Contact usConsole
© 2023 Nebius Israel Ltd
Container Registry

Assigning a role for a resource

To provide access to a resource, assign a user a role to the resource itself or a resource from which access privileges are inherited, such as a folder or a cloud. For more information, see How access management works in Nebius Israel.

  1. In the management console, select the folder where you wish to assign a role for a resource.
  2. In the list of services, select Container Registry.
  3. Assign a role for the resource.
    • Assigning roles for a registry:
      1. To the right of the desired registry name, click and select Registry ACL.
      2. In the resulting window, select a group, a user, or a service account and click Add.
      3. In the Permissions drop-down list, select the desired roles.
      4. Click Save.
    • Assigning roles for a repository:
      1. Select the desired repository.
      2. To the right of the repository name, click and select Configure ACL.
      3. In the resulting window, select a group a user, or a service account and click Add.
      4. In the Permissions drop-down list, select the desired roles.
      5. Click Save.

If you don't have the Nebius Israel command line interface yet, install and initialize it.

The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.

  1. Choose a role from the list.

  2. Assign the role:

    • To add the role to the existing permissions, run the command:

      yc <service name> <resource> add-access-binding <resource name>|<resource id> \
  --role <role id> \
  --subject federatedAccount:<user id>

    • To add the role and delete all the existing permissions, run the command:

      yc <service name> <resource> set-access-bindings <resource name>|<resource id> \
  --role <role id> \
  --subject federatedAccount:<user id>

    Where:

    • <service name>: Name of a container service.
    • <resource>: Category of the resource (registry or repository).
    • <resource name>: Name of the resource that the role is assigned for. You can specify a resource by its name or ID.
    • <resource id>: ID of the resource that the role is assigned for.
    • <role id>: ID of the role.
    • <user id>: ID of the group, user, or service account that is assigned the role.

    Example. Add the role container-registry.admin for the registry with the ID crp0pmf1n68dh715tf02 to the user with the ID kolhpriseeioo9dc3v24:

    yc container registry add-access-binding crp0pmf1n68dh715tf02 \
  --role container-registry.admin \
  --subject federatedAccount:kolhpriseeioo9dc3v24

Use the method updateAccessBindings for the resources registry and repository.

If you don't have Terraform, install it and configure the provider Nebius Israel.

  1. Describe in a configuration file:

    • The parameters of the yandex_container_registry_iam_binding resource to assign a role to the registry:

      • registry_id: ID of the registry to which a role is being assigned. You can retrieve the registry ID from the folder registry list.
      • role: Role ID.
      • members: ID of the user, group, or service account the role is being assigned to.

      Example configuration file structure:

      resource "yandex_container_registry_iam_binding" "puller" {
  registry_id = "<registry id>"
  role        = "<role id>"

  members = [
    "federatedAccount:<user id>",
 ]
}

      For more information about the yandex_container_registry_iam_binding resource, see the provider documentation.

    • yandex_container_repository_iam_binding resource parameters to assign a role to a repository:

      • repository_id: ID of the repository to which a role is being assigned.
      • role: Role ID.
      • members: ID of the user, group, or service account the role is being assigned to.

      Example configuration file structure:

      resource "yandex_container_repository_iam_binding" "pusher" {
  repository_id = "<repository id>"
  role          = "<role id>"

  members = [
    "federatedAccount:<user id>",
 ]
}

      For more information about the yandex_container_repository_iam_binding resource, see the provider documentation.

  2. Run the check using the command:

    terraform plan

    The terminal will display a list of resources with parameters. This is a test step. No resources are created. If the configuration contain errors, Terraform will point them out.

    Alert

    You will be charged for all the resources created with Terraform. Check the plan carefully.

  3. Apply the configuration changes:

    terraform apply

  4. Confirm the resource change: enter yes in the terminal window and press Enter.

    You can check that the role has been assigned using the management console or the Nebius Israel CLI command:

    • Registry:

      yc container registry list-access-bindings <registry id>/<registry name>

    • Repository:

      yc container repository list-access-bindings <repository id>/<repository name>

Read more about role management in the Identity and Access Management documentation.