author | alexv-smirnov <alex@ydb.tech> | 2022-10-26 13:52:29 +0300 |
---|---|---|
committer | alexv-smirnov <alex@ydb.tech> | 2022-10-26 13:52:29 +0300 |
commit | 5e7625c7515775f88c42a8581489fb9efc993c3d (patch) | |
tree | 5940edb2a775c82d73088fe09cbc6a9f7b1aef89 | |
parent | 2506981241ce7508b4cf18d5bc5007cdd102e18b (diff) | |
download | ydb-5e7625c7515775f88c42a8581489fb9efc993c3d.tar.gz |
ydb/public/api/client/yc_private
21 files changed, 992 insertions, 0 deletions
diff --git a/ydb/public/api/client/CMakeLists.txt b/ydb/public/api/client/CMakeLists.txt
index 8aae0f5e9d7..7ab3660dae6 100644
--- a/ydb/public/api/client/CMakeLists.txt
+++ b/ydb/public/api/client/CMakeLists.txt
@@ -6,4 +6,5 @@
 # original buildsystem will not be accepted.
+add_subdirectory(yc_private)
 add_subdirectory(yc_public)
diff --git a/ydb/public/api/client/yc_private/CMakeLists.txt b/ydb/public/api/client/yc_private/CMakeLists.txt
new file mode 100644
index 00000000000..141f8a5cb21
--- /dev/null
+++ b/ydb/public/api/client/yc_private/CMakeLists.txt
@@ -0,0 +1,12 @@
+
+# This file was gererated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+add_subdirectory(iam)
+add_subdirectory(operation)
+add_subdirectory(resourcemanager)
+add_subdirectory(servicecontrol)
diff --git a/ydb/public/api/client/yc_private/iam/CMakeLists.txt b/ydb/public/api/client/yc_private/iam/CMakeLists.txt
new file mode 100644
index 00000000000..f0d86ee847d
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/CMakeLists.txt
@@ -0,0 +1,51 @@
+
+# This file was gererated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(client-yc_private-iam)
+set_property(TARGET client-yc_private-iam PROPERTY
+ PROTOC_EXTRA_OUTS .grpc.pb.cc .grpc.pb.h
+)
+target_link_libraries(client-yc_private-iam PUBLIC
+ contrib-libs-cxxsupp
+ yutil
+ contrib-libs-grpc
+ contrib-libs-googleapis-common-protos
+ client-yc_private-operation
+ contrib-libs-protobuf
+)
+target_proto_messages(client-yc_private-iam PRIVATE
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/iam_token_service_subject.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/iam_token_service.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/iam_token.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/oauth_request.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/reference.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/service_account_service.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/service_account.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/user_account_service.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/user_account.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/iam/yandex_passport_cookie.proto
+)
+target_proto_addincls(client-yc_private-iam
+ ./
+ ${CMAKE_SOURCE_DIR}/
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/googleapis-common-protos
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+)
+target_proto_outs(client-yc_private-iam
+ --cpp_out=${CMAKE_BINARY_DIR}/
+ --cpp_styleguide_out=${CMAKE_BINARY_DIR}/
+)
+target_proto_plugin(client-yc_private-iam
+ grpc_cpp
+ grpc_cpp
+)
diff --git a/ydb/public/api/client/yc_private/iam/iam_token.proto b/ydb/public/api/client/yc_private/iam/iam_token.proto
new file mode 100644
index 00000000000..3d7f41f6eb8
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/iam_token.proto
@@ -0,0 +1,10 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1;
+
+import "google/protobuf/timestamp.proto";
+
+message IamToken {
+ string iam_token = 1;
+ google.protobuf.Timestamp expires_at = 2;
+}
diff --git a/ydb/public/api/client/yc_private/iam/iam_token_service.proto b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
new file mode 100644
index 00000000000..74c03d778b7
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/iam_token_service.proto
@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1;
+
+import "google/api/annotations.proto";
+import "google/protobuf/timestamp.proto";
+import "ydb/public/api/client/yc_private/iam/iam_token_service_subject.proto";
+import "ydb/public/api/client/yc_private/iam/yandex_passport_cookie.proto";
+import "ydb/public/api/client/yc_private/iam/oauth_request.proto";
+
+service IamTokenService {
+
+ // method doesn't require auth
+ rpc Create (CreateIamTokenRequest) returns (CreateIamTokenResponse) {
+ option (google.api.http) = { post: "/iam/v1/tokens" body: "*" };
+ }
+
+ // create iam token for service account
+ rpc CreateForServiceAccount (CreateIamTokenForServiceAccountRequest) returns (CreateIamTokenResponse);
+
+ // create iam token for compute instance
+ rpc CreateForComputeInstance (CreateIamTokenForComputeInstanceRequest) returns (CreateIamTokenResponse);
+
+ // create iam token for oauth request
+ rpc CreateForUserAccount (CreateIamTokenForSubjectRequest) returns (CreateIamTokenResponse) {
+ option deprecated = true;
+ }
+
+ // create iam token for oauth request
+ rpc CreateForSubject (CreateIamTokenForSubjectRequest) returns (CreateIamTokenResponse);
+}
+
+message CreateIamTokenRequest {
+ oneof identity {
+ string yandex_passport_oauth_token = 1;
+ string jwt = 2;
+ string iam_cookie = 3;
+ YandexPassportCookies yandex_passport_cookies = 4;
+ }
+}
+
+message CreateIamTokenForSubjectRequest {
+ string subject_id = 1;
+ oauth.v1.OAuthRequest oauth_request = 2;
+ // additional parameters for cross-domain authentication
+ string session_id = 3;
+}
+
+message CreateIamTokenForServiceAccountRequest {
+ string service_account_id = 1;
+}
+
+message CreateIamTokenForComputeInstanceRequest {
+ string service_account_id = 1;
+ string instance_id = 2;
+}
+
+message CreateIamTokenResponse {
+ string iam_token = 1;
+ google.protobuf.Timestamp issued_at = 4;
+ google.protobuf.Timestamp expires_at = 2;
+ ts.Subject subject = 3;
+}
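Review bot: The credential-bearing members of CreateIamTokenRequest (`yandex_passport_oauth_token`, `jwt`, `iam_cookie`, `yandex_passport_cookies`) and `CreateIamTokenResponse.iam_token` carry no comment marking them as secrets, so any DebugString()-style logging of these messages in the generated C++ client would print the raw credentials. A comment on the `identity` oneof such as `// Secret credential material: never log or persist this message in clear text.` and the same on `iam_token` in the response would make the handling expectation explicit. The comment on the deprecated CreateForUserAccount is a copy of CreateForSubject's and does not name the replacement; `// Deprecated: use CreateForSubject.` is more useful than the duplicated `// create iam token for oauth request`.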
diff --git a/ydb/public/api/client/yc_private/iam/iam_token_service_subject.proto b/ydb/public/api/client/yc_private/iam/iam_token_service_subject.proto
new file mode 100644
index 00000000000..d057081460f
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/iam_token_service_subject.proto
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1.ts;
+
+message Subject {
+ oneof type {
+ UserAccount user_account = 1;
+ ServiceAccount service_account = 2;
+ }
+
+ message UserAccount {
+ string id = 1;
+ }
+
+ message ServiceAccount {
+ string id = 1;
+ }
+}
diff --git a/ydb/public/api/client/yc_private/iam/oauth_request.proto b/ydb/public/api/client/yc_private/iam/oauth_request.proto
new file mode 100644
index 00000000000..cfaaec65b3f
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/oauth_request.proto
@@ -0,0 +1,12 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.oauth.v1;
+
+option java_outer_classname = "OAuthModel";
+
+// OAuth request
+message OAuthRequest {
+ // client_id
+ string client_id = 1;
+ repeated string scopes = 3;
+}
diff --git a/ydb/public/api/client/yc_private/iam/reference.proto b/ydb/public/api/client/yc_private/iam/reference.proto
new file mode 100644
index 00000000000..5cf61ed031c
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/reference.proto
@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.reference;
+
+message Reference {
+ enum Type {
+ TYPE_UNSPECIFIED = 0;
+ MANAGED_BY = 1;
+ USED_BY = 2;
+ }
+ Referrer referrer = 1;
+ Type type = 2;
+}
+
+message Referrer {
+ // * `type = compute.instance, id = <instance id>`
+ // * `type = compute.instanceGroup, id = <instanceGroup id>`
+ // * `type = loadbalancer.networkLoadBalancer, id = <networkLoadBalancer id>`
+ // * `type = managed-kubernetes.cluster, id = <cluster id>`
+ // * `type = managed-mysql.cluster, id = <cluster id>`
+ string type = 1;
+ string id = 2;
+}
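Review bot: In oauth_request.proto, OAuthRequest goes from `client_id = 1` straight to `scopes = 3` without reserving field 2, so a later addition can silently reuse a number that presumably once carried data on the wire. If field 2 was removed, `reserved 2;` inside the message makes protoc reject a new field with that number. The `// client_id` comment on `client_id` only repeats the field name; a sentence saying what identifies the client (the registered OAuth client id, if that is what it is) would be worth more. iam_token_service_subject.proto and reference.proto on this line raise nothing.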
diff --git a/ydb/public/api/client/yc_private/iam/service_account.proto b/ydb/public/api/client/yc_private/iam/service_account.proto
new file mode 100644
index 00000000000..3b2f7c39768
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/service_account.proto
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1;
+
+import "google/protobuf/timestamp.proto";
+
+message ServiceAccount {
+
+ string id = 1;
+ string folder_id = 2;
+
+ google.protobuf.Timestamp created_at = 3;
+
+ string name = 4;
+ string description = 5;
+ map<string, string> labels = 6;
+}
diff --git a/ydb/public/api/client/yc_private/iam/service_account_service.proto b/ydb/public/api/client/yc_private/iam/service_account_service.proto
new file mode 100644
index 00000000000..5b54113b4ec
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/service_account_service.proto
@@ -0,0 +1,138 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1;
+
+import "google/api/annotations.proto";
+import "google/protobuf/field_mask.proto";
+import "ydb/public/api/client/yc_private/iam/iam_token.proto";
+import "ydb/public/api/client/yc_private/iam/service_account.proto";
+//import "ydb/public/api/client/yc_private/access/access.proto";
+import "ydb/public/api/client/yc_private/operation/operation.proto";
+import "ydb/public/api/client/yc_private/iam/reference.proto";
+
+service ServiceAccountService {
+ rpc Get (GetServiceAccountRequest) returns (ServiceAccount) {
+ option (google.api.http) = { get: "/iam/v1/serviceAccounts/{service_account_id}" };
+ }
+
+ rpc List (ListServiceAccountsRequest) returns (ListServiceAccountsResponse) {
+ option (google.api.http) = { get: "/iam/v1/serviceAccounts" };
+ }
+
+ rpc Create (CreateServiceAccountRequest) returns (ydb.yc.priv.operation.Operation) {
+ option (google.api.http) = { post: "/iam/v1/serviceAccounts" body: "*" };
+ }
+
+ rpc Update (UpdateServiceAccountRequest) returns (ydb.yc.priv.operation.Operation) {
+ option (google.api.http) = { patch: "/iam/v1/serviceAccounts/{service_account_id}" body: "*" };
+ }
+
+ rpc Delete (DeleteServiceAccountRequest) returns (ydb.yc.priv.operation.Operation) {
+ option (google.api.http) = { delete: "/iam/v1/serviceAccounts/{service_account_id}" };
+ }
+
+ //access
+
+ rpc ListOperations (ListServiceAccountOperationsRequest) returns (ListServiceAccountOperationsResponse) {
+ option (google.api.http) = { get: "/iam/v1/serviceAccounts/{service_account_id}/operations" };
+ }
+
+ rpc IssueToken (IssueTokenRequest) returns (IamToken) {
+ option (google.api.http) = { post: "/iam/v1/serviceAccounts/{service_account_id}:issueToken" body: "*" };
+ }
+
+ rpc ListReferences (ListServiceAccountReferencesRequest) returns (ListServiceAccountReferencesResponse);
+
+ rpc UpdateReferences (UpdateServiceAccountReferencesRequest) returns (ydb.yc.priv.operation.Operation);
+}
+
+message GetServiceAccountRequest {
+ string service_account_id = 1;
+}
+
+message ListServiceAccountsRequest {
+ string folder_id = 1;
+ int64 page_size = 2;
+ string page_token = 3;
+ string filter = 4;
+}
+
+message ListServiceAccountsResponse {
+ repeated ServiceAccount service_accounts = 1;
+ string next_page_token = 2;
+}
+
+message CreateServiceAccountRequest {
+ string folder_id = 1;
+ string name = 2;
+ string description = 3;
+ string id = 4;
+ map<string, string> labels = 5;
+
+ repeated reference.Reference references = 100;
+}
+
+message CreateServiceAccountMetadata {
+ string service_account_id = 1;
+}
+
+message UpdateServiceAccountRequest {
+ string service_account_id = 1;
+ google.protobuf.FieldMask update_mask = 2;
+
+ string name = 3;
+ string description = 4;
+ map<string, string> labels = 5;
+}
+
+message UpdateServiceAccountMetadata {
+ string service_account_id = 1;
+}
+
+message DeleteServiceAccountRequest {
+ string service_account_id = 1;
+}
+
+message DeleteServiceAccountMetadata {
+ string service_account_id = 1;
+}
+
+message ListServiceAccountOperationsRequest {
+ string service_account_id = 1;
+ int64 page_size = 2;
+ string page_token = 3;
+}
+
+message ListServiceAccountOperationsResponse {
+ repeated ydb.yc.priv.operation.Operation operations = 1;
+ string next_page_token = 2;
+}
+
+message IssueTokenRequest {
+ string service_account_id = 1;
+ string instance_id = 2;
+}
+
+message ListServiceAccountReferencesRequest {
+ string service_account_id = 1;
+ int64 page_size = 2;
+ string page_token = 3;
+}
+
+message ListServiceAccountReferencesResponse {
+ repeated reference.Reference references = 1;
+ string next_page_token = 2;
+}
+
+message UpdateServiceAccountReferencesRequest {
+ string service_account_id = 1;
+ repeated reference.Reference reference_additions = 2;
+ repeated reference.Reference reference_deletions = 3;
+}
+
+message UpdateServiceAccountReferencesResponse {
+}
+
+message UpdateServiceAccountReferencesMetadata {
+ string service_account_id = 1;
+}
diff --git a/ydb/public/api/client/yc_private/iam/user_account.proto b/ydb/public/api/client/yc_private/iam/user_account.proto
new file mode 100644
index 00000000000..2c3f54be313
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/user_account.proto
@@ -0,0 +1,40 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1;
+
+message UserAccount {
+ string id = 1;
+ oneof user_account {
+ YandexPassportUserAccount yandex_passport_user_account = 2;
+ SamlUserAccount saml_user_account = 3;
+ OAuthUserAccount oauth_user_account = 4;
+ }
+}
+
+message YandexPassportUserAccount {
+ string login = 1;
+ string default_email = 2;
+}
+
+// A SAML federated user.
+// For more information, see [federations](/docs/iam/concepts/users/saml-federations).
+message SamlUserAccount {
+ message Attribute {
+ repeated string value = 1;
+ }
+ // ID of the federation that the user belongs to.
+ string federation_id = 1;
+ // Name Id of the SAML federated user.
+ // The name is unique within the federation. 1-256 characters long.
+ string name_id = 2;
+ // Additional attributes of the SAML federated user.
+ map <string, Attribute> attributes = 3;
+}
+
+// A OAuth federated user.
+message OAuthUserAccount {
+ // ID of the federation that the user belongs to.
+ string federation_id = 1;
+ // Federated user claims.
+ map <string, string> claims = 2;
+}
diff --git a/ydb/public/api/client/yc_private/iam/user_account_service.proto b/ydb/public/api/client/yc_private/iam/user_account_service.proto
new file mode 100644
index 00000000000..e817a0ab9a5
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/user_account_service.proto
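Review bot: In service_account_service.proto the commented-out `//import "ydb/public/api/client/yc_private/access/access.proto";` and the bare `//access` placeholder inside ServiceAccountService are dead markers in a brand-new file; either drop them or turn the placeholder into a statement of intent such as `// Access-binding RPCs are intentionally omitted from this client copy.` IssueToken returns an IamToken, which is a bearer credential, yet neither the rpc nor IssueTokenRequest documents what `instance_id` is for or that the response must be handled as a secret; `// Issues a short-lived IAM token for the service account; the returned token is a bearer credential and must not be logged.` would cover that. CreateServiceAccountRequest.id lets the caller choose the new account's id, which is unusual for a Create request; if that is meant for migration or tests, a comment should say so.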
@@ -0,0 +1,95 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1;
+
+import "google/api/annotations.proto";
+import "google/protobuf/timestamp.proto";
+import "ydb/public/api/client/yc_private/operation/operation.proto";
+import "ydb/public/api/client/yc_private/iam/user_account.proto";
+
+service UserAccountService {
+ rpc Get (GetUserAccountRequest) returns (UserAccount) {
+ option (google.api.http) = { get: "/iam/v1/userAccounts/{user_account_id}" };
+ }
+
+ rpc Delete (DeleteUserAccountRequest) returns (ydb.yc.priv.operation.Operation);
+
+ rpc GetSettings (GetSettingsRequest) returns (UserSettings);
+
+ rpc UpdateSettings (UpdateSettingsRequest) returns (UserSettings);
+
+ rpc PresignUrl(PresignUrlRequest) returns (PresignUrlResponse);
+}
+
+message GetUserAccountRequest {
+ string user_account_id = 1;
+}
+
+message DeleteUserAccountRequest {
+ string subject_id = 1;
+}
+
+message DeleteUserAccountMetadata {
+ string subject_id = 1;
+}
+
+message GetSettingsRequest {
+ // Empty list means full settings.
+ repeated string response_json_path = 1;
+ // Optional - get specified subject user settings. By default equals to authenticated subject.
+ string subject_id = 2;
+}
+
+message UserSettings {
+ // JSON-serialized user-settings.
+ string json = 1;
+}
+
+message UpdateSettingsRequest {
+ // Empty list means full settings.
+ repeated string response_json_path = 1;
+ // Serialized JSON Patch (https://tools.ietf.org/html/rfc6902).
+ string json_patch = 2;
+ // Optional - update specified subject user settings. By default equals to authenticated subject.
+ string subject_id = 3;
+}
+
+message PresignUrlRequest {
+ string subject_id = 1;
+ // The formatted string to sign, see https://docs.aws.amazon.com/general/latest/gr/sigv4-create-string-to-sign.html
+ repeated string strings_to_sign = 2;
+
+ oneof parameters {
+ Version2Parameters v2_parameters = 4;
+ Version4Parameters v4_parameters = 5;
+ }
+
+ // https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html
+ message Version2Parameters {
+ SignatureMethod signature_method = 1;
+
+ enum SignatureMethod {
+ SIGNATURE_METHOD_UNSPECIFIED = 0;
+ HMAC_SHA1 = 1;
+ HMAC_SHA256 = 2;
+ }
+ }
+
+ // https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
+ message Version4Parameters {
+ google.protobuf.Timestamp signed_at = 1;
+ string service = 2;
+ string region = 3;
+ }
+
+}
+
+message PresignUrlResponse {
+ string access_key_id = 1;
+ repeated SignedString signed_strings = 2;
+}
+
+message SignedString {
+ string string_to_sign = 1;
+ string signature = 2;
+}
diff --git a/ydb/public/api/client/yc_private/iam/yandex_passport_cookie.proto b/ydb/public/api/client/yc_private/iam/yandex_passport_cookie.proto
new file mode 100644
index 00000000000..5f6e2110179
--- /dev/null
+++ b/ydb/public/api/client/yc_private/iam/yandex_passport_cookie.proto
@@ -0,0 +1,9 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.iam.v1;
+
+message YandexPassportCookies {
+ string session_id = 1;
+ string ssl_session_id = 2;
+ string host = 3;
+}
diff --git a/ydb/public/api/client/yc_private/operation/CMakeLists.txt b/ydb/public/api/client/yc_private/operation/CMakeLists.txt
new file mode 100644
index 00000000000..e528cdf4d52
--- /dev/null
+++ b/ydb/public/api/client/yc_private/operation/CMakeLists.txt
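Review bot: PresignUrlRequest.subject_id has no comment, while GetSettingsRequest.subject_id and UpdateSettingsRequest.subject_id both state that the field defaults to the authenticated subject; because PresignUrl returns signatures bound to that subject's access key, whether a caller may name another subject here matters for authorization and should be documented the same way, e.g. `// Optional - sign on behalf of the specified subject. By default equals to authenticated subject.` if that is the intended semantics. PresignUrlRequest.Version2Parameters and Version4Parameters duplicate the nested types of AccessKeySignature in servicecontrol/access_service.proto, so the two SignatureMethod enums can drift apart; a comment naming the counterpart, or reusing it, would help. The `rpc PresignUrl(PresignUrlRequest)` line also drops the space before the parenthesis that every other rpc in these files uses.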
@@ -0,0 +1,41 @@
+
+# This file was gererated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(client-yc_private-operation)
+set_property(TARGET client-yc_private-operation PROPERTY
+ PROTOC_EXTRA_OUTS .grpc.pb.cc .grpc.pb.h
+)
+target_link_libraries(client-yc_private-operation PUBLIC
+ contrib-libs-cxxsupp
+ yutil
+ contrib-libs-grpc
+ contrib-libs-googleapis-common-protos
+ contrib-libs-protobuf
+)
+target_proto_messages(client-yc_private-operation PRIVATE
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/operation/operation.proto
+)
+target_proto_addincls(client-yc_private-operation
+ ./
+ ${CMAKE_SOURCE_DIR}/
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/googleapis-common-protos
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+)
+target_proto_outs(client-yc_private-operation
+ --cpp_out=${CMAKE_BINARY_DIR}/
+ --cpp_styleguide_out=${CMAKE_BINARY_DIR}/
+)
+target_proto_plugin(client-yc_private-operation
+ grpc_cpp
+ grpc_cpp
+)
diff --git a/ydb/public/api/client/yc_private/operation/operation.proto b/ydb/public/api/client/yc_private/operation/operation.proto
new file mode 100644
index 00000000000..ab6bb4d60a1
--- /dev/null
+++ b/ydb/public/api/client/yc_private/operation/operation.proto
@@ -0,0 +1,24 @@
+syntax = "proto3";
+
+package ydb.yc.priv.operation;
+
+import "google/protobuf/any.proto";
+import "google/rpc/status.proto";
+import "google/protobuf/timestamp.proto";
+
+message Operation {
+ string id = 1;
+ string description = 2; // ex: Create VM, Stop VM, Delete Disk, Snapshot Disk, etc
+ google.protobuf.Timestamp created_at = 3;
+ string created_by = 4;
+ google.protobuf.Timestamp modified_at = 5;
+
+ bool done = 6;
+
+ google.protobuf.Any metadata = 7;
+
+ oneof result {
+ google.rpc.Status error = 8; // for error and cancellation
+ google.protobuf.Any response = 9; // for 'Create/Update' should contain entity
+ }
+}
diff --git a/ydb/public/api/client/yc_private/resourcemanager/CMakeLists.txt b/ydb/public/api/client/yc_private/resourcemanager/CMakeLists.txt
new file mode 100644
index 00000000000..b6b43d38d2d
--- /dev/null
+++ b/ydb/public/api/client/yc_private/resourcemanager/CMakeLists.txt
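Review bot: The package `ydb.yc.priv.operation` in operation.proto departs from the `yandex.cloud.priv.*` naming used by every other proto in this commit, and each referencing file has to spell out `ydb.yc.priv.operation.Operation` in its rpc signatures. If the divergent package is deliberate (for instance to avoid a clash with an existing `yandex.cloud.priv.operation` package when both are linked into one binary), a one-line comment above the package statement should say so; otherwise aligning it with the other files would be cleaner. The trailing comments on the `result` oneof describe the contract loosely; `// set when the operation failed or was cancelled` on `error` and `// set on success; for Create/Update it holds the resulting entity` on `response` read more precisely.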
@@ -0,0 +1,44 @@
+
+# This file was gererated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(client-yc_private-resourcemanager)
+set_property(TARGET client-yc_private-resourcemanager PROPERTY
+ PROTOC_EXTRA_OUTS .grpc.pb.cc .grpc.pb.h
+)
+target_link_libraries(client-yc_private-resourcemanager PUBLIC
+ contrib-libs-cxxsupp
+ yutil
+ contrib-libs-grpc
+ contrib-libs-googleapis-common-protos
+ client-yc_private-operation
+ client-yc_private-servicecontrol
+ contrib-libs-protobuf
+)
+target_proto_messages(client-yc_private-resourcemanager PRIVATE
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/resourcemanager/folder_service.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/resourcemanager/folder.proto
+)
+target_proto_addincls(client-yc_private-resourcemanager
+ ./
+ ${CMAKE_SOURCE_DIR}/
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/googleapis-common-protos
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+)
+target_proto_outs(client-yc_private-resourcemanager
+ --cpp_out=${CMAKE_BINARY_DIR}/
+ --cpp_styleguide_out=${CMAKE_BINARY_DIR}/
+)
+target_proto_plugin(client-yc_private-resourcemanager
+ grpc_cpp
+ grpc_cpp
+)
diff --git a/ydb/public/api/client/yc_private/resourcemanager/folder.proto b/ydb/public/api/client/yc_private/resourcemanager/folder.proto
new file mode 100644
index 00000000000..02eca124c93
--- /dev/null
+++ b/ydb/public/api/client/yc_private/resourcemanager/folder.proto
@@ -0,0 +1,34 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.resourcemanager.v1;
+
+import "google/protobuf/timestamp.proto";
+import "ydb/public/api/client/yc_private/servicecontrol/resource.proto";
+
+message Folder {
+
+ enum Status {
+ STATUS_UNSPECIFIED = 0;
+ ACTIVE = 1;
+ DELETING = 2;
+ reserved "DELETED"; reserved 3;
+ PENDING_DELETION = 4;
+ }
+
+ string id = 1;
+ string cloud_id = 2;
+
+ google.protobuf.Timestamp created_at = 3;
+ string name = 4;
+ string description = 5;
+ map<string, string> labels = 6;
+
+ Status status = 7;
+}
+
+message ResolvedFolder {
+ string id = 1;
+ repeated servicecontrol.v1.Resource resource_path = 2;
+ string cloud_id = 3;
+ string organization_id = 4;
+}
diff --git a/ydb/public/api/client/yc_private/resourcemanager/folder_service.proto b/ydb/public/api/client/yc_private/resourcemanager/folder_service.proto
new file mode 100644
index 00000000000..eda82e1ea16
--- /dev/null
+++ b/ydb/public/api/client/yc_private/resourcemanager/folder_service.proto
@@ -0,0 +1,61 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.resourcemanager.v1.transitional;
+
+import "google/api/annotations.proto";
+import "ydb/public/api/client/yc_private/operation/operation.proto";
+import "ydb/public/api/client/yc_private/resourcemanager/folder.proto";
+
+service FolderService {
+ // TODO no pagination
+ rpc List (ListFoldersRequest) returns (ListFoldersResponse) {
+ option (google.api.http) = { get: "/yrm/v1/folders" };
+ }
+
+ rpc GetStatus (GetFolderStatusRequest) returns (GetFolderStatusResponse) {
+ option (google.api.http) = { get: "/yrm/v1/folder/{folder_id}/status" };
+ }
+
+ rpc SetStatus (SetFolderStatusRequest) returns (SetFolderStatusResponse) {
+ option (google.api.http) = { post: "/yrm/v1/folder/{folder_id}/status" body: "*" };
+ }
+
+ rpc Delete (DeleteFolderRequest) returns (ydb.yc.priv.operation.Operation) {
+ option (google.api.http) = { delete: "/yrm/v1/folders/{folder_id}" };
+ }
+}
+
+message ListFoldersRequest {
+ string id = 1; // TODO repeated ids
+ string name = 2;
+ string cloud_id = 3;
+}
+
+message ListFoldersResponse {
+ repeated yandex.cloud.priv.resourcemanager.v1.Folder result = 1;
+}
+
+message GetFolderStatusRequest {
+ string folder_id = 1;
+}
+
+message GetFolderStatusResponse {
+ string status = 1;
+}
+
+message SetFolderStatusRequest {
+ string folder_id = 1;
+ string status = 2;
+}
+
+message SetFolderStatusResponse {
+ string result = 1;
+}
+
+message DeleteFolderRequest {
+ string folder_id = 1;
+}
+
+message DeleteFolderMetadata {
+ string folder_id = 1;
+}
diff --git a/ydb/public/api/client/yc_private/servicecontrol/CMakeLists.txt b/ydb/public/api/client/yc_private/servicecontrol/CMakeLists.txt
new file mode 100644
index 00000000000..f3d6fe2ae48
--- /dev/null
+++ b/ydb/public/api/client/yc_private/servicecontrol/CMakeLists.txt
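Review bot: SetFolderStatusRequest.status and GetFolderStatusResponse.status in folder_service.proto are free-form strings even though folder.proto defines `Folder.Status` (with `DELETED` reserved), so the schema cannot reject a value outside the enum and the client has no statement of which strings the service accepts. If the string form is required by the transitional API, a comment on both fields listing the accepted values (presumably the Folder.Status names) would at least document the contract. The `// TODO no pagination` on List and `// TODO repeated ids` on ListFoldersRequest.id are useful markers but say nothing about whether an unbounded List is acceptable for this client; one sentence on the expected result size would help a reader.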
@@ -0,0 +1,42 @@
+
+# This file was gererated by the build system used internally in the Yandex monorepo.
+# Only simple modifications are allowed (adding source-files to targets, adding simple properties
+# like target_include_directories). These modifications will be ported to original
+# ya.make files by maintainers. Any complex modifications which can't be ported back to the
+# original buildsystem will not be accepted.
+
+
+
+add_library(client-yc_private-servicecontrol)
+set_property(TARGET client-yc_private-servicecontrol PROPERTY
+ PROTOC_EXTRA_OUTS .grpc.pb.cc .grpc.pb.h
+)
+target_link_libraries(client-yc_private-servicecontrol PUBLIC
+ contrib-libs-cxxsupp
+ yutil
+ contrib-libs-grpc
+ contrib-libs-googleapis-common-protos
+ contrib-libs-protobuf
+)
+target_proto_messages(client-yc_private-servicecontrol PRIVATE
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/servicecontrol/access_service.proto
+ ${CMAKE_SOURCE_DIR}/ydb/public/api/client/yc_private/servicecontrol/resource.proto
+)
+target_proto_addincls(client-yc_private-servicecontrol
+ ./
+ ${CMAKE_SOURCE_DIR}/
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/googleapis-common-protos
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+ ${CMAKE_BINARY_DIR}
+ ${CMAKE_SOURCE_DIR}/contrib/libs/protobuf/src
+)
+target_proto_outs(client-yc_private-servicecontrol
+ --cpp_out=${CMAKE_BINARY_DIR}/
+ --cpp_styleguide_out=${CMAKE_BINARY_DIR}/
+)
+target_proto_plugin(client-yc_private-servicecontrol
+ grpc_cpp
+ grpc_cpp
+)
diff --git a/ydb/public/api/client/yc_private/servicecontrol/access_service.proto b/ydb/public/api/client/yc_private/servicecontrol/access_service.proto
new file mode 100644
index 00000000000..edd8855fa29
--- /dev/null
+++ b/ydb/public/api/client/yc_private/servicecontrol/access_service.proto
@@ -0,0 +1,243 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.servicecontrol.v1;
+
+import "google/protobuf/timestamp.proto";
+import "google/protobuf/any.proto";
+import "google/protobuf/field_mask.proto";
+import "ydb/public/api/client/yc_private/servicecontrol/resource.proto";
+
+service AccessService {
+ // Verify the identity of a subject.
+ //
+ // gRPC error codes
+ //
+ // Ok: the provided credentials are valid
+ // Unauthenticated: the provided credentials are invalid or may have expired
+ // InvalidArgument: the client specified an invalid argument (please note that this applies to the request in itself,
+ // not to the content of the request, i.e. you will get the InvalidArgument error if the message
+ // size exceeds the server limit but Unauthenticated if the token format is not recognized)
+ // Unavailable: the service is currently unavailable, the client should retry again
+ // Internal: the service is broken
+ //
+ // Please note that these do not include client-side errors (e.g. Cancelled, DeadlineExceeded, etc.)
+ rpc Authenticate (AuthenticateRequest) returns (AuthenticateResponse);
+
+ // Check if a subject is allowed to perform an action. This also authenticates the subject if any credentials are
+ // passed as an identity.
+ //
+ // gRPC error codes
+ //
+ // Ok: the provided credentials (if any) are valid and the subject has permissions to access the
+ // specified resource
+ // Unauthenticated: the provided credentials are invalid or may have expired
+ // PermissionDenied: the subject does not have permissions to access the specified resource
+ // InvalidArgument: the client specified an invalid argument (please note that this applies to the request in itself,
+ // not to the content of the request, i.e. you will get the InvalidArgument error if the message
+ // size exceeds the server limit or the specified permission does not exist but Unauthenticated if
+ // the token format is not recognized)
+ // Unavailable: the service is currently unavailable, the client should retry again
+ // Internal: the service is broken
+ //
+ // Please note that these do not include client-side errors (e.g. Cancelled, DeadlineExceeded, etc.)
+ rpc Authorize (AuthorizeRequest) returns (AuthorizeResponse);
+
+ // Similar to Authorize, but requests multiple actions for one subject.
+ //
+ // gRPC error codes will be the same, except for these cases:
+ // - An Unauthenticated error of BulkAuthorizeRequest.identity is returned in
+ // BulkAuthorizeResponse.unauthenticated_error.
+ // - All PermissionDenied of BulkAuthorizeRequest.authorizations are returned in
+ // BulkAuthorizeResponse.results.
+ //
+ // You can control the information returned in BulkAuthorizeResponse.results with:
+ // - result_filter : return all errors (ALL_FAILED) or only the first one (FIRST_FAILED), if any.
+ // - result_mask : You can choose the fields returned (all by default),
+ // from the fields in BulkAuthorizeResponse.Result.
+ //
+ rpc BulkAuthorize (BulkAuthorizeRequest) returns (BulkAuthorizeResponse);
+}
+
+message AuthenticateRequest {
+ oneof credentials {
+
+ // IAM-token obtained from the IAM Token Service.
+ // The server response for an empty IAM token is UNAUTHENTICATED
+ string iam_token = 1;
+
+ // AWS-compatible signature.
+ AccessKeySignature signature = 2;
+
+ // API key.
+ // The server response for an empty API key is UNAUTHENTICATED
+ string api_key = 3;
+
+ // IAM-cookie.
+ // The server response for an empty IAM cookie is UNAUTHENTICATED
+ string iam_cookie = 4;
+ }
+}
+
+message AuthenticateResponse {
+ Subject subject = 1;
+}
+
+message AuthorizeRequest {
+ oneof identity {
+
+ Subject subject = 1;
+
+ // IAM-token obtained from the IAM Token Service.
+ // The server response for an empty IAM token is UNAUTHENTICATED
+ string iam_token = 2;
+
+ // AWS-compatible signature.
+ AccessKeySignature signature = 3;
+
+ // API key.
+ // The server response for an empty API key is UNAUTHENTICATED
+ string api_key = 6;
+ }
+
+ string permission = 4;
+
+ // A resource to authorize access to. This may also include a service-specific hierarchy of the resource, usually
+ // ends with resource-manager.folder.
+ //
+ // Examples:
+ // (resource-manager.folder, b1gn3enigctah04o0fkb)
+ // (billing.account, b1gqql62454n46tboesn)
+ // (compute.instance, b1gqqhvc4fg65mkrefs8), (resource-manager.folder, b1gn3enigctah04o0fkb)
+ // (resource-manager.cloud, aje56o8prppkrpaiuoc6)
+ // (my-service.instance, b1gqqepv0upu57issrog), (resource-manager.cloud, aje56o8prppkrpaiuoc6)
+ repeated Resource resource_path = 5;
+}
+
+message AuthorizeResponse {
+ Subject subject = 1;
+
+ // Full path to the resource.
+ repeated Resource resource_path = 2;
+}
+
+message BulkAuthorizeRequest {
+ oneof identity {
+
+ Subject subject = 1;
+
+ string iam_token = 2;
+
+ AccessKeySignature signature = 3;
+
+ string api_key = 4;
+ }
+
+ oneof authorizations {
+
+ Actions actions = 5;
+
+ ActionMatrix action_matrix = 6;
+ }
+
+ ResultFilter result_filter = 7;
+
+ google.protobuf.FieldMask result_mask = 8;
+
+ message Action {
+ repeated Resource resource_path = 1;
+
+ string permission = 2;
+ }
+
+ message Actions {
+ repeated Action items = 1;
+ }
+
+ // Cross product of paths and permissions (represents N*M actions, N*M <= 1000).
+ message ActionMatrix {
+ repeated ResourcePath resource_paths = 2;
+
+ repeated string permissions = 1;
+ }
+
+ enum ResultFilter {
+ RESULT_FILTER_UNSPECIFIED = 0;
+ FIRST_FAILED = 1;
+ ALL_FAILED = 2;
+ }
+}
+
+message BulkAuthorizeResponse {
+ Subject subject = 1;
+
+ Error unauthenticated_error = 2;
+
+ Results results = 3;
+
+ message Results {
+ repeated Result items = 1;
+ }
+
+ message Result {
+ string permission = 1;
+
+ repeated Resource resource_path = 2;
+
+ Error permission_denied_error = 3;
+ }
+
+ message Error {
+ string message = 1;
+
+ repeated google.protobuf.Any details = 2;
+ }
+}
+
+message AccessKeySignature {
+ string access_key_id = 1;
+ string string_to_sign = 2;
+ string signature = 3;
+
+ oneof parameters {
+ Version2Parameters v2_parameters = 4;
+ Version4Parameters v4_parameters = 5;
+ }
+
+ message Version2Parameters {
+ SignatureMethod signature_method = 1;
+
+ enum SignatureMethod {
+ SIGNATURE_METHOD_UNSPECIFIED = 0;
+ HMAC_SHA1 = 1;
+ HMAC_SHA256 = 2;
+ }
+ }
+
+ message Version4Parameters {
+ google.protobuf.Timestamp signed_at = 1;
+ string service = 2;
+ string region = 3;
+ }
+}
+
+message Subject {
+ oneof type {
+ UserAccount user_account = 1;
+ ServiceAccount service_account = 2;
+ AnonymousAccount anonymous_account = 3;
+ }
+
+ message UserAccount {
+ string id = 1;
+ string federation_id = 2;
+ }
+
+ message ServiceAccount {
+ string id = 1;
+ string folder_id = 2;
+ }
+
+ // Use this if you want to check if an unauthenticated subject is allowed to access a resource.
+ message AnonymousAccount {
+ }
+}
diff --git a/ydb/public/api/client/yc_private/servicecontrol/resource.proto b/ydb/public/api/client/yc_private/servicecontrol/resource.proto
new file mode 100644
index 00000000000..89ffbb72d94
--- /dev/null
+++ b/ydb/public/api/client/yc_private/servicecontrol/resource.proto
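Review bot: The `identity` oneofs in AuthorizeRequest and BulkAuthorizeRequest accept a bare `Subject` alongside the credential members, so a caller can ask for an authorization decision without presenting any credential, yet the service comments say neither which callers may do that nor what the service returns when the oneof is left unset. A comment on each `Subject subject = 1;` member such as `// Trusted callers only: the subject is taken as already authenticated and no credential check is performed.` (if that is the semantics) and an entry in the Authorize error-code list for an empty identity would close that gap. In BulkAuthorizeRequest.ActionMatrix the members are declared as `resource_paths = 2` before `permissions = 1`, which reads as if a field had been reordered; declaring them in number order avoids the question. AccessKeySignature.Version2Parameters and Version4Parameters are also duplicated verbatim in iam/user_account_service.proto, which invites drift between the two SignatureMethod enums.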
@@ -0,0 +1,14 @@
+syntax = "proto3";
+
+package yandex.cloud.priv.servicecontrol.v1;
+
+message Resource {
+ string id = 1;
+
+ // The type of the resource, e.g. resource-manager.folder, billing.account, compute.snapshot, etc.
+ string type = 2;
+}
+
+message ResourcePath {
+ repeated Resource path = 1;
+}