yc iam
Статья создана
Обновлена 7 ноября 2025 г.
Manage Yandex Identity and Access Manager resources
Command Usage
Syntax:
yc iam <group|command>
Command Tree
- yc iam create-id-token — Create ID token and print to STDOUT
- yc iam create-token — Create IAM token and print to STDOUT
- yc iam revoke-token — Revoke IAM token
- yc iam whoami — Print currently authenticated subject to STDOUT
- yc iam access-analyzer — Manage access analyzer
- yc iam access-analyzer list-subject-access-bindings — List access bindings for the specified subject
- yc iam access-key — Manage service account access keys
- yc iam access-key create — Create an access key for the specified service account
- yc iam access-key delete — Delete the specified access key
- yc iam access-key get — Show information about the specified access key
- yc iam access-key list — List access keys for the specified service account
- yc iam access-policy-template — Manage access policy templates
- yc iam access-policy-template list — List available access policy templates
- yc iam api-key — Manage service account API keys
- yc iam api-key create — Create an API key for the specified service account
- yc iam api-key delete — Delete the specified API key
- yc iam api-key get — Show information about the specified API key
- yc iam api-key list — List API keys for the specified service account
- yc iam api-key list-scopes — List of scopes
- yc iam api-key update — Update an API key for the specified service account
- yc iam key — Manage IAM keys
- yc iam key create — Create an IAM key for for authenticated account or the specified service account
- yc iam key delete — Delete the specified IAM key
- yc iam key get — Show information about the specified IAM key
- yc iam key list — List IAM keys for authenticated account or the specified service account
- yc iam oauth-client — Manage oauth-clients
- yc iam oauth-client create — Create an oauth-client in the specified folder
- yc iam oauth-client delete — Delete the specified oauth-client
- yc iam oauth-client get — Show information about state of a specified oauth-client
- yc iam oauth-client list — List oauth-clients in the specified folder
- yc iam oauth-client update — Update the specified oauth-client
- yc iam oauth-client-secret — Manage oauth-client secrets
- yc iam oauth-client-secret create — Create a secret for the specified oauth-client
- yc iam oauth-client-secret delete — Delete the specified oauth-client secret
- yc iam oauth-client-secret get — Show information about state of a specified oauth-client secret
- yc iam oauth-client-secret list — List secrets of the specified oauth-client
- yc iam refresh-token — Manage refresh tokens
- yc iam refresh-token list — List subjects Refresh Tokens
- yc iam refresh-token revoke — Revoke subjects Refresh Tokens. Refresh Tokens can be revoked by refresh token, refresh token id, or a group of subject id, client id and client instance info. If none of the flags are set, all Refresh Tokens for the authenticated user will be revoked.
- yc iam role — Manage roles
- yc iam role get — Show information about the specified role
- yc iam role list — List roles
- yc iam service-account — Manage service accounts
- yc iam service-account add-access-binding — Add access binding to ACCESS the specified service account as a resource. To configure service account access to a resource use add-access-binding command for the corresponding resource
- yc iam service-account add-labels — Add labels to specified service account
- yc iam service-account create — Create a service account
- yc iam service-account delete — Delete the specified service account
- yc iam service-account get — Show information about the specified service account
- yc iam service-account list — List service accounts
- yc iam service-account list-access-bindings — List access bindings for ACCESSING the specified service account. To determine if a service account has an access to a resource, use list-access-bindings command for the corresponding resource
- yc iam service-account list-operations — List operations for the specified service account
- yc iam service-account remove-access-binding — Remove access binding for ACCESSING the specified service account as a resource. To configure service account access to a resource use remove-access-binding command for the corresponding resource
- yc iam service-account remove-labels — Remove labels from specified service account
- yc iam service-account set-access-bindings — Set access bindings for ACCESSING the specified service account and DELETE all existing access bindings for all accounts if there were any. To configure service account access to a resource use set-access-bindings command for the corresponding resource
- yc iam service-account update — Update the specified service account
- yc iam service-control — Manage service access to cloud
- yc iam service-control disable — Disable service access to cloud
- yc iam service-control enable — Enable service access to cloud
- yc iam service-control get — Show information about state of specified service
- yc iam service-control list — List service states
- yc iam user-account — Manage user accounts
- yc iam user-account get — Show information about the specified user account
- yc iam workload-identity — Manage workload identity
Global Flags
| Flag | Description |
|---|---|
--profile |
stringSet the custom configuration file. |
--debug |
Debug logging. |
--debug-grpc |
Debug gRPC logging. Very verbose, used for debugging connection problems. |
--no-user-output |
Disable printing user intended output to stderr. |
--retry |
intEnable gRPC retries. By default, retries are enabled with maximum 5 attempts. Pass 0 to disable retries. Pass any negative value for infinite retries. Even infinite retries are capped with 2 minutes timeout. |
--cloud-id |
stringSet the ID of the cloud to use. |
--folder-id |
stringSet the ID of the folder to use. |
--folder-name |
stringSet the name of the folder to use (will be resolved to id). |
--endpoint |
stringSet the Cloud API endpoint (host:port). |
--token |
stringSet the OAuth token to use. |
--impersonate-service-account-id |
stringSet the ID of the service account to impersonate. |
--no-browser |
Disable opening browser for authentication. |
--format |
stringSet the output format: text (default), yaml, json, json-rest. |
--jq |
stringQuery to select values from the response using jq syntax |
-h,--help |
Display help for the command. |