Key concepts
KakaoCloud IAM uses a role-based access control (RBAC) model to manage permissions for users, organizations, and projects based on predefined roles.
Resource
A resource is an abstract unit of computing assets such as instances, storage, and networks that can be created in a project, or services provided by KakaoCloud.
KakaoCloud resource hierarchy
Item | Description |
---|---|
Organization | The top-level concept in the KakaoCloud hierarchy. It is an abstract space where projects, users, and other entities are grouped into one organization. |
Project | The upper-level unit that owns service-level resources - Must belong to a specific organization - Resource quotas are set at the project level - Users must be granted a project role to access project resources |
Service | Individual products provided by KakaoCloud - All resources within a service are created and managed under a project - Examples: VM, VPC, Object Storage |
IAM and Project Management role permissions
KakaoCloud IAM is divided into the IAM service, which manages IAM across the entire organization, and Project Management, which manages IAM at the project level.
IAM service
The IAM service provides functionality to manage organizational resources (users, roles, groups, projects) in an integrated manner.
You can access the IAM service from KakaoCloud Console > Management > IAM.
Feature | Organization Admin | Organization Reader | IAM Organization Admin | IAM Organization Viewer |
---|---|---|---|---|
Create, delete, modify projects | ✓ | | ✓ | |
View project details | ✓ | ✓ | ✓ | ✓ |
Invite, delete users, edit roles | ✓ | | ✓ | |
View user details | ✓ | ✓ | ✓ | ✓ |
View IAM role information | ✓ | ✓ | ✓ | ✓ |
Create, delete groups, edit roles | ✓ | | ✓ | |
View group details | ✓ | ✓ | ✓ | ✓ |
View credential data | ✓ | ✓ | ✓ | ✓ |
Manage organization settings (login, security) | ✓ | | ✓ | |
View organization settings (login, security) | ✓ | ✓ | ✓ | ✓ |
Management operations require Organization Admin or IAM Organization Admin; the Reader and Viewer roles are view-only. Role definitions are given under Organization roles below.
Project Management
Project Management is a sub-function of IAM for managing project-level resources. It allows you to view and manage project members and project roles.
You can access Project Management from the Go to Project Management button located at the top right of the KakaoCloud Console dashboard.
Feature | Project Admin | Project Member | Project Reader | IAM Project Admin | IAM Project Viewer |
---|---|---|---|---|---|
Assign, remove, edit user roles | ✓ | | | ✓ | |
View list of users and roles | ✓ | | | ✓ | ✓ |
Assign, remove, edit group roles | ✓ | | | ✓ | |
View group role details | ✓ | | | ✓ | ✓ |
Create, delete service accounts, manage credentials | ✓ | | | ✓ | |
View service accounts, view credentials | ✓ | | | ✓ | ✓ |
View service agents | ✓ | | | ✓ | ✓ |
Project Member and Project Reader grant access to project resources, not to Project Management itself; member and role administration requires Project Admin or IAM Project Admin, and IAM Project Viewer is view-only. Role definitions are given under Project roles below.
User
A user is an account that can log in to the KakaoCloud Console. A user can have roles in specific projects and also be a member of groups.
Item | Description |
---|---|
User | A KakaoCloud account that can log in to the console - Can use both KakaoCloud Console and API - Must be unique within its organization |
Project role | A user can be granted a project role (Admin, Member, Reader) in a specific project - A project role is required to access that project's resources; a user without one cannot see or use them |
Group member | A user belonging to a specific group - Inherits roles according to group permissions - If a group is deleted or the user is removed, group permissions are revoked immediately - For more details, see Group below |
Group
A group is a set of users who share specific roles. By adding or removing roles at the group level, IAM roles can be managed efficiently. If a role is assigned to a group, all members inherit it. If the role is removed, it is revoked immediately. Directly assigned roles remain unchanged.
For more details, see Create and manage group.
Group structure
- Multiple users can be added to a group, and users can belong to multiple groups.
- Only users can be added to groups; service accounts cannot be added.
- Groups cannot contain other groups.
- If a group is deleted or a member is removed, inherited group permissions are revoked immediately.
- If a group is deleted or a member is removed, the API authentication tokens of the affected users expire immediately, unless the user still holds other, directly assigned permissions.
Service account
A service account is not an actual IAM user but an account created by a user to issue authentication tokens required for calling KakaoCloud APIs.
Project members can use service account API tokens to access or manage KakaoCloud resources.
The service account ID format is {custom-input}-project-name@kc.serviceaccount.com. A service account can be assigned a project role at creation. However, service accounts cannot log in to the console and are not listed in the organization user list.
For details, see Manage service account.
Item | Description |
---|---|
Service account | An account for issuing authentication tokens required to call KakaoCloud APIs - Created by users and not a real IAM user - ID format: {custom-input}-project-name@kc.serviceaccount.com |
Service account credentials
You can generate IAM access keys and S3 access keys for service accounts. These keys can then be used to issue API authentication tokens.
For more information, see Manage service account.
Service account quota
Up to 100 service accounts can be created per project; inactive accounts count toward this limit. Each service account can have up to 2 IAM access keys and 2 S3 access keys. This limit is separate from the project's resource quotas: service accounts themselves do not count toward those.
Service agent account
A service agent account is created automatically when you use certain KakaoCloud services. The service uses it to access project resources on your behalf, either in the background or to carry out a request you made.
For example, when you add a node pool in Kubernetes Engine, a Kubernetes Engine service agent account creates instances in the Virtual Machine service.
The service agent account ID format is project-name@service-name.kc.serviceaccount.com. Service agents cannot be created or deleted manually. They are deleted automatically when the project is deleted.
You can view service agents from KakaoCloud Console > Dashboard > Go to Project Management > Service Agent.
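The two identifier formats above and the per-project and per-account limits are easy to get wrong when automating account creation. The following is an added example, not KakaoCloud's code or API: it parses both identifier formats, rejects identifiers that belong to another project, enforces the 100-accounts-per-project and 2-keys-per-type limits, and shows that with a two-key cap a rotation must add the new key before revoking the old one. The project name `proj-a`, the service name `k8s-engine` and the key IDs are constructed for the example.

```python
from dataclasses import dataclass, field

# Identifier suffix shared by both formats quoted on the page.
SA_DOMAIN = "kc.serviceaccount.com"
# Limits quoted on the page.
MAX_SERVICE_ACCOUNTS_PER_PROJECT = 100
MAX_KEYS = {"iam": 2, "s3": 2}


class QuotaError(Exception):
    """Raised when a page-documented limit would be exceeded."""


@dataclass(frozen=True)
class Principal:
    kind: str      # "service_account" or "service_agent"
    project: str
    name: str      # custom input (service account) or service name (service agent)


def parse_principal(identifier: str, project: str) -> Principal:
    """Classify an identifier and verify that it belongs to `project`.

    service account: {custom-input}-{project}@kc.serviceaccount.com
    service agent  : {project}@{service}.kc.serviceaccount.com
    """
    local, at, domain = identifier.rpartition("@")
    if not at or not local:
        raise ValueError(f"not an account identifier: {identifier!r}")
    if domain == SA_DOMAIN:
        # The custom input may itself contain hyphens, so match on the known project suffix.
        suffix = f"-{project}"
        if not local.endswith(suffix) or local == suffix:
            raise ValueError(f"{identifier!r} is not a service account of project {project!r}")
        return Principal("service_account", project, local[: -len(suffix)])
    if domain.endswith("." + SA_DOMAIN):
        service = domain[: -len("." + SA_DOMAIN)]
        if local != project or not service:
            raise ValueError(f"{identifier!r} is not a service agent of project {project!r}")
        return Principal("service_agent", project, service)
    raise ValueError(f"unknown account domain in {identifier!r}")


@dataclass
class ServiceAccount:
    identifier: str
    active: bool = True
    keys: dict = field(default_factory=lambda: {"iam": [], "s3": []})


class ProjectServiceAccounts:
    """Registry for one project that enforces the limits stated on the page (toy model)."""

    def __init__(self, project: str):
        self.project = project
        self.accounts: dict[str, ServiceAccount] = {}

    def create(self, custom: str) -> ServiceAccount:
        # Inactive accounts are still in self.accounts, so they count toward the limit.
        if len(self.accounts) >= MAX_SERVICE_ACCOUNTS_PER_PROJECT:
            raise QuotaError(f"{self.project!r} already has {MAX_SERVICE_ACCOUNTS_PER_PROJECT} service accounts")
        if not custom or "@" in custom:
            raise ValueError("custom input must be non-empty and must not contain '@'")
        ident = f"{custom}-{self.project}@{SA_DOMAIN}"
        if ident in self.accounts:
            raise ValueError(f"{ident} already exists")
        sa = self.accounts[ident] = ServiceAccount(ident)
        return sa

    def add_key(self, sa: ServiceAccount, kind: str, key_id: str) -> None:
        if len(sa.keys[kind]) >= MAX_KEYS[kind]:
            raise QuotaError(f"{sa.identifier} already has {MAX_KEYS[kind]} {kind} access keys")
        sa.keys[kind].append(key_id)

    def revoke_key(self, sa: ServiceAccount, kind: str, key_id: str) -> None:
        sa.keys[kind].remove(key_id)

    def rotate_key(self, sa: ServiceAccount, kind: str, new_key_id: str) -> str:
        """Add the new key first, then revoke the oldest, so a failed add never leaves
        the account without a working key. With both slots used this raises QuotaError:
        revoke one key explicitly before rotating. Returns the revoked key ID."""
        if not sa.keys[kind]:
            self.add_key(sa, kind, new_key_id)
            return ""
        old = sa.keys[kind][0]
        self.add_key(sa, kind, new_key_id)
        self.revoke_key(sa, kind, old)
        return old


if __name__ == "__main__":
    reg = ProjectServiceAccounts("proj-a")
    sa = reg.create("ci-deploy")
    reg.add_key(sa, "iam", "AK1")
    print(parse_principal(sa.identifier, "proj-a"))
    print("rotated out:", reg.rotate_key(sa, "iam", "AK2"), "now:", sa.keys["iam"])
```

Checking the project suffix against the project you expect, rather than trusting whatever precedes the `@`, is the part that matters in practice: a service account identifier from another project is otherwise indistinguishable at a glance.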
IAM role
An IAM role is a collection of permissions. When a role is assigned to a user, the user automatically inherits the permissions of that role.
Basic roles
Basic roles are default roles provided by KakaoCloud. They are divided into organization roles and project roles.
For more details, see Manage role.
Organization roles
Organization roles are roles required for managing services at the organization level.
- The organization owner is the user who applies to create the organization. The owner is automatically assigned the Organization Admin and Billing Admin roles.
- Ownership can be transferred to another user, who will then also be assigned the Organization Admin and Billing Admin roles.
- Only the organization owner can request organization creation or deletion.
Organization roles
Role | Description |
---|---|
Organization Admin | Manages organizations and projects (excluding resources) - Can register and delete users in the organization - Can create and delete groups, create projects - Can change the status or type of questions in Helpdesk inquiries - Includes all permissions of Organization Reader |
Organization Reader | Can view users and IAM roles of the organization and projects (cannot manage resources) |
IAM Organization Admin | Manages IAM service resources - Can manage users and groups in the organization - Can manage projects, configure login and security settings |
IAM Organization Viewer | Views IAM service resources - Can view users and groups in the organization - Can view projects and login/security settings |
Billing Admin | In the Billing service, manages payment methods and credits - Includes all permissions of Billing Manager |
Billing Manager | In the Billing service, can view estimated costs and invoices for projects - Includes all permissions of Billing Viewer |
Billing Viewer | In the Billing service, can view resource usage and estimated costs for projects |
Trail Viewer | Can view organization events (project creation/deletion, console login/logout, billing inquiries) - For details, see Manage IAM roles in Cloud Trail - For event details, see Organization events available in Cloud Trail |
Alert Center Organization Manager | In Alert Center, manages organization-level alert policies, notification channels, and delivery history - For details, see Manage IAM roles in Alert Center - For available events, see Alert policies in Alert Center |
Alert Center Organization Viewer | In Alert Center, views organization-level alert policies, notification channels, and delivery history - For details, see Manage IAM roles in Alert Center |
Project roles
Project roles are roles required for managing services at the project level.
Project role types
Role | Description |
---|---|
Project Admin | Has full access to resources within the project - Can perform CRUD (create, read, update, delete) on project resources - Can add, remove, modify user roles in the project - Can manage service accounts and view service agents (service agents are created and deleted automatically; see Service agent account above) - Includes all permissions of Project Member |
Project Member | Has access to manage project resources - Can perform CRUD on project resources |
Project Reader | Has read-only access to project resources |
IAM Project Admin | Manages Project Management service resources - Can manage users and groups in the project - Can manage service accounts and credentials |
IAM Project Viewer | Views Project Management service resources - Can view users, groups, service accounts, and credentials |
Object Storage Manager | Can create and view buckets in Object Storage; bucket management depends on bucket-level role settings - For details, see IAM roles in Object Storage |
Object Storage Viewer | Can view Object Storage buckets; bucket management depends on bucket-level role settings |
File Storage Manager | Full CRUD permissions on all File Storage resources - For details, see IAM roles in File Storage |
File Storage Viewer | Read-only access to all File Storage resources |
Kubeflow Admin | CRUD permissions on Kubeflow resources |
Alert Center Project Manager | In Alert Center, manages project-level alert policies, notification channels, and delivery history - For details, see Manage IAM roles in Alert Center - For available events, see Alert policies in Alert Center |
Alert Center Project Viewer | In Alert Center, views project-level alert policies, notification channels, and delivery history |
DNS Manager | CRUD permissions on project-level DNS resources - For details, see Manage IAM roles in DNS |
DNS Viewer | Read-only access to project-level DNS resources |
Pub/Sub Manager | CRUD permissions on topics and subscriptions in Pub/Sub - Includes Publisher, Subscriber, and Viewer permissions - For details, see Pub/Sub role permissions |
Pub/Sub Publisher | Publishes messages to Pub/Sub topics |
Pub/Sub Subscriber | Receives and processes messages from Pub/Sub subscriptions |
Pub/Sub Viewer | Views lists of Pub/Sub topics and subscriptions |
KMS Manager | CRUD permissions on project-level KMS resources - For details, see Manage IAM roles in KMS |
KMS Viewer | Read-only access to project-level KMS resources |
Secrets Manager Manager | CRUD permissions on project-level Secrets Manager resources - For details, see Manage IAM roles in Secrets Manager |
Secrets Manager Viewer | Read-only access to project-level Secrets Manager resources |
Group permissions
Group permissions are the permissions a group acquires when organization or project roles are assigned to it. Group members automatically inherit these permissions. Group permissions make it easy to assign roles to multiple users at once.
For more details, see Create and manage group.
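The rules under Group, Group structure and Group permissions (group roles are inherited, revoked immediately when the group is deleted or the member removed, directly assigned roles are unaffected, tokens expire unless a directly assigned permission remains, service accounts and other groups cannot be members), together with the "Includes all permissions of" relations in the role tables, describe a small resolution algorithm. The following is an added example, not KakaoCloud's implementation, that models those rules and walks through the scenario the text describes. The user names, the group `devs`, the project `proj-a` and the service account identifier are constructed for the example; the `ROLE_INCLUDES` entries are the inclusions stated in the role tables above.

```python
from collections import defaultdict

# Role inclusions quoted from the role tables ("Includes all permissions of ...").
ROLE_INCLUDES = {
    "Organization Admin": {"Organization Reader"},
    "Billing Admin": {"Billing Manager"},
    "Billing Manager": {"Billing Viewer"},
    "Project Admin": {"Project Member"},
    "Pub/Sub Manager": {"Pub/Sub Publisher", "Pub/Sub Subscriber", "Pub/Sub Viewer"},
}


def expand_roles(roles):
    """Transitive closure over ROLE_INCLUDES, e.g. {Project Admin} -> {Project Admin, Project Member}."""
    out, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in out:
            out.add(r)
            todo.extend(ROLE_INCLUDES.get(r, ()))
    return out


class Iam:
    """Toy model of the page's group and role rules. Scopes are ("org", name) or ("project", name)."""

    def __init__(self):
        self.users, self.service_accounts = set(), set()
        self.groups = {}                        # group -> set of user names
        self.direct = defaultdict(set)          # (principal, scope) -> roles assigned directly
        self.group_roles = defaultdict(set)     # (group, scope) -> roles assigned to the group
        self.tokens = {}                        # token id -> [principal, still valid]
        self._n = 0

    def add_user(self, name): self.users.add(name)
    def add_service_account(self, name): self.service_accounts.add(name)
    def create_group(self, name): self.groups[name] = set()

    def add_member(self, group, member):
        # Page rules: only users can be members; no service accounts, no nested groups.
        if member in self.groups:
            raise ValueError(f"groups cannot contain other groups: {member}")
        if member in self.service_accounts:
            raise ValueError(f"service accounts cannot be group members: {member}")
        if member not in self.users:
            raise KeyError(member)
        self.groups[group].add(member)

    def assign(self, principal, scope, role):
        target = self.group_roles if principal in self.groups else self.direct
        target[(principal, scope)].add(role)

    def issue_token(self, principal):
        self._n += 1
        self.tokens[f"tok-{self._n}"] = [principal, True]
        return f"tok-{self._n}"

    def token_valid(self, token_id): return self.tokens[token_id][1]

    def effective_roles(self, principal, scope):
        """Directly assigned roles plus roles of every group the principal belongs to, expanded."""
        roles = set(self.direct.get((principal, scope), ()))
        for group, members in self.groups.items():
            if principal in members:
                roles |= self.group_roles.get((group, scope), set())
        return expand_roles(roles)

    def can_access_project(self, principal, project):
        # Page rule: a project role of any kind is required to access project resources.
        return bool(self.effective_roles(principal, ("project", project)))

    def remove_member(self, group, user):
        self.groups[group].discard(user)      # inherited permissions are gone immediately
        self._expire_tokens_without_direct_roles(user)

    def delete_group(self, group):
        members = self.groups.pop(group)
        for key in [k for k in self.group_roles if k[0] == group]:
            del self.group_roles[key]
        for user in members:
            self._expire_tokens_without_direct_roles(user)

    def _expire_tokens_without_direct_roles(self, user):
        # Page rule: tokens expire immediately unless the user keeps directly assigned permissions.
        if not any(p == user and roles for (p, _), roles in self.direct.items()):
            for tok in self.tokens.values():
                if tok[0] == user:
                    tok[1] = False


def demo():
    """alice: direct Project Reader + Project Member via group; bob: Project Member via group only."""
    iam = Iam()
    iam.add_user("alice"); iam.add_user("bob")
    proj = ("project", "proj-a")
    iam.create_group("devs")
    iam.add_member("devs", "alice"); iam.add_member("devs", "bob")
    iam.assign("devs", proj, "Project Member")
    iam.assign("alice", proj, "Project Reader")
    tokens = {u: iam.issue_token(u) for u in ("alice", "bob")}
    before = {u: iam.effective_roles(u, proj) for u in ("alice", "bob")}
    iam.delete_group("devs")
    after = {u: iam.effective_roles(u, proj) for u in ("alice", "bob")}
    valid = {u: iam.token_valid(t) for u, t in tokens.items()}
    return before, after, valid


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from running it: after the group is deleted, alice keeps only what was assigned to her directly and her token survives, while bob, whose only roles came through the group, loses project access and his token at the same moment.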