[Yandex Cloud documentation](../../index.md) > [Yandex Managed Service for Sharded PostgreSQL](../index.md) > [Step-by-step guides](index.md) > Managing cluster access

# Managing access to a Managed Service for Sharded PostgreSQL cluster

You can assign a user or service account a [role](../security.md) that grants access to a specific [cluster](../concepts/index.md).

This allows you to issue granular roles to various users and service accounts for access to individual clusters.


{% note warning %}

Take note that apart from the role for access to the cluster, the user also needs the minimum role to view the folder's resources, e.g., [managed-spqr.viewer](../security.md#managed-spqr-viewer) (to view the info about all the folder's clusters) or the primitive [viewer](../../iam/security/index.md#viewer) (to view all the folder's resources).

For example, you can issue the [managed-spqr.viewer](../security.md#managed-spqr-viewer) role for a folder and the [managed-spqr.editor](../security.md#managed-spqr-editor) role for a specific cluster. This will enable the user to view the info about all the folder's clusters while using only one particular cluster.

To manage user view permissions for cluster lists, we recommend using different folders in your cloud.

{% endnote %}


## Getting a list of roles assigned for a cluster {#list-access-bindings}

{% list tabs group=instructions %}

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.ListAccessBindings](../api-ref/Cluster/listAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

  1. View the [server response](../api-ref/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.ListAccessBindings](../api-ref/grpc/Cluster/listAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.spqr.v1.ClusterService.ListAccessBindings
      ```

  1. Check the [server response](../api-ref/grpc/Cluster/listAccessBindings.md#yandex.cloud.access.ListAccessBindingsResponse) to make sure your request was successful.

{% endlist %}

## Assigning a role {#add-access-binding}

{% list tabs group=instructions %}

- Terraform {#tf}

  1. Open the current configuration file with the Managed Service for Sharded PostgreSQL cluster description.

      For information on how to create this file, see [Creating a Sharded PostgreSQL cluster](cluster-create.md).

  1. Add a resource description:

      ```hcl
      resource "yandex_mdb_sharded_postgresql_cluster_iam_binding" "<local_resource_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role>"
        members    = [
          "<subject_type>:<subject_ID>"
        ]
      }
      ```

            
      Where:

      * `cluster_id`: Cluster ID.
      * `role`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `members`: List of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030123a********`
          * `userAccount:ajerq94vab34********`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).


  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.

      For more information, see [this Terraform provider guide](../../terraform/resources/mdb_sharded_postgresql_cluster_iam_binding.md).

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      
      Where:

      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).



  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.spqr.v1.ClusterService.UpdateAccessBindings
      ```
      
      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).
      


  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Assigning multiple roles {#set-access-bindings}

{% list tabs group=instructions %}

- Terraform {#tf}

  1. Open the current Terraform configuration file with the infrastructure plan.

      For information on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add resource descriptions:

      ```hcl
      resource "yandex_mdb_sharded_postgresql_cluster_iam_binding" "<resource_1_local_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role_1>"
        members    = [
          "<subject_type>:<subject_1_ID>",
          "<subject_type>:<subject_2_ID>"
        ]
      }

      resource "yandex_mdb_sharded_postgresql_cluster_iam_binding" "<resource_2_local_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role_2>"
        members    = [
          "<subject_type>:<subject_3_ID>"
        ]
      }
      ```

      
      Where:

      * `cluster_id`: Cluster ID.
      * `role`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `members`: List of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.

          Here is an example:

          * `serviceAccount:aje6p030123a********`
          * `userAccount:ajerq94vab34********`
          * `system:allAuthenticatedUsers`

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).


  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.

      For more information, see [this Terraform provider guide](../../terraform/resources/mdb_sharded_postgresql_cluster_iam_binding.md).

- REST API {#api}

  {% note alert %}

  The `setAccessBindings` method overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.SetAccessBindings](../api-ref/Cluster/setAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>:setAccessBindings' \
        --data '{
                  "accessBindings": [
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_1_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_2_ID>",
                        "type": "<subject_type>"
                      }
                    },
                    ...
                    {
                      "roleId": "<role>",
                      "subject": {
                        "id": "<subject_N_ID>",
                        "type": "<subject_type>"
                      }
                    }
                  ]
                }'
      ```

      
      Where:

      * `accessBindings.roleId`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).



  1. Check the [server response](../api-ref/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  {% note alert %}

  The `ClusterService.SetAccessBindings` method completely overwrites access permissions for the resource. All roles previously assigned for this resource will be deleted.

