# How to add accounts to groups

To grant users and service accounts access to the tenant's resources, add them to one of the [groups](/iam/authorization/groups).

## Prerequisites

<Tabs>
  <Tab title="Web console">
    Make sure you are in a [group](/iam/authorization/groups/index) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.
  </Tab>

  <Tab title="CLI">
    1. Make sure you are in a [group](/iam/authorization/groups/index) that has the `admin` role within your tenant; for example, the default `admins` group. You can check this in the [Administration → IAM](https://console.nebius.com/iam) section of the web console.

    2. [Install](../../../cli/install) and [configure](../../../cli/configure) the Nebius AI Cloud CLI.

    3. Check that your project ID is saved in the Nebius AI Cloud CLI profile configuration:
       ```bash theme={null}
       cat ~/.nebius/config.yaml
       ```

    4. Install `jq` to extract IDs and tokens from the JSON data returned by the Nebius AI Cloud CLI:

           <CodeGroup>
             ```bash Ubuntu theme={null}
             sudo apt-get install jq
             ```

             ```bash macOS theme={null}
             brew install jq
             ```
           </CodeGroup>

    5. In the [web console](https://console.nebius.com), go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM**.

    6. If the group was created in a tenant, [get the tenant ID](/iam/get-tenants#cli) and save it to an environment variable:

       ```bash theme={null}
       export TENANT_ID=<tenant_ID>
       ```

    7. If the group was created in a project, [get the project ID](/iam/manage-projects#cli-3) and save it to an environment variable:

       ```bash theme={null}
       export PROJECT_ID=<project_ID>
       ```

    8. Get the relevant group ID and save it to an environment variable:

       ```bash theme={null}
       export GROUP_ID=$(nebius iam group get-by-name \
         --name <group_name> \
         --parent-id <$TENANT_ID|$PROJECT_ID> \
         --format json \
         | jq -r ".metadata.id")
       ```
  </Tab>
</Tabs>

## Add a user account

<Tabs>
  <Tab title="Web console">
    To add a user to a group:

    1. In the sidebar, go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM**.
    2. On the **Groups** tab, click the group you want to add a user to.
    3. Click **Add members**.
    4. In the window that opens, find the user you want to add to the group and click <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/plus.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=7c9efc69d65fc58db0eb73702fd81aa1" width="16" height="16" data-path="_assets/plus.svg" /> **Add** next to their name.
  </Tab>

  <Tab title="CLI">
    To add a user to a group via the Nebius AI Cloud CLI, you must have their email address.

    1. Save the user's email address to an environment variable:

       ```bash theme={null}
       export USER_EMAIL=<user_email>
       ```

    2. Get the user account's ID and save it to an environment variable:

       ```bash theme={null}
       export USER_ID=$(nebius iam tenant-user-account-with-attributes list \
         --parent-id "$TENANT_ID" \
         --format json | jq -r --arg user_email "$USER_EMAIL" \
         '.items[] | select(.attributes.email == $user_email)
         | .tenant_user_account.metadata.id')
       ```

    3. To add the user account to the group, set up its membership:

       ```bash theme={null}
       nebius iam group-membership create \
         --parent-id "$GROUP_ID" \
         --member-id "$USER_ID"
       ```

    4. Check that the account has appeared in the group:

       ```bash theme={null}
       nebius iam group-membership list-members \
         --parent-id "$GROUP_ID" | grep "$USER_ID"
       ```
  </Tab>
</Tabs>

## Add a service account

<Tabs>
  <Tab title="Web console">
    To add a service account to a group:

    1. In the sidebar, go to <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/sidebar/administration.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=e6411dc023fd6972922c0a12a59ccf21" width="16" height="16" data-path="_assets/sidebar/administration.svg" /> **Administration** → **IAM**.
    2. On the **Groups** tab, click the group you want to add a service account to.
    3. Click **Add members**.
    4. In the window that opens, switch to the **Service accounts** tab.
    5. Find the service account you want to add to the group and click <Icon icon="https://mintcdn.com/nebius-ai-cloud/1Ha0sWR6e1mnIaHS/_assets/plus.svg?fit=max&auto=format&n=1Ha0sWR6e1mnIaHS&q=85&s=7c9efc69d65fc58db0eb73702fd81aa1" width="16" height="16" data-path="_assets/plus.svg" /> **Add** next to its name.
  </Tab>

  <Tab title="CLI">
    To add a service account to a group via the Nebius AI Cloud CLI, you must have its name.

    1. Get the service account's ID and save it to an environment variable:

       ```bash theme={null}
       export SA_ID=$(nebius iam service-account get-by-name \
         --name <service_account_name> \
         --format json \
         | jq -r ".metadata.id")
       ```

    2. Set up the account membership in the group:

       ```bash theme={null}
       nebius iam group-membership create \
         --parent-id "$GROUP_ID" \
         --member-id "$SA_ID"
       ```

    3. Check that the account has appeared in the group:

       ```bash theme={null}
       nebius iam group-membership list-members \
         --parent-id "$GROUP_ID" | grep "$SA_ID"
       ```

    If you don't know the name of the service account:

    1. View all service accounts for your project:

       ```bash theme={null}
       nebius iam service-account list
       ```

    2. Get the service account's ID and save it to an environment variable. If the required service account is not the first item in the output of the previous command, change the index in `.items[0].metadata.id`:

       ```bash theme={null}
       export SA_ID=$(nebius iam service-account list \
         --format json \
         | jq -r ".items[0].metadata.id")
       ```

    3. Set up the account membership in the group:

       ```bash theme={null}
       nebius iam group-membership create \
         --parent-id "$GROUP_ID" \
         --member-id "$SA_ID"
       ```

    4. Check that the new account has appeared in the group:

       ```bash theme={null}
       nebius iam group-membership list-members \
         --parent-id "$GROUP_ID" | grep "$SA_ID"
       ```
  </Tab>
</Tabs>
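
The ID lookups in the CLI steps for user accounts and service accounts feed directly into `group-membership create`, so an empty, `null` or duplicate match should stop the procedure before any access is granted. The following is an added example, not part of the Nebius documentation: a guard that accepts a lookup only when it yields exactly one ID. The function names and the sample JSON are constructed; the JSON contains only the fields that the `jq` filter in the user account steps reads.

```bash
#!/usr/bin/env bash
# Added example; function names and sample data are constructed, not Nebius code.

# Constructed sample with the fields the page's jq filter reads.
SAMPLE_USERS='{"items":[
  {"attributes":{"email":"alice@example.com"},
   "tenant_user_account":{"metadata":{"id":"tenantuseraccount-aaa"}}},
  {"attributes":{"email":"bob@example.com"},
   "tenant_user_account":{"metadata":{"id":"tenantuseraccount-bbb"}}},
  {"attributes":{"email":"bob@example.com"},
   "tenant_user_account":{"metadata":{"id":"tenantuseraccount-ccc"}}}
]}'

# require_single_id <label>: read candidate IDs from stdin, one per line.
# Prints the ID and returns 0 only when exactly one usable value is present;
# empty output and jq's literal "null" (missing field) are rejected.
require_single_id() {
  local label=$1 ids count
  ids=$(grep -v -e '^$' -e '^null$' || true)
  count=$(printf '%s' "$ids" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "refusing to continue: $label resolved to $count IDs" >&2
    return 1
  fi
  printf '%s\n' "$ids"
}

# user_id_by_email <email>: the page's jq filter over list JSON on stdin,
# followed by the guard. Zero or duplicate matches return non-zero.
user_id_by_email() {
  jq -r --arg user_email "$1" \
    '.items[] | select(.attributes.email == $user_email)
     | .tenant_user_account.metadata.id' \
    | require_single_id "email $1"
}

# Usage with the page's commands. Assign first, export afterwards:
# `export VAR=$(...)` hides the exit status of the lookup.
#   USER_ID=$(nebius iam tenant-user-account-with-attributes list \
#     --parent-id "$TENANT_ID" --format json \
#     | user_id_by_email "$USER_EMAIL") || exit 1
#   SA_ID=$(nebius iam service-account get-by-name \
#     --name <service_account_name> --format json \
#     | jq -r '.metadata.id' | require_single_id "service account") || exit 1
```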
