[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for PostgreSQL](../index.md) > [Step-by-step guides](index.md) > Clusters > Managing cluster access

# Managing access to a Managed Service for PostgreSQL cluster

You can assign a user or service account a [role](../security/index.md) that grants access to a specific [cluster](../concepts/index.md).

Thus, you can granularly assign different roles for particular clusters to different users and service accounts.


## Getting a list of roles assigned for a cluster {#list-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To get a list of clusters in the default [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), run this command:

      ```bash
      yc managed-postgresql cluster list
      ```

  1. To get a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.ListAccessBindings](../api-ref/Cluster/listAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-postgresql/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

  1. View the [server response](../api-ref/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.ListAccessBindings](../api-ref/grpc/Cluster/listAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/postgresql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.postgresql.v1.ClusterService.ListAccessBindings
      ```

  1. Check the [server response](../api-ref/grpc/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

{% endlist %}


## Assigning a role {#add-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the description of the CLI command for assigning a role for a cluster:

      ```bash
      yc managed-postgresql cluster add-access-binding --help
      ```

  1. Use this command to assign a role:

      ```bash
      yc managed-postgresql cluster add-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-postgresql/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/postgresql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.postgresql.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- Terraform {#tf}

  {% note info %}

  To assign roles for a Managed Service for PostgreSQL cluster, use the `yandex_mdb_postgresql_cluster_iam_binding` resource with the `members` parameter.
     
  {% endnote %}

  1. Open the current configuration file with the Managed Service for PostgreSQL cluster description.
 
     For more on how to create this file, see [Creating a PostgreSQL cluster](cluster-create.md).
 
  1. Add a resource description:
   
     ```hcl
     resource "yandex_mdb_postgresql_cluster_iam_binding" "<local_resource_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role>"
       members    = ["<subject_type>:<subject_ID>"]
     }
     ```

     Where:

     * `cluster_id`: Cluster ID.
     * `role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
     * `members`: Array of types and IDs of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.

       Here is an example:

       * `serviceAccount:${yandex_iam_service_account.mpg_sa.id}`
       * `userAccount:ajerq94v************`
       * `system:allAuthenticatedUsers`

       The possible subject types include:
       
       * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
       * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
       * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
       * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
       
           The possible values of a subject ID are as follows:
       
           * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
           * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
           * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
           * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
       
       To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.
  
     For more information, see [this Terraform provider guide](../../terraform/resources/mdb_postgresql_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:

     ```bash
     yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
     ```

{% endlist %}

## Assigning multiple roles {#set-access-bindings}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  {% note alert %}

  The `set-access-bindings` command deletes all roles assigned for the cluster and assigns new ones.

  {% endnote %}

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for assigning roles for a cluster:

      ```bash
      yc managed-postgresql cluster set-access-bindings --help
      ```

  1. To assign roles, run this command:

      ```bash
      yc managed-postgresql cluster set-access-bindings <cluster_name_or_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_1_ID> \
        --access-binding role=<role>,subject=<subject_type>:<subject_2_ID>
      ```

      Where `--access-binding` assigns a role to a subject. You can assign multiple roles at once by describing each of them in a separate `--access-binding` parameter.

      * `role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) you are assigning the role to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- REST API {#api}

  {% note alert %}

  The `setAccessBindings` method overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.SetAccessBindings](../api-ref/Cluster/setAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-postgresql/v1/clusters/<cluster_ID>:setAccessBindings' \
        --data '{
                  "accessBindings": [
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_1_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_2_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    ...
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_N_ID>",
                        "type": "<subject_type>"
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `accessBindings.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  {% note alert %}

  The `ClusterService.SetAccessBindings` method completely overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.SetAccessBindings](../api-ref/grpc/Cluster/setAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/postgresql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "accessBindings": [
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_1_ID>",
                    "type": "<subject_type>"
                  }
                },
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_2_ID>",
                    "type": "<subject_type>"
                  }
                },
                ...
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_N_ID>",
                    "type": "<subject_type>"
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.postgresql.v1.ClusterService.SetAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `accessBindings.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- Terraform {#tf}

  {% note info %}
   
  To assign roles for a Managed Service for PostgreSQL cluster, use the `yandex_mdb_postgresql_cluster_iam_binding` resource with the `members` parameter.
   
  {% endnote %}

  1. Open the current Terraform configuration file describing your infrastructure.

     For more on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add resource descriptions:

     ```hcl
     resource "yandex_mdb_postgresql_cluster_iam_binding" "<resource_1_local_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role_1>"
       members    = ["<subject_type>:<subject_ID>"]
     }

     resource "yandex_mdb_postgresql_cluster_iam_binding" "<resource_2_local_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role_2>"
       members    = ["<subject_type>:<subject_ID>"]
     }
     ```

     Where:

     * `cluster_id`: Cluster ID.
     * `role`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
     * `members`: Array of types and IDs of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.

