Key Concepts
KakaoCloud IAM uses Role Based Access Control (RBAC) to manage permissions for users, organizations, and projects through predefined roles.
Resource
Resource refers to computing assets like instances, storage, networks that can be created in a project, or services provided by KakaoCloud.
Item | Description |
---|---|
Organization | The highest concept in the KakaoCloud hierarchy, where projects, users, etc., can be grouped into an abstracted space |
Project | A higher unit owning service-level resources - Must belong to a specific organization - Resource quotas are set at the project level - Users must acquire project roles to access resources |
Service | Individual products provided by KakaoCloud - All resources within a service are created and managed under a project - e.g. VM, VPC, Object Storage, etc. |
IAM roles
KakaoCloud IAM is divided into Organization-level and Project-level scopes.
Category | Description |
---|---|
Organization | IAM service for managing the organization - Manage users, roles, groups, and projects - Navigate to the organization IAM service: KakaoCloud Console > IAM > Organization |
Project | IAM service managed per project - View or manage project members and their roles - Navigate to the project IAM service: KakaoCloud Console > Dashboard > Go to Project Management |
User
A user is an account that can log in to the KakaoCloud Console. A user can be assigned roles in specific projects and can also belong to one or more groups.
Field | Description |
---|---|
User | A KakaoCloud account that can log in to the console - Can access both KakaoCloud Console and APIs - Must be unique within the organization |
Project role | A user who holds a project role (Project Admin, Project Member, Project Reader) in a specific project - Users must be assigned a project role to access project resources |
Group member | A user who belongs to a group - Inherits IAM roles based on group permissions - Group roles are immediately revoked if the user is removed from the group or the group is deleted - See Group below for more information |
Group
A group is a collection of users who share the same roles. By adding or removing permissions at the group level, you can efficiently manage IAM roles for multiple users at once.
When a role is assigned to a group, all group members inherit the role. When a role is removed from a group, it is immediately revoked from all members.
Note that individually assigned roles remain unaffected.
For more details on managing groups, refer to the Create and manage group guide.
Group structure
- You can add multiple users to a group, and users can belong to multiple groups.
- Only user accounts can be added to a group. Service accounts are not supported.
- Groups cannot contain other groups.
- If a group is deleted or a user is removed, the group-granted roles are immediately revoked.
- API tokens issued to removed group members are immediately expired. (This does not apply if the user has other independently assigned roles.)
Service account
A service account is a user-created account that is not an actual IAM user account but can be used to issue the authentication tokens required for calling KakaoCloud APIs.
Project members can use service account API tokens to call APIs and access or control resources in KakaoCloud services.
The service account ID follows the format {user-defined}-project-name@kc.serviceaccount.com. Service accounts belong to the project IAM scope and are automatically granted the Project Member role.
However, since service accounts are not KakaoCloud user accounts, they cannot log in to the console and do not appear in the organization user list.
For more details on creating and managing service accounts, refer to Manage service account.
Item | Description |
---|---|
Service account | An account for issuing authentication tokens to call KakaoCloud APIs - User-created and not an actual IAM user account - ID format: {user-defined}-project-name@kc.serviceaccount.com |
Service account credentials
You can create IAM access keys and S3 access keys from a service account.
Using the access key ID and secret access key of a created key, you can issue an API authentication token.
For more details on managing service account credentials, refer to Manage service account.
Service account quota
You can create up to 100 service accounts per project, including those in a deactivated state.
Each service account can have up to 2 keys of each type: 2 IAM access keys and 2 S3 access keys.
Note that service accounts are not counted toward the quota.
Service agent account
A service agent account is automatically created when using certain KakaoCloud services.
It is used by KakaoCloud services in the background to access resources or process user requests.
For example, when you add a node pool in the KakaoCloud Kubernetes Engine service, a Kubernetes Engine service agent account creates instances in the Virtual Machine service.
The ID format for a service agent account is project-name@service-name.kc.serviceaccount.com.
Service agent accounts cannot be created or deleted manually. However, deleting the project will also delete all associated service agent accounts.
You can view the list of service agents created in a project via the KakaoCloud Console:
Dashboard > Go to Project Management > Service Agent
IAM role
An IAM role in KakaoCloud is a collection of permissions.
When a user is granted a role, all the permissions associated with that role are automatically granted to the user.
Basic roles
Basic roles are predefined roles provided by KakaoCloud.
They are divided into organization roles and project roles, and users can have multiple roles assigned.
For more details, see Manage roles.
Organization roles
Organization roles consist of Org Admin, Org Reader, Billing Admin, Billing Manager, Billing Viewer, Trail Viewer, Alert Center Organization Manager, and Alert Center Organization Viewer.
- The Org Owner is the user who applied for the creation of the organization. By default, the Org Admin and Billing Admin roles are assigned to this user.
- You can transfer ownership to another user, who will then be assigned the same roles.
- Only the Org Owner can request the creation or deletion of an organization.
Organization roles
Role | Description |
---|---|
Org Admin | Manages the organization and projects (excluding resources) - Can register and delete users in the organization - Can create and delete groups, and create projects - Can manage responses and change question types in Helpdesk general inquiries - Includes all permissions of the Org Reader role |
Org Reader | Can view users and IAM roles in the organization and projects (cannot manage project resources) |
Billing Admin | Manages payment methods and credits in the Billing service - Includes all permissions of the Billing Manager role |
Billing Manager | Can view project cost estimates and billing information in the Billing service - Includes all permissions of the Billing Viewer role |
Billing Viewer | Can view resource usage and cost estimates for projects in the Billing service |
Trail Viewer | Can view organization events (e.g., project creation/deletion, console login/logout, billing views) - For more details, see Manage IAM roles in Cloud Trail - For event types, see Organization events viewable in Cloud Trail |
Alert Center Organization Manager | Manages organization-level alert policies and channels, and views alert history in Alert Center - See Manage IAM roles in Alert Center - For alertable events, refer to Alert policies in Alert Center |
Alert Center Organization Viewer | Views organization-level alert policies, channels, and history in Alert Center - See Manage IAM roles in Alert Center for more information |
Organization management permissions by role
Permission | Org Admin | Org Reader | Billing Admin | Billing Manager | Billing Viewer |
---|---|---|---|---|---|
Edit organization information | ✓ | ||||
Register/delete users | ✓ | ||||
Add/remove IAM roles | ✓ | ||||
View organization/project info & IAM roles | ✓ | ✓ | |||
Manage groups | ✓ | ||||
Manage Helpdesk general inquiries | ✓ | ||||
Configure login settings & IdP integration | ✓ | ||||
Configure security settings | ✓ | ||||
Add/remove billing roles | ✓ | ||||
Manage payment methods | ✓ | ||||
Manage credits | ✓ | ||||
View billing statements | ✓ | ✓ | |||
View all project cost estimates | ✓ | ✓ | |||
View specific project cost estimates | ✓ | ✓ | ✓ |
Project role
Project roles include Project Admin, Project Member, Project Reader, and service-specific roles. These roles define permissions to manage project members or access project resources.
To access a specific project resource, the user must be granted a project role.
Assigning or removing project roles requires Org Admin or Project Admin privileges.
Types of project roles
Role | Description |
---|---|
Project Admin | Has full access and control over all project resources - Can create, read, update, and delete project resources - Can manage project settings - Can assign, modify, and revoke project roles for users - Can manage service accounts and agents - Includes all permissions of the Project Member role |
Project Member | Has permission to access and manage project resources - Can create, read, update, and delete project resources |
Project Reader | Has read-only access to project resources - Can only view project resources |
ObjectStorage Manager | Can create and list buckets in Object Storage - Bucket management depends on role permissions per bucket - See IAM roles for Object Storage |
ObjectStorage Viewer | Can list objects in Object Storage - Bucket management depends on role permissions per bucket - See IAM roles for Object Storage |
Kubeflow Admin | Can create, view, update, and delete Kubeflow service resources |
Alert Center Project Manager | Manages project-level alert policies, channels, and notifications in Alert Center - See Manage IAM roles in Alert Center - See Alert policies |
Alert Center Project Viewer | Views project-level alert policies, channels, and notification history in Alert Center - See Manage IAM roles in Alert Center |
Permissions by project role
Permission | Org Admin | Project Admin | Project Member | Project Reader |
---|---|---|---|---|
Create/delete projects | ✓ | |||
Edit project info | ✓ | |||
Manage project roles | ✓ | ✓ | ||
Manage service accounts | ✓ | |||
Full CRUD on all project resources | ✓ | ✓ | ||
CRUD on owned resources | ✓ | ✓ | ||
View owned resources | ✓ | ✓ | ✓ |
Permissions for Project Members may vary depending on the service. Refer to the user guide for each service for detailed information.
Group permissions
Group permissions are permissions granted to user groups by assigning organization or project roles. All group members automatically inherit the roles assigned to their group.
Group permissions allow administrators to manage multiple users and roles more efficiently.
For more information, refer to Create and manage group.
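As an added illustration (not KakaoCloud's code or API), the following Python model captures the role semantics this page describes in the Group, IAM role and Group permissions sections: roles are expanded through the "includes all permissions of" relation from the role tables (Org Admin includes Org Reader, Billing Admin includes Billing Manager includes Billing Viewer, Project Admin includes Project Member); group roles are inherited by every member and revoked immediately when the member is removed or the group is deleted; individually assigned roles are unaffected; and API tokens of a removed member expire unless the user still holds another role. The user names, group, token ids and the small permission map are constructed assumptions for the example.

```python
"""Toy model of the IAM role semantics described on this page (role inclusion,
group inheritance, revocation on group removal). Constructed illustration, not
KakaoCloud's implementation or API."""
from dataclasses import dataclass, field

# "Includes all permissions of" relation, taken from the role tables on this page.
INCLUDES = {
    "Org Admin": {"Org Reader"},
    "Billing Admin": {"Billing Manager"},
    "Billing Manager": {"Billing Viewer"},
    "Project Admin": {"Project Member"},
}

# Minimal permission map derived from the role descriptions (assumed simplification).
PERMISSIONS = {
    "manage project roles": {"Org Admin", "Project Admin"},
    "manage service accounts": {"Project Admin"},
    "create resource": {"Project Member"},
    "delete resource": {"Project Member"},
    "view resource": {"Project Member", "Project Reader"},
    "view cost estimate": {"Billing Viewer"},
}


def expand(roles):
    """Close a role set under INCLUDES (e.g. Project Admin -> Project Member)."""
    result, todo = set(roles), list(roles)
    while todo:
        for child in INCLUDES.get(todo.pop(), ()):
            if child not in result:
                result.add(child)
                todo.append(child)
    return result


@dataclass
class Organization:
    direct_roles: dict = field(default_factory=dict)  # user -> individually assigned roles
    groups: dict = field(default_factory=dict)        # group -> member users
    group_roles: dict = field(default_factory=dict)   # group -> roles assigned to the group
    tokens: dict = field(default_factory=dict)        # user -> issued API token ids (constructed)

    def effective_roles(self, user):
        """Direct roles plus roles inherited from every group the user belongs to."""
        roles = set(self.direct_roles.get(user, ()))
        for group, members in self.groups.items():
            if user in members:
                roles |= self.group_roles.get(group, set())
        return expand(roles)

    def can(self, user, permission):
        """True if any effective role of the user grants the permission."""
        return bool(self.effective_roles(user) & PERMISSIONS[permission])

    def remove_from_group(self, group, user):
        """Group-granted roles are revoked immediately; direct roles are untouched."""
        self.groups[group].discard(user)
        self._expire_tokens_if_no_roles(user)

    def delete_group(self, group):
        """Deleting a group revokes its roles from every former member at once."""
        members = self.groups.pop(group, set())
        self.group_roles.pop(group, None)
        for user in members:
            self._expire_tokens_if_no_roles(user)

    def _expire_tokens_if_no_roles(self, user):
        # Page rule: tokens of removed members expire immediately unless the
        # user still holds other independently assigned roles.
        if not self.effective_roles(user):
            self.tokens.pop(user, None)


def build_sample_org():
    """Constructed sample: alice holds a direct Project Reader role and is in
    group 'devs' (Project Member); bob gets roles only through 'devs'."""
    org = Organization()
    org.direct_roles["alice"] = {"Project Reader"}
    org.groups["devs"] = {"alice", "bob"}
    org.group_roles["devs"] = {"Project Member"}
    org.tokens = {"alice": {"tok-a1"}, "bob": {"tok-b1"}}
    return org


if __name__ == "__main__":
    org = build_sample_org()
    print("bob can create:", org.can("bob", "create resource"))    # True (via group)
    org.remove_from_group("devs", "bob")
    print("bob can create:", org.can("bob", "create resource"))    # False, token expired
    print("bob tokens:", org.tokens.get("bob"))                    # None
    org.remove_from_group("devs", "alice")
    print("alice roles:", org.effective_roles("alice"))            # {'Project Reader'}
    print("alice tokens:", org.tokens.get("alice"))                # {'tok-a1'} kept
```

Running the script walks through the two cases the page distinguishes: bob, whose only role came from the group, loses both his access and his token on removal, while alice keeps her individually assigned Project Reader role and her token. The same `effective_roles` check is what a reviewer would run when auditing who can still reach a project after a group is deleted.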