checks all operations in Yandex Cloud. If an entity does not have required permissions, IAM returns an error.
To grant permissions for a resource, assign the relevant resource roles to an entity performing operations. You can assign roles to a Yandex account, service account, local user, federated user, user group, system group, or public group. For more information, see How access management works in Yandex Cloud.
Roles for a resource can be assigned by users who have the storage.admin role or one of the following roles for that resource:
- admin
- resource-manager.admin
- organization-manager.admin
- resource-manager.clouds.owner
- organization-manager.organizations.owner
Which resources you can assign a role for
You can use the management console
To learn how to manage access to buckets and objects in them, see Access control list (ACL).
Which roles exist in the service
The chart below shows the service roles and how they inherit permissions. For example, editor inherits all viewer permissions. You can find role descriptions below the chart.
Service roles
storage.viewer
The storage.viewer role allows you to read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas.
Users with this role can:
- View the list of buckets.
- View the lists of objects in buckets, object info and content.
- View info on access permissions assigned for buckets and objects inside them.
- View bucket CORS configuration info.
- View bucket static website hosting configuration info.
- View bucket access protocol info.
- View bucket action logging settings.
- View bucket versioning settings.
- View bucket encryption settings.
- View bucket default storage class info.
- View bucket labels.
- View bucket region info.
- View object lifecycle configuration info.
- View lists of object versions and version info.
- View object version locks info.
- View object and object version labels.
- View info on current multipart uploads of objects and their parts.
- View cloud, folder, and Object Storage statistics.
- View info on Object Storage quotas.
- View folder info.
storage.configViewer
The storage.configViewer role allows you to view the settings of buckets and the objects in them, but not the data stored in the bucket.
Users with this role can:
- View the list of buckets and lists of objects in buckets without access to object content.
- View info on access permissions assigned for buckets and objects inside them.
- View bucket access policy info.
- View bucket CORS configuration info.
- View bucket static website hosting configuration info.
- View bucket access protocol info.
- View bucket action logging settings.
- View bucket versioning settings.
- View bucket region info.
- View object version locks info.
- View lists of object versions in buckets.
- View bucket encryption settings.
- View bucket default storage class info.
- View bucket labels.
- View object lifecycle configuration info.
- View info on current multipart uploads of objects and their parts.
- View cloud, folder, and Object Storage statistics.
- View folder info.
storage.configurer
The storage.configurer role allows you to manage object lifecycle, static website hosting, access policy, and CORS settings. It does not allow you to manage access control list (ACL) or public access settings, nor does it provide access to bucket data.
Users with this role can:
- View bucket access policy info, create, modify, and delete bucket access policies.
- View bucket CORS configuration info and modify the CORS configuration.
- View bucket static website hosting configuration info and modify the static website hosting configuration.
- View bucket access protocol info and change the access protocol.
- View bucket action logging settings and change the logging settings.
- View bucket encryption settings and change the encryption settings.
- View bucket region info.
- View object lifecycle configuration info and change the lifecycle configuration.
- View bucket versioning settings.
- View folder info.
storage.uploader
The storage.uploader role allows you to upload objects into buckets with or without overwriting the previously uploaded ones, read data in buckets, view info on buckets and objects inside them, as well as info on the Object Storage folder and quotas. The role does not allow you to delete objects or configure buckets.
Users with this role can:
- View the list of buckets.
- View the lists of objects in buckets, object info and content.
- Upload objects into a bucket.
- View info on access permissions assigned for buckets and objects inside them.
- View bucket CORS configuration info.
- View bucket static website hosting configuration info.
- View bucket access protocol info.
- View bucket action logging settings.
- View bucket versioning settings.
- View bucket encryption settings.
- View bucket default storage class info.
- View bucket labels.
- View bucket region info.
- View object lifecycle configuration info.
- View lists of object versions and version info.
- View info on object version locks and set up such locks.
- View object and object version labels, modify such labels.
- View info on current multipart uploads of objects and their parts, delete partially uploaded objects.
- View cloud, folder, and Object Storage statistics.
- View info on Object Storage quotas.
- View folder info.
This role includes the storage.viewer permissions.
storage.editor
The storage.editor role allows any operations with buckets and objects: creating, deleting, and editing them. The role does not allow managing access control list (ACL) settings or creating public buckets.
Users with this role can:
- View the list of buckets, create and delete buckets.
- View the lists of objects in buckets, object info and content.
- View info on access permissions assigned for buckets and objects inside them.
- Upload objects into a bucket, delete objects and object versions.
- View bucket CORS configuration info and modify the CORS configuration.
- View bucket static website hosting configuration info and modify the static website hosting configuration.
- View bucket access protocol info and change the access protocol.
- View bucket action logging settings and change the logging settings.
- View bucket versioning settings.
- View bucket encryption settings and change the encryption settings.
- View bucket default storage class info, change the default storage class.
- View and modify bucket labels.
- View bucket region info.
- View object lifecycle configuration info and change the lifecycle configuration.
- View lists of object versions and version info.
- Restore object versions in versioning-enabled buckets.
- View info on object version locks and set up such locks.
- View object and object version labels, modify and delete such labels.
- View info on current multipart uploads of objects and their parts, delete partially uploaded objects.
- View cloud, folder, and Object Storage statistics.
- View info on Object Storage quotas.
- View folder info.
This role includes the storage.uploader permissions.
storage.admin
The storage.admin role allows you to manage Object Storage.
Users with this role can:
- View the list of buckets.
- Create buckets, including public ones, and delete buckets.
- View the lists of objects in buckets, object info and content.
- View info on access permissions assigned for buckets and objects inside them, modify access permissions for buckets and objects.
- View bucket access policy info, create, modify, and delete bucket access policies.
- Assign an access control list (ACL).
- Set up access to a bucket via a service connection from a Virtual Private Cloud.
- Upload objects into a bucket, delete objects and object versions.
- View bucket CORS configuration info and modify the CORS configuration.
- View bucket static website hosting configuration info and modify the static website hosting configuration.
- View bucket access protocol info and change the access protocol.
- View bucket action logging settings and change the logging settings.
- View bucket versioning settings and change the versioning settings.
- View bucket encryption settings and change the encryption settings.
- View bucket default storage class info, change the default storage class.
- View and modify bucket labels.
- View bucket region info.
- View object lifecycle configuration info and change the lifecycle configuration.
- View lists of object versions and version info.
- Restore object versions in versioning-enabled buckets.
- View info on object version locks and set up such locks.
- Bypass governance-mode retention.
- View object and object version labels, modify and delete such labels.
- View info on current multipart uploads of objects and their parts, delete partially uploaded objects.
- View cloud, folder, and Object Storage statistics.
- View info on Object Storage quotas.
- View folder info.
This role includes the storage.editor, storage.configViewer, and storage.configurer permissions.
Primitive roles
Primitive roles allow users to perform actions in all Yandex Cloud services.
auditor
The auditor role grants permission to read the configuration and metadata of any Yandex Cloud resource, without any access to data.
For instance, users with this role can:
- View info on a resource.
- View the resource metadata.
- View the list of operations with a resource.
auditor is the most secure role, as it does not grant any access to service data. It suits users who need minimal access to Yandex Cloud resources.
viewer
The viewer role grants permission to read information on any Yandex Cloud resource.
This role includes the auditor permissions.
Unlike auditor, the viewer role provides access to service data in read mode.
editor
The editor role provides permissions to manage any Yandex Cloud resources, except for assigning roles to other users, transferring organization ownership, removing an organization, and deleting Key Management Service encryption keys.
For instance, users with this role can create, modify, and delete resources.
This role includes the viewer permissions.
admin
The admin role enables assigning any roles, except for resource-manager.clouds.owner and organization-manager.organizations.owner, and provides permissions to manage any Yandex Cloud resources (except for transferring organization ownership and removing an organization).
Before assigning the admin role for an organization, cloud, or billing account, review the information on protecting privileged accounts.
This role includes the editor permissions.
Instead of primitive roles, we recommend using service roles with more granular access control, allowing you to implement the least privilege principle.
For more information about primitive roles, see the Yandex Cloud role reference.
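The least-privilege recommendation above can be made mechanical. The following added example (not Yandex Cloud's own code) condenses the role descriptions on this page into capability sets, picks the narrowest storage.* role for a task, reports what a broader role grants beyond that task, and flags access bindings that use primitive roles or storage.admin. Operation names are my own shorthand, and the binding records are constructed and assume the roleId/subject shape of the IAM AccessBinding API.

```python
# Added example, not Yandex Cloud's own code: capability sets condensed from the
# role descriptions on this page, with inheritance as stated there (uploader
# includes viewer, editor includes uploader, admin includes editor,
# configViewer and configurer). Operation names are my own shorthand.
VIEWER = {"list_buckets", "read_objects", "view_config"}
CONFIG_VIEWER = {"list_buckets", "view_config", "view_access_policy"}
CONFIGURER = {"view_config", "view_access_policy", "edit_access_policy",
              "edit_cors", "edit_website", "edit_lifecycle", "edit_encryption"}
UPLOADER = VIEWER | {"upload_objects", "set_version_locks"}
EDITOR = UPLOADER | {"create_buckets", "delete_buckets", "delete_objects",
                     "edit_cors", "edit_website", "edit_lifecycle", "edit_encryption"}
ADMIN = EDITOR | CONFIG_VIEWER | CONFIGURER | {"manage_acl", "create_public_buckets",
                                               "edit_versioning", "bypass_governance_retention"}
SERVICE_ROLES = {
    "storage.viewer": VIEWER, "storage.configViewer": CONFIG_VIEWER,
    "storage.configurer": CONFIGURER, "storage.uploader": UPLOADER,
    "storage.editor": EDITOR, "storage.admin": ADMIN,
}
# Primitive roles span every Yandex Cloud service; the page recommends
# service roles instead, so an audit flags them.
PRIMITIVE_ROLES = {"auditor", "viewer", "editor", "admin"}


def min_service_role(required):
    """Narrowest service role whose capabilities cover every required operation."""
    fits = [(len(caps), name) for name, caps in SERVICE_ROLES.items() if set(required) <= caps]
    return min(fits)[1] if fits else None


def excess(role, required):
    """Operations the role grants beyond what the task needs (the least-privilege gap)."""
    return SERVICE_ROLES[role] - set(required)


def audit_bindings(bindings):
    """Flag primitive roles and roles that can change who has access to data."""
    # Assumption: each binding carries roleId and subject{type,id} like the IAM API.
    findings = []
    for b in bindings:
        who = f'{b["subject"]["type"]}:{b["subject"]["id"]}'
        if b["roleId"] in PRIMITIVE_ROLES:
            findings.append((who, b["roleId"], "primitive role, prefer a storage.* role"))
        elif b["roleId"] == "storage.admin":
            findings.append((who, b["roleId"], "can assign ACLs and create public buckets"))
    return findings


# Constructed sample bindings with placeholder subject ids.
SAMPLE_BINDINGS = [
    {"roleId": "editor", "subject": {"type": "serviceAccount", "id": "sa-backup-EXAMPLE"}},
    {"roleId": "storage.admin", "subject": {"type": "userAccount", "id": "user-ops-EXAMPLE"}},
    {"roleId": "storage.uploader", "subject": {"type": "serviceAccount", "id": "sa-ci-EXAMPLE"}},
]
```

A lifecycle-only task resolves to storage.configurer rather than storage.editor, which is exactly the point of the configurer role: configuration without access to bucket data.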