  {% endnote %}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.SetAccessBindings](../api-ref/grpc/Cluster/setAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "accessBindings": [
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_1_ID>",
                    "type": "<subject_type>"
                  }
                },
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_2_ID>",
                    "type": "<subject_type>"
                  }
                },
                ...
                {
                  "roleId": "<role>",
                  "subject": {
                    "id": "<subject_N_ID>",
                    "type": "<subject_type>"
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.spqr.v1.ClusterService.SetAccessBindings
      ```

      
      Where:

      * `resource_id`: Cluster ID.
      * `accessBindings.roleId`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `accessBindings.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `accessBindings.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).



  1. Check the [server response](../api-ref/grpc/Cluster/setAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Revoking a role {#remove-access-binding}

{% list tabs group=instructions %}

- Terraform {#tf}

  1. Open the current Terraform configuration file with the infrastructure plan.

      For information on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Find the description of the resource with the role you want to revoke and delete this description:

      ```hcl
      resource "yandex_mdb_sharded_postgresql_cluster_iam_binding" "<local_resource_name>" {
        cluster_id = "<cluster_ID>"
        role       = "<role>"
        members    = [
          "<subject_type>:<subject_ID>"
        ]
      }
      ```

  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.

      For more information, see [this Terraform provider guide](../../terraform/resources/mdb_sharded_postgresql_cluster_iam_binding.md).

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "REMOVE",
                      "access_binding": {
                        "role_id": "<role>",
                        "subject": {
                          "id": "<subject_ID>",
                          "type": "<subject_type>"
                        }
                      }
                    }
                  ]
                }'
      ```

      
      Where:

      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).


  1. Check the [server response](../api-ref/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Call the [ClusterService.UpdateAccessBindings](../api-ref/grpc/Cluster/updateAccessBindings.md) method, e.g., via the following [gRPCurl](https://github.com/fullstorydev/grpcurl) request:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "REMOVE",
                  "access_binding": {
                    "role_id": "<role>",
                    "subject": {
                      "id": "<subject_ID>",
                      "type": "<subject_type>"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.spqr.v1.ClusterService.UpdateAccessBindings
      ```

      
      Where:

      * `resource_id`: Cluster ID.
      * `access_binding_deltas.roleId`: [Role](../security.md#roles-list), e.g., `managed-spqr.editor`.
      * `access_binding_deltas.subject.id`: ID of the [subject](../../iam/concepts/access-control/index.md#subject) the role is assigned to.
      * `access_binding_deltas.subject.type`: Type of subject the role is assigned to.

          The possible subject types include:
          
          * `userAccount`: [Yandex account](../../iam/concepts/users/accounts.md#passport) added to Yandex Cloud or an account from a [user pool](../../organization/concepts/user-pools.md).
          * `serviceAccount`: [Service account](../../iam/concepts/users/service-accounts.md) created in Yandex Cloud.
          * `federatedUser`: Account of an [identity federation](../../organization/concepts/add-federation.md) user.
          * `system`: [Public group](../../iam/concepts/access-control/public-group.md) of users.
          
              The possible values of a subject ID are as follows:
          
              * `allAuthenticatedUsers`: [All authenticated users](../../iam/concepts/access-control/public-group.md#allAuthenticatedUsers).
              * `allUsers`: [Any user](../../iam/concepts/access-control/public-group.md#allUsers). No authentication is required.
              * `group:organization:<organization_ID>:users`: All users of the specified [organization](../../organization/concepts/organization.md).
              * `group:federation:<federation_ID>:users`: All users of the specified identity federation.
          
          To learn more about subject types, see [Subject getting the role](../../iam/concepts/access-control/index.md#subject).


  1. Check the [server response](../api-ref/grpc/Cluster/updateAccessBindings.md#yandex.cloud.operation.Operation) to make sure your request was successful.

{% endlist %}

## Examples {#examples}

### Granting cluster management access to a service account {#sa-cluster-control}

For a service account to be able to view the info of all Managed Service for Sharded PostgreSQL clusters in the folder but modify the resources in one particular cluster alone, give it the `managed-spqr.viewer` role for the folder and the `managed-spqr.editor` role for that cluster:

{% list tabs group=instructions %}

- Terraform {#tf}

  1. Open the current Terraform configuration file with the infrastructure plan.

      For information on how to create this file, see [Creating a cluster](cluster-create.md).

