Skip to main content

Key Concepts

KakaoCloud IAM uses Role Based Access Control (RBAC) to manage permissions for users, organizations, and projects through predefined roles.

Resource

Resource refers to computing assets like instances, storage, networks that can be created in a project, or services provided by KakaoCloud.

ItemDescription
OrganizationThe highest concept in the KakaoCloud hierarchy, where projects, users, etc., can be grouped into an abstracted space
Project    A higher unit owning service-level resources
- Must belong to a specific organization
- Resource quotas are set at the project level
- Users must acquire project roles to access resources
ServiceIndividual products provided by KakaoCloud
- All resources within a service are created and managed under a project
- e.g. VM, VPC, Object Storage, etc.

IAM level

IAM levels in KakaoCloud are divided into organization and project units.

   Category   Description
 Organization-level IAMIAM managing the organization
- Manages users, roles, groups, projects
- How to navigate to Organization-level IAM:
  -> KakaoCloud Console > IAM > Organization
 Project-level IAMIAM managed per project
- Manages project members and project roles
- How to navigate to Project-level IAM:
  -> KakaoCloud Console > IAM > Project

User

Users are account units that can log in to the KakaoCloud Console. A user can be a member of a specific project while also being a member of a group.

   Item   Description
 UserA unit of KakaoCloud account that can log into the console
- Accessible via both KakaoCloud Console and API
- Must be unique within the affiliated organization
 Project MemberA user with project roles (Project Admin, project member, Project Reader) within a specific project
- Must acquire project roles to access project resources
 Group MemberA user belonging to a specific group
- Group members gain roles according to group permissions
- Immediate revocation of group permissions upon deletion from the group or group deletion
- For more details, see Group below

Group

Groups are sets of users sharing certain roles. Group permissions can be easily managed by adding or removing IAM roles to group members in bulk. Adding group permissions grants the specified IAM role to group members, and deleting permissions immediately revokes the role. However, roles added directly to users remain unaffected.
For more detailed information on managing groups, see Manage user and group document.

Group Policy
  • Multiple users can be added to a group, and a user can belong to multiple groups.
  • Only users can be added to groups; service accounts cannot be added.
  • A group cannot include other groups.
  • If a group is deleted or a member is expelled, group permissions are immediately revoked.
  • Deleting a group or expelling a member immediately expires the group member's API authentication token. However, this does not apply if there are no separate group permissions assigned.

Service account

Service accounts are accounts created by users, not actual IAM user accounts, and can issue authentication tokens needed for calling KakaoCloud APIs. Project members use service account API authentication tokens to call APIs to access or control resources of KakaoCloud services.
The ID format for a service account is {user input}-project name@kc.serviceaccount.com. Service accounts belong to project-level IAM and automatically receive the project member role. Service accounts, unlike KakaoCloud user accounts, cannot log in to the console and are not listed in the organization's user list.
For detailed information on creating and managing service accounts, refer to Manage service account.

   Item   Description
 Service accountAn account that can issue authentication tokens required for KakaoCloud API calls
- Created by users, not actual IAM user accounts
- ID format: {user input}-project name@kc.serviceaccount.com

API authentication token

You can issue an API authentication token using the access key and security key created for the service account. For detailed information on managing access keys and security keys, see Manage service account.

Service account quota

Each project can create up to 100 service accounts, including inactive ones. Additionally, a maximum of 10 access keys can be added per service account. However, service accounts are exempt from this quota.

Service agent account

A service agent is automatically created when you use a specific KakaoCloud service. It is used to directly access resources in the background of the KakaoCloud service or to fulfill user requests. For example, when you add a node pool in the KakaoCloud Kubernetes Engine service, the Kubernetes Engine service agent account creates an instance of Virtual Machine. The ID format for the service agent account is project name@service name.kc.serviceaccount.com. Service agents cannot be created or deleted directly by users. However, when deleting a project, all service agents for that project are deleted together.

