
# Managing Managed Service for Kubernetes cluster access

You can assign a user or service account a [role that grants access to the Kubernetes API](../../security/index.md#k8s-api) of a specific [cluster](../../concepts/index.md#kubernetes-cluster).

This allows you to issue granular roles to various users and service accounts for access to individual clusters.

{% note warning %}

Note that, besides the role granting access to the cluster's Kubernetes API, the user also needs at least a role that allows viewing folder resources, e.g., [k8s.viewer](../../security/index.md#k8s-viewer) (to view information about all clusters in the folder) or the primitive [viewer](../../../iam/security/index.md#viewer) role (to view all resources in the folder).

For example, you can assign the [k8s.viewer](../../security/index.md#k8s-viewer) role for a folder and the [k8s.cluster-api.editor](../../security/index.md#k8s-cluster-api-editor) role to manage Kubernetes resources of a specific cluster. This way, the user can view information about all clusters in the folder but only access the API of a specific cluster.

To control which clusters a user can see in cluster lists, we recommend placing the clusters in different folders of your cloud.

{% endnote %}

## Getting a list of roles assigned for a cluster {#list-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}
  
  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.
  
  1. To get a list of clusters in the default [folder](../../../resource-manager/concepts/resources-hierarchy.md#folder), run this command:

      ```bash
      yc managed-kubernetes cluster list
      ```
  
  1. To get a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
      ```

{% endlist %}

## Assigning a role {#add-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}
  
  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command for assigning a role for a cluster:
  
      ```bash
      yc managed-kubernetes cluster add-access-binding --help
      ```
  
  1. Use this command to assign a role:

      ```bash
      yc managed-kubernetes cluster add-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```
      
      Where:

      * `--role`: [Role](../../security/index.md#roles-list) being assigned, e.g., `k8s.cluster-api.editor`.
      * `--subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

        Here is an example: 
        
        * `serviceAccount:aje6p030************`
        * `userAccount:aje8tj79************`
        * `system:allAuthenticatedUsers`

        The possible subject types include: 
          
          * `userAccount`: [Yandex account](../../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../../organization/concepts/add-federation.md) user.
          * `group`: [Yandex Identity Hub](../../../organization/index.md) user group.
          * `system`: [Public group](../../../iam/concepts/access-control/public-group.md) of users.
            
            The possible values of a subject ID are as follows:
        
            * `allAuthenticatedUsers`: [All authenticated users](../../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
            * `allUsers`: [Any user](../../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
        
        Learn more about subject types in [Subject a role is assigned to](../../../iam/concepts/access-control/index.md#subject).

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
      ```

- Terraform {#tf}

  {% note warning %}
    
  Do not use the `yandex_kubernetes_cluster_iam_member` resource to assign roles managed by `yandex_kubernetes_cluster_iam_binding`.
    
  {% endnote %} 
  
  1. Open the current configuration file with the Managed Service for Kubernetes cluster description.
  
      For more information about creating this file, see [Creating a Managed Service for Kubernetes cluster](kubernetes-cluster-create.md).
  
  1. Add a resource description:
    
      ```hcl
      resource "yandex_kubernetes_cluster_iam_member" "<local_resource_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role>"
        member     = "<subject_type>:<subject_ID>"
      }
      ```

      Where:

      * `cluster_id`: Cluster ID.
      * `role`: [Role](../../security/index.md#roles-list) being assigned, e.g., `k8s.cluster-api.editor`.
      * `member`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.
    
        Here is an example: 
        
        * `serviceAccount:${yandex_iam_service_account.k8s_sa.id}`
        * `userAccount:ajerq94v************`
        * `system:allAuthenticatedUsers`

        The possible subject types include: 
          
          * `userAccount`: [Yandex account](../../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../../organization/concepts/add-federation.md) user.
          * `group`: [Yandex Identity Hub](../../../organization/index.md) user group.
          * `system`: [Public group](../../../iam/concepts/access-control/public-group.md) of users.
            
            The possible values of a subject ID are as follows:
        
            * `allAuthenticatedUsers`: [All authenticated users](../../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
            * `allUsers`: [Any user](../../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
        
        Learn more about subject types in [Subject a role is assigned to](../../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.
      
      For more information, see [this Terraform provider guide](../../../terraform/resources/kubernetes_cluster.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../../cli/index.md) command:
    
      ```bash
      yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
      ```

{% endlist %}

## Assigning multiple roles {#set-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}
  
  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  {% note alert %}

  The `set-access-bindings` command deletes all roles assigned for the cluster and assigns new ones.
  
  {% endnote %}  

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
      ```
  
  1. View the description of the CLI command for assigning roles for a cluster:
  
      ```bash
      yc managed-kubernetes cluster set-access-bindings --help
      ```

  1. To assign roles, run this command:

      ```bash
      yc managed-kubernetes cluster set-access-bindings <cluster_name_or_ID> \
        --access-binding role=<role_1>,subject=<subject_type>:<subject_1_ID> \
        --access-binding role=<role_2>,subject=<subject_type>:<subject_2_ID>
      ```
    
      Where `--access-binding` assigns a role to a subject. You can assign multiple roles at once by describing each of them in a separate `--access-binding` parameter.
      
        * `role`: [Role](../../security/index.md#roles-list) being assigned, e.g., `k8s.cluster-api.editor`.
        * `subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:
          
          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include: 
            
            * `userAccount`: [Yandex account](../../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../../organization/concepts/user-pools.md).
            * `serviceAccount`: [Service account](../../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
            * `federatedUser`: Account of an [identity federation](../../../organization/concepts/add-federation.md) user.
            * `group`: [Yandex Identity Hub](../../../organization/index.md) user group.
            * `system`: [Public group](../../../iam/concepts/access-control/public-group.md) of users.
              
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
          
          Learn more about subject types in [Subject a role is assigned to](../../../iam/concepts/access-control/index.md#subject).

- Terraform {#tf}

  {% note warning %}
    
  Do not use the `yandex_kubernetes_cluster_iam_member` resource to assign roles managed by `yandex_kubernetes_cluster_iam_binding`.
    
  {% endnote %} 

  1. Open the current Terraform configuration file describing your infrastructure.
  
      For more information about creating this file, see [this guide](kubernetes-cluster-create.md).

  1. Add resource descriptions:
    
      ```hcl
      resource "yandex_kubernetes_cluster_iam_member" "<resource_1_local_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role_1>"
        member     = "<subject_type>:<subject_ID>"
      }

      resource "yandex_kubernetes_cluster_iam_member" "<resource_2_local_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role_2>"
        member     = "<subject_type>:<subject_ID>"
      }
      ```

      Where:

      * `cluster_id`: Cluster ID.
      * `role`: [Role](../../security/index.md#roles-list) being assigned, e.g., `k8s.cluster-api.editor`.
      * `member`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.
    
        Here is an example:
        
        * `serviceAccount:${yandex_iam_service_account.k8s_sa.id}`
        * `userAccount:ajerq94v************`
        * `system:allAuthenticatedUsers`

        The possible subject types include: 
          
          * `userAccount`: [Yandex account](../../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../../organization/concepts/add-federation.md) user.
          * `group`: [Yandex Identity Hub](../../../organization/index.md) user group.
          * `system`: [Public group](../../../iam/concepts/access-control/public-group.md) of users.
            
            The possible values of a subject ID are as follows:
        
            * `allAuthenticatedUsers`: [All authenticated users](../../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
            * `allUsers`: [Any user](../../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
        
        Learn more about subject types in [Subject a role is assigned to](../../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.
      
      For more information, see [this Terraform provider guide](../../../terraform/resources/kubernetes_cluster.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../../cli/index.md) command:
    
      ```bash
      yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
      ```

{% endlist %}
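The following script is an added example; it is not part of this guide or of the `yc` CLI. It models the two points made above: `set-access-bindings` replaces the cluster's whole set of bindings, so anything missing from the new list is silently revoked, and a `system:*` subject is a public group rather than a specific account. It assumes the JSON that `yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID> --format json` produces is a list of objects shaped like `{"role_id": ..., "subject": {"id": ..., "type": ...}}`; the sample bindings and subject IDs below are constructed.

```python
"""Audit helpers for Managed Service for Kubernetes cluster access bindings.

Added example, not part of the Yandex Cloud documentation or the yc CLI.
Assumed JSON layout of `yc managed-kubernetes cluster list-access-bindings
<cluster> --format json`: [{"role_id": ..., "subject": {"id": ..., "type": ...}}].
"""
import json

# Constructed sample of a cluster's current bindings (IDs are placeholders).
SAMPLE_CURRENT_JSON = json.dumps([
    {"role_id": "k8s.cluster-api.editor",
     "subject": {"id": "aje6p030example00000", "type": "serviceAccount"}},
    {"role_id": "k8s.cluster-api.editor",
     "subject": {"id": "aje8tj79example00000", "type": "userAccount"}},
    {"role_id": "k8s.cluster-api.editor",
     "subject": {"id": "allAuthenticatedUsers", "type": "system"}},
])

# Subject type of the public groups allUsers and allAuthenticatedUsers.
PUBLIC_SUBJECT_TYPE = "system"


def parse_bindings(raw_json):
    """Return a set of (role, 'subject_type:subject_id') tuples."""
    bindings = set()
    for item in json.loads(raw_json):
        subject = item["subject"]
        bindings.add((item["role_id"], f'{subject["type"]}:{subject["id"]}'))
    return bindings


def public_bindings(bindings):
    """Bindings granted to a public group (system:allUsers or
    system:allAuthenticatedUsers), sorted for stable output."""
    return sorted(b for b in bindings if b[1].startswith(PUBLIC_SUBJECT_TYPE + ":"))


def set_access_bindings_impact(current, desired):
    """Model what set-access-bindings does: the whole set is replaced.

    Returns (dropped, added): bindings that disappear because they are absent
    from `desired`, and bindings that would be newly granted."""
    return sorted(current - desired), sorted(desired - current)


def access_binding_flags(desired):
    """Render the desired set as --access-binding arguments for set-access-bindings."""
    return [f"--access-binding role={role},subject={subject}"
            for role, subject in sorted(desired)]


if __name__ == "__main__":
    current = parse_bindings(SAMPLE_CURRENT_JSON)
    # Desired end state: only the service account keeps API access.
    desired = {("k8s.cluster-api.editor", "serviceAccount:aje6p030example00000")}
    print("public-group bindings:", public_bindings(current))
    dropped, added = set_access_bindings_impact(current, desired)
    print("set-access-bindings would drop:", dropped)
    print("set-access-bindings would add:", added)
    print("\n".join(access_binding_flags(desired)))
```

Run `yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID> --format json` and feed its output to `parse_bindings` in place of the constructed sample; review the `dropped` list before running `set-access-bindings`, since those bindings are revoked as part of the replacement.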

## Revoking a role {#remove-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}
  
  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
      ```
  
  1. View the description of the CLI command for revoking a role for a cluster:
  
      ```bash
      yc managed-kubernetes cluster remove-access-binding --help
      ```

  1. To revoke a role, run this command:

      ```bash
      yc managed-kubernetes cluster remove-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../../security/index.md#roles-list) being revoked, e.g., `k8s.cluster-api.editor`.
      * `--subject`: Type and ID of the [subject](../../../iam/concepts/access-control/index.md#subject) the role is assigned to, in `<subject_type>:<subject_ID>` format.

        Here is an example:
        
        * `serviceAccount:aje6p030************`
        * `userAccount:aje8tj79************`
        * `system:allAuthenticatedUsers`

        The possible subject types include: 
          
          * `userAccount`: [Yandex account](../../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../../organization/concepts/add-federation.md) user.
          * `group`: [Yandex Identity Hub](../../../organization/index.md) user group.
          * `system`: [Public group](../../../iam/concepts/access-control/public-group.md) of users.
            
            The possible values of a subject ID are as follows:
        
            * `allAuthenticatedUsers`: [All authenticated users](../../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
            * `allUsers`: [Any user](../../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
        
        Learn more about subject types in [Subject a role is assigned to](../../../iam/concepts/access-control/index.md#subject).

- Terraform {#tf}

  {% note warning %}
    
  Do not use the `yandex_kubernetes_cluster_iam_member` resource to assign roles managed by `yandex_kubernetes_cluster_iam_binding`.
    
  {% endnote %} 

  1. Open the current Terraform configuration file describing your infrastructure.
  
      For more information about creating this file, see [this guide](kubernetes-cluster-create.md).

  1. Find the description of the resource with the role you want to revoke and delete this description:
    
      ```hcl
      resource "yandex_kubernetes_cluster_iam_member" "<local_resource_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role>"
        member     = "<subject_type>:<subject_ID>"
      }
      ```

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.
      
      For more information, see [this Terraform provider guide](../../../terraform/resources/kubernetes_cluster.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../../cli/index.md) command:
    
      ```bash
      yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
      ```

{% endlist %}

## Examples {#examples}

### Granting cluster management access to a service account {#sa-cluster-control}

1. To enable a service account to view information about all Managed Service for Kubernetes clusters in the folder but only modify Kubernetes resources in one specific cluster, assign it the `k8s.viewer` role for the folder and the `k8s.cluster-api.editor` role for that cluster:

    {% list tabs group=instructions %}

    - CLI {#cli}

      1. Assign the role for the folder:
  
          ```bash
          yc resource-manager folder add-access-binding \
            --id <folder_ID> \
            --role k8s.viewer \
            --subject=serviceAccount:<service_account_ID>
          ```

      1. Assign the roles for the cluster:

          ```bash
          yc managed-kubernetes cluster set-access-bindings <cluster_name_or_ID> \
            --access-binding role=k8s.cluster-api.editor,subject=serviceAccount:<service_account_ID>
          ```

    - Terraform {#tf}

      1. Open the current Terraform configuration file describing your infrastructure.
  
          For information on how to create this file, see [Creating a cluster](kubernetes-cluster-create.md).

      1. Add resource descriptions:

          ```hcl
          resource "yandex_resourcemanager_folder_iam_member" "k8s-viewer-account-iam" {
            folder_id   = "<folder_ID>"
            role        = "k8s.viewer"
            member      = "serviceAccount:<service_account_ID>"
          }

          resource "yandex_kubernetes_cluster_iam_member" "k8s-cluster-api-editor" {
            cluster_id = "<cluster_ID>"
            role       = "k8s.cluster-api.editor"
            member     = "serviceAccount:<service_account_ID>"
          }
          ```

      1. Make sure the configuration files are correct.

          1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
          1. Run this command:
          
             ```bash
             terraform validate
             ```
          
             Terraform will show any errors found in your configuration files.

      1. Confirm updating the resources.

          1. Run this command to view the planned changes:
          
             ```bash
             terraform plan
             ```
          
             If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
          
          1. If everything looks correct, apply the changes:
             1. Run this command:
          
                ```bash
                terraform apply
                ```
          
             1. Confirm updating the resources.
             1. Wait for the operation to complete.

    {% endlist %}

1. To view a list of roles assigned for the cluster, run this [CLI](../../../cli/index.md) command:

    ```bash
    yc managed-kubernetes cluster list-access-bindings <cluster_name_or_ID>
    ```
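The following script is an added example (not part of this guide) that checks the layout described above: a folder-level role such as `k8s.viewer` applies to every cluster in the folder, while a cluster-level `k8s.cluster-api.*` role applies to one cluster only, and a subject with an API role but no folder-level viewing role cannot see the cluster in folder listings. It assumes the same `{"role_id": ..., "subject": {"id": ..., "type": ...}}` JSON layout for the output of `yc resource-manager folder list-access-bindings --format json` and `yc managed-kubernetes cluster list-access-bindings --format json`; the binding lists, cluster IDs and subject ID below are constructed.

```python
"""Effective-access report for one subject across the clusters of a folder.

Added example, not part of the Yandex Cloud documentation. Folder-level roles
are treated as inherited by every cluster in the folder; cluster-level roles
apply to that cluster only. All IDs below are constructed placeholders.
"""
import json

SUBJECT = "serviceAccount:aje6p030example00000"      # constructed subject

# Minimal folder-level roles this guide names for viewing folder resources.
# Assumption: broader folder roles that include viewing are not modelled here.
FOLDER_VIEW_ROLES = {"k8s.viewer", "viewer"}
API_ROLE_PREFIX = "k8s.cluster-api."                  # cluster-level API roles

# Constructed sample: the service account holds k8s.viewer on the folder ...
FOLDER_BINDINGS_JSON = json.dumps([
    {"role_id": "k8s.viewer",
     "subject": {"id": "aje6p030example00000", "type": "serviceAccount"}},
])
# ... and k8s.cluster-api.editor on one of the folder's two clusters.
CLUSTER_BINDINGS_JSON = {
    "cluster_a_example": json.dumps([
        {"role_id": "k8s.cluster-api.editor",
         "subject": {"id": "aje6p030example00000", "type": "serviceAccount"}},
    ]),
    "cluster_b_example": json.dumps([]),
}


def roles_for_subject(raw_json, subject):
    """Roles a subject holds in one list-access-bindings JSON document."""
    return {item["role_id"] for item in json.loads(raw_json)
            if f'{item["subject"]["type"]}:{item["subject"]["id"]}' == subject}


def effective_access(folder_json, cluster_json_by_id, subject):
    """Map cluster ID -> roles the subject effectively holds on that cluster
    (folder-level roles inherited plus the cluster's own bindings)."""
    folder_roles = roles_for_subject(folder_json, subject)
    return {cluster_id: folder_roles | roles_for_subject(raw, subject)
            for cluster_id, raw in cluster_json_by_id.items()}


def api_access_without_folder_view(folder_json, cluster_json_by_id, subject):
    """Clusters where the subject has a Kubernetes API role but lacks any
    folder-level viewing role, so it cannot see the cluster in folder lists."""
    folder_roles = roles_for_subject(folder_json, subject)
    if folder_roles & FOLDER_VIEW_ROLES:
        return []
    return sorted(
        cluster_id for cluster_id, raw in cluster_json_by_id.items()
        if any(r.startswith(API_ROLE_PREFIX) for r in roles_for_subject(raw, subject))
    )


if __name__ == "__main__":
    for cluster_id, roles in effective_access(
            FOLDER_BINDINGS_JSON, CLUSTER_BINDINGS_JSON, SUBJECT).items():
        print(f"{cluster_id}: {sorted(roles)}")
    # With no folder-level role the API binding alone is not enough to list the cluster.
    print("API access but no folder view:",
          api_access_without_folder_view("[]", CLUSTER_BINDINGS_JSON, SUBJECT))
```

Replace the constructed samples with the real output of the two `list-access-bindings` commands to confirm that the service account can view every cluster in the folder but holds an API role on the intended cluster only.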