# Assigning roles to a service account

This section describes how to assign a [role](../../concepts/access-control/roles.md) to a service account for a resource. To learn how to assign a role for a [service account](../../concepts/users/service-accounts.md) as a resource to another user, see [Setting up service account access permissions](set-access-bindings.md).

You can assign roles to a service account for any resources in any cloud if these resources belong to the same organization as the service account. You can also assign roles to a service account for the organization.

## Assigning a role for a resource {#binding-role-resource}

Child resources inherit access permissions from their parent resources. For example, if a service account gets a role for a cloud, it will also get the required permissions for all resources across the cloud's folders.

To assign a role for a resource, you need the `admin` or `service-name.admin` role, where `service-name` is the name of the service to which the resource belongs.

[Learn](../../concepts/access-control/resources-with-access-control.md) which resources you can assign a role for.

To assign a role for a resource:

{% list tabs group=instructions %}

- Management console {#console}

    You assign roles to a service account the same way as to a user account.
    
    To assign a service account a role for a cloud or folder:

    1. In the [management console](https://console.yandex.cloud), click ![image](../../../_assets/console-icons/layout-side-content-left.svg) or ![image](../../../_assets/console-icons/chevron-down.svg) in the top panel and select the cloud or folder.
    1. Navigate to the **Access bindings** tab.
    1. Click **Configure access**.
    1. In the window that opens, select **Service accounts**.
    1. Select the service account from the list or use the search bar.
    1. Click ![image](../../../_assets/console-icons/plus.svg) **Add role** and select the role from the list or use the search bar.
    1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  To assign a service account a role for a cloud or folder, run this command:

  ```bash
  yc resource-manager <resource_category> add-access-binding <resource_name_or_ID> \
    --role <role_ID> \
    --subject serviceAccount:<service_account_ID>
  ```

  Where:

  * `<resource_category>`: `cloud` to assign a role for a cloud or `folder` to assign a role for a folder.
  * `<resource_name_or_ID>`: Name or ID of the resource to assign a role for.
  * `--role`: Role ID, e.g., `viewer`.
  * `--subject serviceAccount`: ID of the service account you are assigning the role to.

  For example, to assign a service account the `viewer` role for the [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder) named `my-folder`:

  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the [Yandex Cloud role reference](../../roles-reference.md).
  
  1. Find out the service account ID by its name:
  
      ```bash
      yc iam service-account get my-robot
      ```
  
      Result:
  
      ```text
      id: aje6o61dvog2********
      folder_id: b1gvmob95yys********
      created_at: "2018-10-15T18:01:25Z"
      name: my-robot
      ```
  
      If you don't know the name of the service account, get a list of service accounts with their IDs:
  
      ```bash
      yc iam service-account list
      ```
  
      Result:
  
      ```text
      +----------------------+------------------+-----------------+
      |          ID          |       NAME       |   DESCRIPTION   |
      +----------------------+------------------+-----------------+
      | aje6o61dvog2******** | my-robot         | my description  |
      +----------------------+------------------+-----------------+
      ```
  
  1. Assign the `viewer` role to the `my-robot` service account using its ID:
  
      ```bash
      yc resource-manager folder add-access-binding my-folder \
        --role viewer \
        --subject serviceAccount:aje6o61dvog2********
      ```

- Terraform {#tf}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  1. In the configuration file, describe the resources you want to create:

     Here is an example of the configuration file structure:

     ```hcl
     resource "yandex_resourcemanager_folder_iam_member" "admin-account-iam" {
       folder_id   = "<folder_ID>"
       role        = "<role>"
       member      = "serviceAccount:<service_account_ID>"
     }
     ```

     Where:
     * `folder_id`: [Folder ID](../../../resource-manager/operations/folder/get-id.md). This is a required setting.
     * `role`: Role to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the [Yandex Cloud role reference](../../roles-reference.md). This is a required setting.
     * `member`: [ID](get-id.md) of the service account you are assigning the role to. Use this format: `serviceAccount:<service_account_ID>`. This is a required setting.

     For more information about the resources you can create with Terraform, see [this provider guide](../../../terraform/index.md).

  1. Make sure the configuration files are correct.

     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using the following command:

        ```bash
        terraform plan
        ```

     If your configuration is correct, the terminal will display a list of the resources to be created and their settings. Otherwise, Terraform will show any detected errors.

  1. Deploy the cloud resources.

     1. If the configuration is correct, run this command:

        ```bash
        terraform apply
        ```

     1. Confirm creating the resources: type `yes` and press **Enter**.

     This will create all the resources you need in the specified folder. You can check the new resource using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/quickstart.md) command:

     ```bash
     yc resource-manager folder list-access-bindings <folder_name_or_ID>
     ```

- API {#api}

  To assign the service account a role for a cloud or folder, use the `updateAccessBindings` REST API method for the [Cloud](../../../resource-manager/api-ref/Cloud/index.md) or [Folder](../../../resource-manager/api-ref/Folder/index.md) resource:
  
  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the [Yandex Cloud role reference](../../roles-reference.md).
  1. [Get](../../../resource-manager/operations/folder/get-id.md) the ID of the folder the service account belongs to.
  1. [Get](../iam-token/create.md) an IAM token for authentication in the Yandex Cloud API.
  1. Get the list of service accounts in that folder to find out their IDs:
  
      ```bash
      export FOLDER_ID=b1gvmob95yys********
      export IAM_TOKEN=CggaATEVAgA...
      curl \
        --header "Authorization: Bearer ${IAM_TOKEN}" \
        "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
      ```
  
      Result:
  
      ```json
      {
       "serviceAccounts": [
        {
         "id": "ajebqtreob2d********",
         "folderId": "b1gvmob95yys********",
         "createdAt": "2018-10-18T13:42:40Z",
         "name": "my-robot",
         "description": "my description"
        }
       ]
      }
      ```
  
  1. Create the request body, e.g., in the `body.json` file. Set the `action` property to `ADD` and `roleId` to the appropriate role, such as `editor`, and specify the `serviceAccount` type and service account ID in the `subject` property:
  
      **body.json:**
      ```json
      {
        "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
            "roleId": "editor",
            "subject": {
              "id": "ajebqtreob2d********",
              "type": "serviceAccount"
            }
          }
        }]
      }
      ```
  1. Assign a role to a service account. For example, for a folder with the `b1gvmob95yys********` ID:
     
     ```bash
     export FOLDER_ID=b1gvmob95yys********
     export IAM_TOKEN=CggaAT********
     curl \
       --request POST \
       --header "Content-Type: application/json" \
       --header "Authorization: Bearer ${IAM_TOKEN}" \
       --data '@body.json' \
       "https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/${FOLDER_ID}:updateAccessBindings"
     ```

{% endlist %}
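The API tab above resolves a service account ID from the `serviceAccounts` list response, then posts an `accessBindingDeltas` body to `updateAccessBindings`. The following added example (not code from the Yandex Cloud documentation) wires those two steps together in Python: it looks the account up by name and refuses to proceed if the name is missing or matches more than one account, builds the delta body for `ADD` (grant) or `REMOVE` (revoke), and only then sends it. The sample list response is constructed from the shape shown on this page; the second account ID in it is a placeholder, and the endpoint URL and header names are the ones used in the curl command above.

```python
"""Resolve a service account by name and build the updateAccessBindings body.

Added example; it uses only the request and response shapes shown on this page.
"""
import json
import urllib.request

# Constructed sample in the shape of GET /iam/v1/serviceAccounts?folderId=...
# (first entry copied from the page, second entry is a placeholder).
SAMPLE_LIST_RESPONSE = {
    "serviceAccounts": [
        {"id": "ajebqtreob2d********", "folderId": "b1gvmob95yys********",
         "createdAt": "2018-10-18T13:42:40Z", "name": "my-robot",
         "description": "my description"},
        {"id": "ajeplaceholder0001**", "folderId": "b1gvmob95yys********",
         "createdAt": "2019-01-01T00:00:00Z", "name": "ci-deployer",
         "description": "constructed second account"},
    ]
}


def find_service_account_id(list_response: dict, name: str) -> str:
    """Return the ID of the service account with exactly this name.

    A grant goes to an ID, not a name, so an absent or ambiguous name must
    fail loudly instead of silently picking a principal.
    """
    matches = [sa["id"] for sa in list_response.get("serviceAccounts", [])
               if sa.get("name") == name]
    if not matches:
        raise LookupError(f"no service account named {name!r}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous name {name!r}: {matches}")
    return matches[0]


def build_access_binding_delta(role_id: str, service_account_id: str,
                               action: str = "ADD") -> dict:
    """Build the body.json structure from the page; action is ADD or REMOVE."""
    if action not in ("ADD", "REMOVE"):
        raise ValueError("action must be ADD or REMOVE")
    return {
        "accessBindingDeltas": [{
            "action": action,
            "accessBinding": {
                "roleId": role_id,
                "subject": {"id": service_account_id, "type": "serviceAccount"},
            },
        }]
    }


def update_folder_access_bindings(folder_id: str, iam_token: str, body: dict) -> dict:
    """POST the delta to the Folder updateAccessBindings endpoint used above.

    Network call; not exercised offline. Returns the parsed operation object.
    """
    url = ("https://resource-manager.api.cloud.yandex.net/resource-manager/v1/"
           f"folders/{folder_id}:updateAccessBindings")
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {iam_token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: resolve the name, then print the body that
    # would be sent. Swap in a live list response and a token to send it.
    sa_id = find_service_account_id(SAMPLE_LIST_RESPONSE, "my-robot")
    print(json.dumps(build_access_binding_delta("viewer", sa_id), indent=2))
```

The `REMOVE` action uses the same delta shape as `ADD`, so the same function builds the revocation body when a role is no longer needed.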

## Assigning a role for an organization {#binding-role-organization}

Access permissions are inherited from an organization by all resources created in the organization. For example, if a service account gets a role for an organization, it will also get the required permissions for all resources across the organization's clouds.

To grant a service account permissions to access an organization, you need the `organization-manager.admin` role or higher.

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization) using an administrator or organization owner account.

  1. In the left-hand panel, select ![persons-lock](../../../_assets/console-icons/persons-lock.svg) **Access bindings**.

  1. In the **Account type** filter, select `Service accounts`.

  1. If the service account you need already has at least one role assigned, click ![icon-context-menu](../../../_assets/console-icons/ellipsis.svg) in the row with that service account and select **Assign roles**.

      If the service account is not on the list, click **Assign roles** in the top-right corner. In the window that opens, go to **Service accounts** and select the account from the list or use the search bar to locate it.

  1. Click ![plus](../../../_assets/console-icons/plus.svg) **Add role** and select the [role](../../concepts/access-control/roles.md) to assign to the service account. You can assign multiple roles.

      You can find the description of the available roles in the Yandex Identity and Access Management documentation in the [Yandex Cloud role reference](../../roles-reference.md).

  1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  To assign a service account a role for an organization, run this command:

  ```bash
  yc organization-manager organization add-access-binding <organization_name_or_ID> \
    --role <role_ID> \
    --subject serviceAccount:<service_account_ID>
  ```

  Where:
  * `<organization_name_or_ID>`: Technical name or [ID](../../../organization/operations/organization-get-id.md) of the organization.
  * `--role`: Role ID, e.g., `viewer`.
  * `--subject serviceAccount`: ID of the service account you are assigning the role to.

  For example, to assign a service account the `viewer` role for the `MyOrg` organization:

  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the [Yandex Cloud role reference](../../roles-reference.md).

  1. Get a list of available organizations to find out their IDs and technical names:

      ```bash
      yc organization-manager organization list
      ```

      Result:

      ```text
      +---------------------------------+---------------------------------+----------------------+
      |               ID                |              NAME               |        TITLE         |
      +---------------------------------+---------------------------------+----------------------+
      | bpf1smsil5q0********            | hdt5j5uw********                | MyOrg                |
      +---------------------------------+---------------------------------+----------------------+
      ```

      The organization's technical name is in the `NAME` column and its ID, in the `ID` column.

  1. Find out the service account ID by its name:

      ```bash
      yc iam service-account get my-robot
      ```

      Result:

      ```text
      id: aje6o61dvog2********
      folder_id: b1gvmob95yys********
      created_at: "2018-10-15T18:01:25Z"
      name: my-robot
      ```

      If you do not know the name of the service account, get a complete list of service accounts with their IDs:

      ```bash
      yc iam service-account list
      ```

      Result:

      ```text
      +----------------------+------------------+-----------------+
      |          ID          |       NAME       |   DESCRIPTION   |
      +----------------------+------------------+-----------------+
      | aje6o61dvog2******** | my-robot         | my description  |
      +----------------------+------------------+-----------------+
      ```

  1. Assign the `my-robot` service account the `viewer` role for the organization with the `bpf1smsil5q0********` ID:

      ```bash
      yc organization-manager organization add-access-binding bpf1smsil5q0******** \
        --role viewer \
        --subject serviceAccount:aje6o61dvog2********
      ```

- Terraform {#tf}

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  1. In the configuration file, describe the resources you want to create:

     Here is an example of the configuration file structure:

     ```hcl
     resource "yandex_organizationmanager_organization_iam_binding" "editor" {
       organization_id   = "<organization_ID>"
       role              = "<role>"
       members           = [
                             "serviceAccount:<service_account_ID>",
                           ]
     }
     ```

     Where:
     * `organization_id`: [Organization ID](../../../organization/operations/organization-get-id.md). This is a required setting.
     * `role`: Role to assign. You can find the description of the roles in the Yandex Identity and Access Management documentation in the [Yandex Cloud role reference](../../roles-reference.md). For each role, you can only use one `yandex_organizationmanager_organization_iam_binding` resource. This is a required setting.
     * `members`: [ID](get-id.md) of the service account you are assigning the role to. Use this format: `serviceAccount:<service_account_ID>`. This is a required setting.

     For more information about the resources you can create with Terraform, see [this provider guide](../../../terraform/index.md).

  1. Make sure the configuration files are correct.
    
     1. In the terminal, navigate to the directory where you created your configuration file.
     1. Run a check using the following command:
 
        ```bash
        terraform plan
        ```

     If your configuration is correct, the terminal will display a list of the role bindings to be created. Otherwise, Terraform will show any detected errors.
 
  1. Deploy the cloud resources.
  
     1. If the configuration is correct, run this command:

        ```bash
        terraform apply
        ```

     1. To confirm resource creation, type `yes` and press **Enter**.
	 
     This will create the required resources in the specified organization. You can check the new resource using the [management console](https://console.yandex.cloud) or this [CLI](../../../cli/quickstart.md) command:

     ```bash
     yc organization-manager organization list-access-bindings <organization_name_or_ID>
     ```

- API {#api}

  To assign the service account a role for the organization, use the [updateAccessBindings](../../../organization/api-ref/Organization/updateAccessBindings.md) REST API method for the [Organization](../../../organization/api-ref/Organization/index.md) resource:

  1. Select the role to assign to the service account. You can find the description of the roles in the Yandex Identity and Access Management documentation in the [Yandex Cloud role reference](../../roles-reference.md).
  1. [Get](../../../resource-manager/operations/folder/get-id.md) the ID of the folder the service account belongs to.
  1. [Get](../iam-token/create.md) an IAM token for authentication in the Yandex Cloud API.
  1. Get the list of service accounts in that folder to find out their IDs:

      ```bash
      export FOLDER_ID=b1gvmob95yys********
      export IAM_TOKEN=CggaATEVAgA...
      curl \
        --header "Authorization: Bearer ${IAM_TOKEN}" \
        "https://iam.api.cloud.yandex.net/iam/v1/serviceAccounts?folderId=${FOLDER_ID}"
      ```

      Result:

      ```json
      {
       "serviceAccounts": [
        {
         "id": "ajebqtreob2d********",
         "folderId": "b1gvmob95yys********",
         "createdAt": "2018-10-18T13:42:40Z",
         "name": "my-robot",
         "description": "my description"
        }
       ]
      }
      ```

  1. Get a list of organizations to find out their IDs:

      ```bash
      export IAM_TOKEN=CggaATEVAgA...
      curl \
        --header "Authorization: Bearer ${IAM_TOKEN}" \
        --request GET \
        "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations"
      ```

      Result:

      ```json
      {
       "organizations": [
        {
         "id": "bpfaidqca8vd********",
         "createdAt": "2023-04-07T08:11:54.313033Z",
         "name": "xvdq9q22********",
         "title": "MyOrg"
        }
       ]
      }
      ```

  1. Create the request body, e.g., in the `body.json` file. Set the `action` property to `ADD` and `roleId` to the appropriate role, such as `viewer`, and specify the `serviceAccount` type and service account ID in the `subject` property:

      **body.json:**

      ```json
      {
        "accessBindingDeltas": [{
          "action": "ADD",
          "accessBinding": {
            "roleId": "viewer",
            "subject": {
              "id": "ajebqtreob2d********",
              "type": "serviceAccount"
            }
          }
        }]
      }
      ```

  1. Assign a role to a service account. For example, assign it for the organization with the `bpfaidqca8vd********` ID:

      ```bash
      export ORGANIZATION_ID=bpfaidqca8vd********
      export IAM_TOKEN=CggaATEVAgA...
      curl \
        --header "Content-Type: application/json" \
        --header "Authorization: Bearer ${IAM_TOKEN}" \
        --data '@body.json' \
        --request POST \
        "https://organization-manager.api.cloud.yandex.net/organization-manager/v1/organizations/${ORGANIZATION_ID}:updateAccessBindings"
      ```

{% endlist %}
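Both sections above end with a `list-access-bindings` command to check the result, and both note that a role granted on an organization or cloud is inherited by every resource beneath it. The following added example (not code from the Yandex Cloud documentation) turns that check into a small audit in Python: it confirms the intended service account holds the intended role, and it reports any service account that holds one of the broad roles named on this page (`admin`, `editor`, `organization-manager.admin`), since such a binding is inherited across the whole subtree. It assumes the binding list has the shape returned by the `listAccessBindings` REST method (`roleId`, `subject.id`, `subject.type`) or by `yc ... list-access-bindings --format json` (`role_id`), and `SAMPLE_BINDINGS` is constructed with placeholder IDs.

```python
"""Verify an access-binding grant and flag broad roles held by service accounts.

Added example. Input is the accessBindings array from listAccessBindings (REST)
or from `yc ... list-access-bindings --format json`; the key names are assumed
from those outputs and the sample data is constructed.
"""
from typing import Iterable

# Roles that, once granted on an organization or cloud, are inherited by every
# child resource. A service account holding one is a high-value credential,
# so the audit reports it for review.
BROAD_ROLES = {"admin", "editor", "organization-manager.admin"}

# Constructed sample: one REST-style entry copied from the page, one CLI-style
# entry (role_id) and one user binding, with placeholder IDs.
SAMPLE_BINDINGS = [
    {"roleId": "viewer", "subject": {"id": "aje6o61dvog2********", "type": "serviceAccount"}},
    {"role_id": "editor", "subject": {"id": "ajeplaceholder0001**", "type": "serviceAccount"}},
    {"roleId": "admin", "subject": {"id": "ajeplaceholder0002**", "type": "userAccount"}},
]


def role_of(binding: dict) -> str:
    """Accept both the REST (roleId) and CLI (role_id) spellings."""
    return binding.get("roleId") or binding.get("role_id") or ""


def has_binding(bindings: Iterable[dict], role_id: str, service_account_id: str) -> bool:
    """True if the given service account holds exactly this role in the list."""
    for b in bindings:
        subj = b.get("subject", {})
        if (role_of(b) == role_id and subj.get("type") == "serviceAccount"
                and subj.get("id") == service_account_id):
            return True
    return False


def broad_service_account_bindings(bindings: Iterable[dict]) -> list:
    """Return sorted (service_account_id, role) pairs for broad roles on service accounts."""
    found = []
    for b in bindings:
        subj = b.get("subject", {})
        if subj.get("type") == "serviceAccount" and role_of(b) in BROAD_ROLES:
            found.append((subj["id"], role_of(b)))
    return sorted(found)


def audit(bindings: list, role_id: str, service_account_id: str) -> dict:
    """Post-grant check: was the intended binding applied, and does any
    service account in the list now hold a broad role?"""
    return {
        "expected_present": has_binding(bindings, role_id, service_account_id),
        "broad_service_account_roles": broad_service_account_bindings(bindings),
    }


if __name__ == "__main__":
    import json
    import subprocess
    import sys
    # With an organization name or ID as argv[1], read live CLI output;
    # otherwise run against the constructed sample.
    if len(sys.argv) > 1:
        out = subprocess.run(
            ["yc", "organization-manager", "organization", "list-access-bindings",
             sys.argv[1], "--format", "json"],
            check=True, capture_output=True, text=True).stdout
        bindings = json.loads(out)
    else:
        bindings = SAMPLE_BINDINGS
    print(json.dumps(audit(bindings, "viewer", "aje6o61dvog2********"), indent=2))
```

Running it against the folder-level command from the first section works the same way; only the CLI arguments in the `__main__` block change.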

#### What's next {#what-is-next}

* [Creating a static access key](../authentication/manage-access-keys.md#create-access-key).
* [Setting up service account access permissions](set-access-bindings.md).
* [Assign multiple roles at once](../roles/grant.md#multiple-roles).