The list of service agents created in the project can be viewed in the KakaoCloud Console > IAM > Project Service Account tab.

IAM role

IAM roles in KakaoCloud are collections of permissions. Assigning a specific role to a user automatically grants the permissions associated with that role to the user.

Basic role

Basic-roles are roles provided by default in KakaoCloud. Basic role types are divided into Organization roles and Project roles, and multiple roles can be added to a user. For detailed information on role management, refer to Manage role document.

Organization role

Organization roles are as follows.

RoleDescription
Org OwnerThe highest role automatically acquired by the user who applied for organization creation
- Automatically acquires Org Admin and Billing Admin roles upon organization creation
- The Org Owner role cannot be deleted and must be transferred to another user if needed
Org AdminManages the organization and projects (excluding resources)
- Can register and delete users in the organization
- Can create and delete groups, create projects
- Can change the response status and question type of general inquiries in the Helpdesk
- Includes all permissions of the organization leader role
Org ReaderCan view users and IAM roles within the organization and projects (cannot manage project resources)
Billing AdminManages Payment methods, credits, etc., in the Billing
- Includes all permissions of the billing manager role
Billing ManagerViews estimated cost and bills for all projects in the Billing
- Includes all permissions of the billing viewer role
Billing ViewerView resource usage and estimated cost for all projects in the Billing
Trail ViewerA role limited to the Cloud Trail
- Can view organization events (project creation/deletion, console login/logout, billing inquiry) and project events
- For detailed information on events that can be viewed, refer to Cloud Trail
Alert Center AdminA role limited to the Alert Center
- Can view the registration and dispatch history of alerts for organizational units in the Alert Center.
- For detailed information on events that can set alarms, refer to Alert Center's Notification Policy

Permissions by organization role

PermissionOrg OwnerOrg AdminOrg ReaderBilling AdminBilling ManagerBilling ViewerTrail ViewerAlert Center Admin
Create/delete organization✓                                        
Modify organization info
Register/delete users
Add/delete IAM roles
View organization/project info
& IAM roles
Manage groups
Answer general inquiries in Helpdesk
Modify account
& IdP Integration
Configure security settings
Add/delete billing roles
Manage Payment methods
Manage credits
View invoices
View estimated cost for all projects
View estimated cost for specific projects
View organization and project
Events
Register and view the sent history of
Organization event alarms

Project role

Project roles consist of Project Admin, Project Member, Project Reader, and Kubeflow Admin. These roles manage project members or grant access to project resources. To access specific project resources, one must have the corresponding project role.
To add or remove a project role for a user, Org Admin or Project Admin permissions are required.

Types of project role

    Role    Description
Project AdminA role with access to and management permissions for resources within the assigned project.
- Can perform CRUD (Create, Read, Update, Delete) operations on project resources
- Holds project management permissions
- Can add, remove, or modify user roles within the project
- Can manage service accounts and agents
- Includes all permissions of a project member
Project MemberA role with access and management permissions for resources within the affiliated project
- Can perform CRUD (create, read, update, delete) on project resources
Project ReaderA role with only the permission to view resources within the affiliated project
- Can read (view) project resources
Kubeflow AdminA role limited to the Kubeflow
- Can perform CRUD (create, read, update, delete) on Kubeflow resources

Permissions by project role

PermissionOrganization AdminProject AdminProject MemberProject Reader
Create/delete project✓                     
Modify project information
Manage project roles
Manage project service accounts
CRUD on all resources within project
CRUD on owned resources within project
View owned resources within project
Permissions for Project Member by service

Permissions for Project Member may vary by service. For more details, please refer to the documentation for each service.

Group permissions

Group permissions refer to the organization or project roles assigned to a user group, granting permissions acquired by group members. Group members automatically gain the permissions set for the group. Group permissions allow for easy management by linking multiple users and roles at once.
For more detailed information on managing groups, refer to Manage user and group.