  1. Add a resource description:

      ```hcl
      resource "yandex_mdb_sharded_postgresql_cluster_iam_binding" "spqr-cluster-editor" {
        cluster_id = "<cluster_ID>"
        role       = "managed-spqr.editor"
        members    = [
          "serviceAccount:<service_account_ID>"
        ]
      }
      ```

      
      Where:

      * `cluster_id`: Cluster ID.
      * `role`: [Role](../security.md#roles-list).
      * `members`: List of [subjects](../../iam/concepts/access-control/index.md#subject) the role is assigned to in `<subject_type>:<subject_ID>` format.


  1. Make sure the configuration files are correct.

      1. In the command line, navigate to the directory that contains the current Terraform configuration files defining the infrastructure.
      1. Run this command:
      
         ```bash
         terraform validate
         ```
      
         Terraform will show any errors found in your configuration files.

  1. Confirm updating the resources.

      1. Run this command to view the planned changes:
      
         ```bash
         terraform plan
         ```
      
         If you described the configuration correctly, the terminal will display a list of the resources to update and their parameters. This is a verification step that does not apply changes to your resources.
      
      1. If everything looks correct, apply the changes:
         1. Run this command:
      
            ```bash
            terraform apply
            ```
      
         1. Confirm updating the resources.
         1. Wait for the operation to complete.

      For more information, see [this Terraform provider guide](../../terraform/resources/mdb_sharded_postgresql_cluster_iam_binding.md).

- REST API {#api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

      ```bash
      export IAM_TOKEN="<IAM_token>"
      ```

  1. Assign the role for the folder:

      ```bash
      curl \
        --request POST \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-spqr.viewer",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Call the [Cluster.UpdateAccessBindings](../api-ref/Cluster/updateAccessBindings.md) method, e.g., via the following [cURL](https://curl.se/) request:

      ```bash
      curl \
        --request PATCH \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>:updateAccessBindings' \
        --data '{
                  "access_binding_deltas": [
                    {
                      "action": "ADD",
                      "access_binding": {
                        "role_id": "managed-spqr.editor",
                        "subject": {
                          "id": "<service_account_ID>",
                          "type": "serviceAccount"
                        }
                      }
                    }
                  ]
                }'
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://resource-manager.api.cloud.yandex.net/resource-manager/v1/folders/<folder_ID>:listAccessBindings'
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      curl \
        --request GET \
        --header "Authorization: Bearer $IAM_TOKEN" \
        --header "Content-Type: application/json" \
        --url 'https://mdb.api.cloud.yandex.net/managed-spqr/v1/clusters/<cluster_ID>:listAccessBindings'
      ```

- gRPC API {#grpc-api}

  1. [Get an IAM token for API authentication](../api-ref/authentication.md) and put it into an environment variable:

     ```bash
     export IAM_TOKEN="<IAM_token>"
     ```

  1. Clone the [cloudapi](https://github.com/yandex-cloud/cloudapi) repository:
     
     ```bash
     cd ~/ && git clone --depth=1 https://github.com/yandex-cloud/cloudapi
     ```
     
     Below, we assume that the repository contents reside in the `~/cloudapi/` directory.
  1. Assign the role for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<folder_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-spqr.viewer",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Assign the role for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>",
              "access_binding_deltas": [
                {
                  "action": "ADD",
                  "access_binding": {
                    "role_id": "managed-spqr.editor",
                    "subject": {
                      "id": "<service_account_ID>",
                      "type": "serviceAccount"
                    }
                  }
                }
              ]
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.spqr.v1.ClusterService.UpdateAccessBindings
      ```

      `access_binding_deltas.subject.id`: ID of the service account the role is assigned to.

  1. Check the list of roles assigned for the folder:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/resourcemanager/v1/folder_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<folder_ID>"
            }' \
        resource-manager.api.cloud.yandex.net:443 \
        yandex.cloud.resourcemanager.v1.FolderService.ListAccessBindings
      ```

  1. Check the list of roles assigned for the cluster:

      ```bash
      grpcurl \
        -format json \
        -import-path ~/cloudapi/ \
        -import-path ~/cloudapi/third_party/googleapis/ \
        -proto ~/cloudapi/yandex/cloud/mdb/spqr/v1/cluster_service.proto \
        -rpc-header "Authorization: Bearer $IAM_TOKEN" \
        -d '{
              "resource_id": "<cluster_ID>"
            }' \
        mdb.api.cloud.yandex.net:443 \
        yandex.cloud.mdb.spqr.v1.ClusterService.ListAccessBindings
      ```

{% endlist %}