# Configuring GPU cluster access permissions


To grant a user, group, or [service account](../../../iam/concepts/users/service-accounts.md) access to a [GPU cluster](../../concepts/gpus.md), assign a [role](../../../iam/concepts/access-control/roles.md) for it.

## Assigning a role {#add-access}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the GPU cluster.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, click ![image](../../../_assets/horizontal-ellipsis.svg) and select **GPU clusters**.
  1. Select the GPU cluster you need.
  1. Navigate to the ![image](../../../_assets/console-icons/persons.svg) **Access bindings** tab.
  1. Click **Assign roles**.
  1. In the window that opens, select the group, user, or service account you want to grant access to the GPU cluster.
  1. Click ![image](../../../_assets/console-icons/plus.svg) **Add role** and select the required [role](../../security/index.md#roles-list).
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for assigning a role for a GPU cluster:

     ```bash
     yc compute gpu-cluster add-access-binding --help
     ```

  1. Get a list of GPU clusters in the default [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder):

     ```bash
     yc compute gpu-cluster list
     ```

  1. View the roles already assigned for the resource:

     ```bash
     yc compute gpu-cluster list-access-bindings <GPU_cluster_ID>
     ```

  1. Assign a role using this command:

     * To a user:

       ```bash
       yc compute gpu-cluster add-access-binding <GPU_cluster_ID> \
         --user-account-id <user_ID> \
         --role <role>
       ```

       Where:

       * `--user-account-id`: [User ID](../../../organization/operations/users-get.md). Use the `--all-authenticated-users` flag to assign a role to all authenticated users.
       * `--role`: [Role](../../security/index.md#roles-list).

     * To a service account:

       ```bash
       yc compute gpu-cluster add-access-binding <GPU_cluster_ID> \
         --service-account-id <service_account_ID> \
         --role <role>
       ```

       Where:

       * `--service-account-id`: [Service account ID](../../../iam/operations/sa/get-id.md).
       * `--role`: [Role](../../security/index.md#roles-list).

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To assign a role for access to a GPU cluster using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

      ```hcl
      resource "yandex_compute_gpu_cluster_iam_binding" "sa-access" {
        gpu_cluster_id = "<GPU_cluster_ID>"
        role           = "<role>"
        members        = ["<subject_type>:<subject_ID>"]
      }
      ```

      Where:

      * `gpu_cluster_id`: GPU cluster ID.
      * `role`: [Role](../../security/index.md#roles-list).
      * `members`: List of types and IDs of [subjects](../../../iam/concepts/access-control/index.md#subject) getting the role. Use this format: `userAccount:<user_ID>` or `serviceAccount:<service_account_ID>`.

      For more information about `yandex_compute_gpu_cluster_iam_binding` properties, see [this provider guide](../../../terraform/resources/compute_gpu_cluster_iam_binding.md).

  1. Apply the changes:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Terraform will create all the required resources. You can check the updates using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/index.md) command:

       ```bash
       yc compute gpu-cluster list-access-bindings <GPU_cluster_ID>
       ```


- API {#api}

  To assign a role, use the [updateAccessBindings](../../api-ref/GpuCluster/updateAccessBindings.md) REST API method for the [GpuCluster](../../api-ref/GpuCluster/index.md) resource or the [GpuClusterService/UpdateAccessBindings](../../api-ref/grpc/GpuCluster/updateAccessBindings.md) gRPC API call. In the request body, set the `action` property to `ADD` and specify the user type and ID under `subject`.

{% endlist %}

## Assigning multiple roles {#set-access}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the GPU cluster.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, click ![image](../../../_assets/horizontal-ellipsis.svg) and select **GPU clusters**.
  1. Select the GPU cluster you need.
  1. Navigate to the ![image](../../../_assets/console-icons/persons.svg) **Access bindings** tab.
  1. Click **Assign roles**.
  1. In the window that opens, select the group, user, or service account you want to grant access to the GPU cluster.
  1. Click ![image](../../../_assets/console-icons/plus.svg) **Add role** and select the required [role](../../security/index.md#roles-list).
  1. To add another role, click ![image](../../../_assets/console-icons/plus.svg) **Add role**.
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  You can assign multiple roles using the `set-access-bindings` command.

  {% note alert %}
  
  The `set-access-bindings` command completely rewrites access permissions for the resource. All current roles for the resource will be deleted.
  
  {% endnote %}

  1. Make sure the resource has no roles assigned that you would not want to lose:

     ```bash
     yc compute gpu-cluster list-access-bindings <GPU_cluster_ID>
     ```

  1. See the description of the CLI command for assigning roles for a GPU cluster:

     ```bash
     yc compute gpu-cluster set-access-bindings --help
     ```

  1. Assign the roles:

     ```bash
     yc compute gpu-cluster set-access-bindings <GPU_cluster_ID> \
       --access-binding role=<role>,subject=<subject_type>:<subject_ID> \
       --access-binding role=<role>,subject=<subject_type>:<subject_ID>
     ```

     Where:

     * `--access-binding`: Parameters for setting access permissions:

       * `role`: [Role](../../security/index.md#roles-list).
       * `subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) the role is assigned to.

     For example, this command will assign roles to multiple users and a single service account:

     ```bash
     yc compute gpu-cluster set-access-bindings my-gpu-cluster \
       --access-binding role=editor,subject=userAccount:gfei8n54hmfh******** \
       --access-binding role=viewer,subject=userAccount:helj89sfj80a******** \
       --access-binding role=editor,subject=serviceAccount:ajel6l0jcb9s********
     ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To assign multiple roles for a GPU cluster using Terraform:

  1. In the Terraform configuration file, describe the resources you want to create:

      ```hcl
      resource "yandex_compute_gpu_cluster_iam_binding" "role1" {
        gpu_cluster_id = "<GPU_cluster_ID>"
        role           = "<role_1>"
        members        = ["<subject_type>:<subject_ID>"]
      }
      
      resource "yandex_compute_gpu_cluster_iam_binding" "role2" {
        gpu_cluster_id = "<GPU_cluster_ID>"
        role           = "<role_2>"
        members        = ["<subject_type>:<subject_ID>"]
      }
      ```

      Where:

      * `gpu_cluster_id`: GPU cluster ID.
      * `role`: [Role](../../security/index.md#roles-list).
      * `members`: List of types and IDs of [subjects](../../../iam/concepts/access-control/index.md#subject) getting the role. Use this format: `userAccount:<user_ID>` or `serviceAccount:<service_account_ID>`.

      For more information about `yandex_compute_gpu_cluster_iam_binding` properties, see [this provider guide](../../../terraform/resources/compute_gpu_cluster_iam_binding.md).

  1. Apply the changes:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      Terraform will create all the required resources. You can check the updates using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/index.md) command:

       ```bash
       yc compute gpu-cluster list-access-bindings <GPU_cluster_ID>
       ```


- API {#api}

  To assign roles for a GPU cluster, use the [setAccessBindings](../../api-ref/GpuCluster/setAccessBindings.md) REST API method for the [GpuCluster](../../api-ref/GpuCluster/index.md) resource or the [GpuClusterService/SetAccessBindings](../../api-ref/grpc/GpuCluster/setAccessBindings.md) gRPC API call.

  {% note alert %}

  The `setAccessBindings` method and the `GpuClusterService/SetAccessBindings` call overwrite all existing access permissions for the resource. All current roles for the resource will be deleted.

  {% endnote %}

{% endlist %}
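Because `set-access-bindings` and `setAccessBindings` replace the whole binding list, it helps to compare the current bindings with the planned ones before running them. The script below is an added example, not part of the original guide or the Yandex Cloud tooling; the function names and the sample subject IDs are constructed, and it assumes you have already exported the current bindings into `role=<role>,subject=<subject_type>:<subject_ID>` lines.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check before `yc compute gpu-cluster set-access-bindings`.
# Bindings are handled one per line, in the same form the --access-binding flag takes:
#   role=<role>,subject=<subject_type>:<subject_ID>
# Exporting the current bindings into this form (for example from the CLI's
# JSON output) is assumed to be done beforehand and is not shown here.

# Strip whitespace, drop blank lines, sort and de-duplicate so sets can be compared.
normalize_bindings() {
  tr -d ' \t\r' | sed '/^$/d' | LC_ALL=C sort -u
}

# Print bindings that exist now ($1) but are missing from the planned set ($2).
# These are exactly the roles the overwrite would revoke.
bindings_lost() (
  current=$(mktemp); planned=$(mktemp)
  normalize_bindings < "$1" > "$current"
  normalize_bindings < "$2" > "$planned"
  LC_ALL=C comm -23 "$current" "$planned"
  rm -f "$current" "$planned"
)

# Return 0 only if the planned set keeps every current binding;
# otherwise list what would be revoked on stderr and return 1.
check_overwrite() {
  lost=$(bindings_lost "$1" "$2")
  if [ -n "$lost" ]; then
    printf 'set-access-bindings would revoke:\n%s\n' "$lost" >&2
    return 1
  fi
}

# Turn a bindings file into repeated --access-binding arguments, one per line.
access_binding_args() {
  normalize_bindings < "$1" | sed 's/^/--access-binding /'
}

# Constructed sample data (not real subject IDs).
sample_current() {
  printf '%s\n' \
    'role=editor,subject=userAccount:constructed-user-1' \
    'role=viewer,subject=userAccount:constructed-user-2' \
    'role=editor,subject=serviceAccount:constructed-sa-1'
}
sample_planned() {
  printf '%s\n' \
    'role=editor,subject=userAccount:constructed-user-1' \
    'role=editor,subject=serviceAccount:constructed-sa-1' \
    'role=viewer,subject=serviceAccount:constructed-sa-2'
}

# Demo: compare the two sample sets and only print the arguments if nothing is lost.
demo_dir=$(mktemp -d)
sample_current > "$demo_dir/current.txt"
sample_planned > "$demo_dir/planned.txt"
if check_overwrite "$demo_dir/current.txt" "$demo_dir/planned.txt"; then
  access_binding_args "$demo_dir/planned.txt"
else
  echo "Aborting: add the bindings listed above to the planned set or confirm the revocation."
fi
rm -rf "$demo_dir"
```

Keep the exported file of current bindings: it doubles as a rollback list if the overwrite removes something by mistake.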

## Revoking a role {#revoke-role}

{% list tabs group=instructions %}

- Management console {#console}

  1. In the [management console](https://console.yandex.cloud), select the folder containing the GPU cluster.
  1. Navigate to **Compute Cloud**.
  1. In the left-hand panel, click ![image](../../../_assets/horizontal-ellipsis.svg) and select **GPU clusters**.
  1. Select the GPU cluster you need.
  1. Navigate to the ![image](../../../_assets/console-icons/persons.svg) **Access bindings** tab.
  1. In the line with the user in question, click ![image](../../../_assets/horizontal-ellipsis.svg) and select **Edit roles**.
  1. Next to the role, click ![image](../../../_assets/cross.svg).
  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. See the description of the CLI command for revoking a role for a GPU cluster:

     ```bash
     yc compute gpu-cluster remove-access-binding --help
     ```

  1. View the list of users and their roles for the resource:

     ```bash
     yc compute gpu-cluster list-access-bindings <GPU_cluster_ID>
     ```

  1. To revoke access permissions, run this command:

     ```bash
     yc compute gpu-cluster remove-access-binding <GPU_cluster_ID> \
       --role=<role> \
       --subject=<subject_type>:<subject_ID>
     ```

     Where:

     * `--role`: ID of the role you need to revoke.
     * `--subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) you want to revoke the role from.

     For example, this command revokes the `viewer` role for the GPU cluster from a user with the `ajel6l0jcb9s********` ID:

     ```bash
     yc compute gpu-cluster remove-access-binding my-gpu-cluster \
       --role viewer \
       --subject userAccount:ajel6l0jcb9s********
     ```

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the relevant documentation on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  To revoke a role assigned for a GPU cluster using Terraform:

  1. Open the Terraform configuration file and delete the fragment describing the role:

      ```hcl
      resource "yandex_compute_gpu_cluster_iam_binding" "sa-access" {
        gpu_cluster_id = "<GPU_cluster_ID>"
        role           = "<role>"
        members        = ["<subject_type>:<subject_ID>"]
      }
      ```

  1. Apply the changes:

      1. In the terminal, navigate to the configuration file directory.
      1. Make sure the configuration is correct using this command:
      
         ```bash
         terraform validate
         ```
      
         If the configuration is valid, you will get this message:
      
         ```text
         Success! The configuration is valid.
         ```
      
      1. Run this command:
      
         ```bash
         terraform plan
         ```
      
         You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
      1. Apply the configuration changes:
      
         ```bash
         terraform apply
         ```
      
      1. Type `yes` and press **Enter** to confirm the changes.

      You can check the updates using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/index.md) command:

       ```bash
       yc compute gpu-cluster list-access-bindings <GPU_cluster_ID>
       ```

- API {#api}

  To revoke a role, use the [updateAccessBindings](../../api-ref/GpuCluster/updateAccessBindings.md) REST API method for the [GpuCluster](../../api-ref/GpuCluster/index.md) resource or the [GpuClusterService/UpdateAccessBindings](../../api-ref/grpc/GpuCluster/updateAccessBindings.md) gRPC API call. In the request body, set the `action` property to `REMOVE` and specify the user type and ID under `subject`.

{% endlist %}