[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for MySQL®](../index.md) > [Step-by-step guides](index.md) > Clusters > Managing cluster access

# Managing access to a Managed Service for MySQL® cluster

You can assign a user or service account a [role](../security/index.md) that grants access to a specific [cluster](../concepts/index.md).

Thus, you can granularly assign different roles for particular clusters to different users and service accounts.


## Getting a list of roles assigned for a cluster {#list-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To get a list of clusters in the default [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), run this command:

      ```bash
      yc managed-mysql cluster list
      ```

  1. To get a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.ListAccessBindings](../api-ref/Cluster/listAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

  1. View the [server response](../api-ref/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.ListAccessBindings](../api-ref/grpc/Cluster/listAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.mysql.v1.ClusterService.ListAccessBindings
      ```

  1. Check the [server response](../api-ref/grpc/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

{% endlist %}


## Assigning a role {#add-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command for assigning a role for a cluster:

      ```bash
      yc managed-mysql cluster add-access-binding --help
      ```

  1. Use this command to assign a role:

      ```bash
      yc managed-mysql cluster add-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.mysql.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- Terraform {#tf}

   {% note info %}

   To assign roles for a Managed Service for MySQL® cluster, use the `yandex_mdb_mysql_cluster_iam_binding` resource with the `members` parameter.

   {% endnote %}

  1. Open the current configuration file with the Managed Service for MySQL® cluster description.

     For more on how to create this file, see [Creating a MySQL® cluster](cluster-create.md).

  1. Add a resource description:

     ```hcl
     resource "yandex_mdb_mysql_cluster_iam_binding" "<local_resource_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role>"
       members    = ["<subject_type>:<subject_ID>"]
     }
     ```

     Where:

     * `cluster_id`: Cluster ID.
     * `role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
     * `members`: Array of types and IDs of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.
   
       Here is an example:
       
       * `serviceAccount:${yandex_iam_service_account.mmy_sa.id}`
       * `userAccount:ajerq94v************`
       * `system:allAuthenticatedUsers`

       The possible subject types include:
       
       * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
       * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
       * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
       * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
       
           The possible values of a subject ID are as follows:
       
           * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
           * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
           * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
           * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
       
       To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.
     
     For more information, see [this Terraform provider guide](../../terraform/resources/mdb_mysql_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:
   
     ```bash
     yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
     ```

{% endlist %}

## Assigning multiple roles {#set-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  {% note alert %}

  The `set-access-bindings` command deletes all roles assigned for the cluster and assigns new ones.

  {% endnote %}

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for assigning roles for a cluster:

      ```bash
      yc managed-mysql cluster set-access-bindings --help
      ```

  1. To assign roles, run this command:

      ```bash
      yc managed-mysql cluster set-access-bindings <cluster_name_or_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_1_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_2_ID>
      ```

      Where `--access-binding` assigns a role to a subject. You can assign multiple roles at once by describing each of them in a separate `--access-binding` parameter.

      * `role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- REST API {#api}

  {% note alert %}

  The `setAccessBindings` method overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.SetAccessBindings](../api-ref/Cluster/setAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>:setAccessBindings' \
        --data '{
                  "accessBindings": [
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_1_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_2_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    ...
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_N_ID>",
                        "type": "<subject_type>"
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `accessBindings.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  {% note alert %}

  The `ClusterService.SetAccessBindings` method completely overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.SetAccessBindings](../api-ref/grpc/Cluster/setAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "accessBindings": [
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_1_ID>",
                    "type": "<subject_type>"
                  }
                },
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_2_ID>",
                    "type": "<subject_type>"
                  }
                },
                ...
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_N_ID>",
                    "type": "<subject_type>"
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.mysql.v1.ClusterService.SetAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `accessBindings.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- Terraform {#tf}

   {% note info %}

   To assign roles for a Managed Service for MySQL® cluster, use the `yandex_mdb_mysql_cluster_iam_binding` resource with the `members` parameter.