       Here is an example:

       * `serviceAccount:${yandex_iam_service_account.mpg_sa.id}`
       * `userAccount:ajerq94v************`
       * `system:allAuthenticatedUsers`

       The possible subject types include:
       
       * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
       * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
       * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
       * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
       
           The possible values of a subject ID are as follows:
       
           * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
           * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
           * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
           * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
       
       To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

     For more information, see [this Terraform provider guide](../../terraform/resources/mdb_postgresql_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:

     ```bash
     yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
     ```

{% endlist %}

## Revoking a role {#remove-access-binding}

{% list tabs group=instructions %}

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. To view a list of roles assigned for the cluster, run this command:

      ```bash
      yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
      ```

  1. View the description of the CLI command for revoking a role for a cluster:

      ```bash
      yc managed-postgresql cluster remove-access-binding --help
      ```
  1. To revoke a role, run this command:

      ```bash
      yc managed-postgresql cluster remove-access-binding <cluster_name_or_ID> \
        --role <role> \
        --subject <subject_type>:<subject_ID>
      ```

      Where:

      * `--role`: [Role](../security/index.md#roles-list) being revoked, e.g., `managed-postgresql.editor`.
      * `--subject`: Type and ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to, in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030************`
          * `userAccount:aje8tj79************`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-postgresql/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "REMOVE",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      Where:

      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/postgresql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "REMOVE",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.postgresql.v1.ClusterService.UpdateAccessBindings
      ```

      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security/index.md#roles-list) being assigned, e.g., `managed-postgresql.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).

  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- Terraform {#tf}

  {% note info %}

  To revoke roles for a Managed Service for PostgreSQL cluster, use the `yandex_mdb_postgresql_cluster_iam_binding` resource with the `members` parameter.

  {% endnote %}

  1. Open the current Terraform configuration file describing your infrastructure.

     For more on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Find the description of the resource with the role you want to revoke and delete this description:

     ```hcl
     resource "yandex_mdb_postgresql_cluster_iam_binding" "<local_resource_name>" {
       cluster_id = "<cluster_ID>"
       role       = "<role>"
       members    = ["<subject_type>:<subject_ID>"]
     }
     ```

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

     For more information, see [this Terraform provider guide](../../terraform/resources/mdb_postgresql_cluster_iam_binding.md).

  1. To view a list of roles assigned for the cluster, run this [CLI](../../cli/index.md) command:

     ```bash
     yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
     ```

{% endlist %}

## Examples {#examples}

### Granting cluster management access to a service account {#sa-cluster-control}

For a service account to be able to view the info of all Managed Service for PostgreSQL clusters in the folder but modify the resources in one particular cluster alone, give it the `managed-postgresql.viewer` role for the folder and the `managed-postgresql.editor` role for that cluster:

{% list tabs group=instructions %}

- CLI {#cli}

  1. Assign the role for the folder:

      ```bash
      yc resource-manager folder add-access-binding <folder_name_or_ID> \
        --role managed-postgresql.viewer \
        --subject=serviceAccount:<service_account_ID>
      ```

  1. Assign the roles for the cluster:

      ```bash
      yc managed-postgresql cluster add-access-bindings <cluster_name_or_ID> \
        --access-binding role=managed-postgresql.editor,subject=serviceAccount:<service_account_ID>
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      yc managed-postgresql cluster list-access-bindings <cluster_name_or_ID>
      ```

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Assign the role for the folder:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-postgresql.viewer",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-postgresql/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-postgresql.editor",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings'
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-postgresql/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Assign the role for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-postgresql.viewer",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Assign the role for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/postgresql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-postgresql.editor",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.postgresql.v1.ClusterService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<folder_ID>"
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.ListAccessBindings
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/postgresql/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.postgresql.v1.ClusterService.ListAccessBindings
      ```

- Terraform {#tf}

  1. Open the current Terraform configuration file describing your infrastructure.

     For more on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add resource descriptions:

     ```hcl
     resource "yandex_resourcemanager_folder_iam_member" "mpg-viewer-account-iam" {
       folder_id   = "<folder_ID>"
       role        = "managed-postgresql.viewer"
       member      = "serviceAccount:<service_account_ID>"
     }

     resource "yandex_mdb_postgresql_cluster_iam_binding" "mpg-cluster-api-editor" {
       cluster_id = "<cluster_ID>"
       role       = "managed-postgresql.editor"
       members    = ["serviceAccount:<service_account_ID>"]
     }
     ```

  1. Make sure the configuration files are correct.

     1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
     1. Run this command:
     
        ```bash
        terraform validate
        ```
     
        Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

     1. Run this command to view the planned changes:
     
        ```bash
        terraform plan
        ```
     
        If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
     
     1. If everything looks correct, apply the changes:
        1. Run this command:
     
           ```bash
           terraform apply
           ```
     
        1. Confirm updating the resources.
        1. Wait for the operation to complete.

{% endlist %}