   {% endnote %}

  1. Open the current Terraform configuration file describing your infrastructure.

     For more on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add resource descriptions:

     ```hcl
     resource "yandex_mdb_mysql_cluster_iam_binding" "<resource_1_local_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role_1>"
       members    = ["<subject_type>:<subject_ID>"]
     }

     resource "yandex_mdb_mysql_cluster_iam_binding" "<resource_2_local_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role_2>"
       members    = ["<subject_type>:<subject_ID>"]
     }
     ```

     Where:

     * `cluster_id`: Cluster ID.
     * `role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
     * `members`: Array of types and IDs of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.

       Here is an example:

       * `serviceAccount:${yandex_iam_service_account.mmy_sa.id}`
       * `userAccount:ajerq94v************`
       * `system:allAuthenticatedUsers`

       The possible subject types include:
       
       * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
       * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
       * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
       * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
       
           The possible values of a subject ID are as follows:
       
           * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
           * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
           * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
           * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
       
       To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

     For more information, see [this Terraform provider guide](../../terraform/resources/mdb_mysql_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:

     ```bash
     yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
     ```

{% endlist %}

## Revoking a role {#remove-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for revoking a role for a cluster:

      ```bash
      yc managed-mysql cluster remove-access-binding --help
      ```
  1. To revoke a role, run this command:

      ```bash
      yc managed-mysql cluster remove-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security/index.md#roles-list) being revoked, e.g., `managed-mysql.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "REMOVE",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "REMOVE",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.mysql.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-mysql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- Terraform {#tf}

  {% note info %}

  To revoke roles for a Managed Service for MySQL® cluster, use the `yandex_mdb_mysql_cluster_iam_binding` resource with the `members` parameter.

  {% endnote %}

  1. Open the current Terraform configuration file describing your infrastructure.

     For more on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Find the description of the resource with the role you want to revoke and delete this description:

     ```hcl
     resource "yandex_mdb_mysql_cluster_iam_binding" "<local_resource_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role>"
       members    = ["<subject_type>:<subject_ID>"]
     }
     ```

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.
     
     For more information, see [this Terraform provider guide](../../terraform/resources/mdb_mysql_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:

     ```bash
     yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
     ```

{% endlist %}

## Examples {#examples}

### Granting cluster management access to a service account {#sa-cluster-control}

For a service account to be able to view the info of all Managed Service for MySQL® clusters in the folder but modify the resources in one particular cluster alone, give it the `managed-mysql.viewer` role for the folder and the `managed-mysql.editor` role for that cluster:

{% list tabs group=instructions %}

- CLI {#cli}

  1. Assign the role for the folder:

      ```bash
      yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role managed-mysql.viewer \
        --subject=serviceAccount:<service_account_ID>
      ```

  1. Assign the roles for the cluster:

      ```bash
      yc managed-mysql cluster add-access-bindings <cluster_name_or_ID> \
        --access-binding role=managed-mysql.editor,subject=serviceAccount:<service_account_ID>
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      yc managed-mysql cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Assign the role for the folder:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-mysql.viewer",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-mysql.editor",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings'
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-mysql/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Assign the role for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-mysql.viewer",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Assign the role for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-mysql.editor",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.mysql.v1.ClusterService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<folder_ID>"
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.ListAccessBindings
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/mysql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.mysql.v1.ClusterService.ListAccessBindings
      ```

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For more on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add resource descriptions:

     ```hcl
     resource "yandex_resourcemanager_folder_iam_member" "mmy-viewer-account-iam" {
       folder_id   = "<folder_ID>"
       role        = "managed-mysql.viewer"
       member      = "serviceAccount:<service_account_ID>"
     }

     resource "yandex_mdb_mysql_cluster_iam_binding" "mmy-cluster-api-editor" {
       cluster_id = "<cluster_ID>"
       role       = "managed-mysql.editor"
       members    = ["serviceAccount:<service_account_ID>"]
     }
     ```

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

{% endlist %}