Key Concepts
KakaoCloud IAM uses Role Based Access Control (RBAC) to manage permissions for users, organizations, and projects through predefined roles.
Resource
Resource refers to computing assets like instances, storage, networks that can be created in a project, or services provided by KakaoCloud.
Item | Description |
---|---|
Organization | The highest concept in the KakaoCloud hierarchy, where projects, users, etc., can be grouped into an abstracted space |
Project | A higher unit owning service-level resources - Must belong to a specific organization - Resource quotas are set at the project level - Users must acquire project roles to access resources |
Service | Individual products provided by KakaoCloud - All resources within a service are created and managed under a project - e.g. VM, VPC, Object Storage, etc. |
IAM level
IAM levels in KakaoCloud are divided into organization and project units.
Category | Description |
---|---|
Organization-level IAM | IAM that manages the organization - Manages users, roles, groups, and projects - Navigation: KakaoCloud Console > IAM > Organization |
Project-level IAM | IAM managed per project - Manages project members and project roles - Navigation: KakaoCloud Console > IAM > Project |
User
Users are account units that can log in to the KakaoCloud Console. A user can be a member of a specific project while also being a member of a group.
Item | Description |
---|---|
User | A unit of KakaoCloud account that can log into the console - Accessible via both KakaoCloud Console and API - Must be unique within the affiliated organization |
Project Member | A user holding a project role (Project Admin, Project Member, Project Reader) within a specific project - Must acquire a project role to access project resources |
Group Member | A user belonging to a specific group - Group members gain roles according to group permissions - Immediate revocation of group permissions upon deletion from the group or group deletion - For more details, see Group below |
Group
Groups are sets of users sharing certain roles. Group permissions can be easily managed by adding or removing IAM roles to group members in bulk. Adding group permissions grants the specified IAM role to group members, and deleting permissions immediately revokes the role. However, roles added directly to users remain unaffected.
For more detailed information on managing groups, see the Manage user and group document.
- Multiple users can be added to a group, and a user can belong to multiple groups.
- Only users can be added to groups; service accounts cannot be added.
- A group cannot include other groups.
- If a group is deleted or a member is expelled, group permissions are immediately revoked.
- Deleting a group or expelling a member immediately expires the group member's API authentication token. However, this does not apply if there are no separate group permissions assigned.
Service account
Service accounts are accounts created by users, not actual IAM user accounts, and can issue authentication tokens needed for calling KakaoCloud APIs.
Project members use service account API authentication tokens to call APIs to access or control resources of KakaoCloud services.
The ID format for a service account is {user input}-project name@kc.serviceaccount.com. Service accounts belong to project-level IAM and automatically receive the Project Member role. Unlike KakaoCloud user accounts, service accounts cannot log in to the console and are not listed in the organization's user list.
For detailed information on creating and managing service accounts, refer to Manage service account.
Item | Description |
---|---|
Service account | An account that can issue authentication tokens required for KakaoCloud API calls - Created by users, not actual IAM user accounts - ID format: {user input}-project name@kc.serviceaccount.com |
API authentication token
You can issue an API authentication token using the access key and security key created for the service account. For detailed information on managing access keys and security keys, see Manage service account.
Service account quota
Each project can create up to 100 service accounts, including inactive ones. Additionally, a maximum of 10 access keys can be added per service account. However, service accounts are exempt from this quota.
Service agent account
A service agent is created automatically when you use a specific KakaoCloud service. It accesses resources directly in the background of that service or fulfills user requests. For example, when you add a node pool in the KakaoCloud Kubernetes Engine service, the Kubernetes Engine service agent account creates the Virtual Machine instance.
The ID format for a service agent account is project name@service name.kc.serviceaccount.com. Service agents cannot be created or deleted directly by users; however, when a project is deleted, all service agents for that project are deleted with it.
The list of service agents created in the project can be viewed in the KakaoCloud Console > IAM > Project Service Account tab.
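An added example (not KakaoCloud code) that applies the two ID formats above, service account and service agent, to classify the principals seen in a project's activity log, so that expected background service-agent activity can be separated from user-created service accounts and from IDs that do not fit either format. The log lines and the service name `kubernetes-engine` are constructed; the page gives no log format, and the project name is taken from context because project names may contain hyphens.

```python
import re
from collections import Counter

SA_DOMAIN = "kc.serviceaccount.com"  # domain suffix from the ID formats on this page


def classify(principal, project):
    """Classify a principal ID given the project the activity was logged in.

    service account: {user input}-{project}@kc.serviceaccount.com
    service agent:   {project}@{service}.kc.serviceaccount.com
    Anything else is treated as a console user (assumption: no format given).
    """
    local, sep, domain = principal.rpartition("@")
    if not sep:
        return {"kind": "user"}
    if domain == SA_DOMAIN:
        suffix = "-" + project
        if local.endswith(suffix) and len(local) > len(suffix):
            return {"kind": "service_account", "name": local[:-len(suffix)], "project": project}
        return {"kind": "malformed", "id": principal}  # wrong project or empty user input
    if domain.endswith("." + SA_DOMAIN):
        service = domain[:-len("." + SA_DOMAIN)]
        if local == project and service and "." not in service:
            return {"kind": "service_agent", "service": service, "project": project}
        return {"kind": "malformed", "id": principal}
    return {"kind": "user"}


PRINCIPAL_RE = re.compile(r"\bprincipal=(\S+)")


def tally(log_text, project):
    """Count principal kinds over log lines and collect IDs that fit no format."""
    counts, malformed = Counter(), []
    for line in log_text.splitlines():
        match = PRINCIPAL_RE.search(line)
        if not match:
            continue
        info = classify(match.group(1), project)
        counts[info["kind"]] += 1
        if info["kind"] == "malformed":
            malformed.append(info["id"])
    return counts, malformed


# Constructed sample lines (not real KakaoCloud log output).
SAMPLE_LOG = """\
principal=deploy-prod-web@kc.serviceaccount.com action=vm.create
principal=prod-web@kubernetes-engine.kc.serviceaccount.com action=vm.create
principal=alice action=console.login
principal=ci-prod-web@kc.serviceaccount.com action=vm.delete
principal=stray@kc.serviceaccount.com action=vm.delete
"""

if __name__ == "__main__":
    print(tally(SAMPLE_LOG, "prod-web"))
```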
IAM role
IAM roles in KakaoCloud are collections of permissions. Assigning a specific role to a user automatically grants the permissions associated with that role to the user.
Basic role
Basic roles are roles provided by default in KakaoCloud. They are divided into organization roles and project roles, and multiple roles can be added to a user. For detailed information on role management, refer to the Manage role document.
Organization role
Organization roles are as follows.
Role | Description |
---|---|
Org Owner | The highest role automatically acquired by the user who applied for organization creation - Automatically acquires Org Admin and Billing Admin roles upon organization creation - The Org Owner role cannot be deleted and must be transferred to another user if needed |
Org Admin | Manages the organization and projects (excluding resources) - Can register and delete users in the organization - Can create and delete groups, create projects - Can change the response status and question type of general inquiries in the Helpdesk - Includes all permissions of the organization leader role |
Org Reader | Can view users and IAM roles within the organization and projects (cannot manage project resources) |
Billing Admin | Manages payment methods, credits, etc., in Billing - Includes all permissions of the Billing Manager role |
Billing Manager | Views estimated cost and bills for all projects in Billing - Includes all permissions of the Billing Viewer role |
Billing Viewer | Views resource usage and estimated cost for all projects in Billing |
Trail Viewer | A role limited to Cloud Trail - Can view organization events (project creation/deletion, console login/logout, billing inquiry) and project events - For detailed information on the events that can be viewed, refer to Cloud Trail |
Alert Center Admin | A role limited to Alert Center - Can view the registration and dispatch history of alerts for organizational units in Alert Center - For detailed information on the events that can trigger alarms, refer to Alert Center's Notification Policy |
Permissions by organization role
Permission | Org Owner | Org Admin | Org Reader | Billing Admin | Billing Manager | Billing Viewer | Trail Viewer | Alert Center Admin |
---|---|---|---|---|---|---|---|---|
Create/delete organization | ✓ | |||||||
Modify organization info | ✓ | |||||||
Register/delete users | ✓ | |||||||
Add/delete IAM roles | ✓ | |||||||
View organization/project info & IAM roles | ✓ | ✓ | ||||||
Manage groups | ✓ | |||||||
Answer general inquiries in Helpdesk | ✓ | |||||||
Modify account & IdP Integration | ✓ | |||||||
Configure security settings | ✓ | ✓ | ||||||
Add/delete billing roles | ✓ | |||||||
Manage Payment methods | ✓ | |||||||
Manage credits | ✓ | |||||||
View invoices | ✓ | ✓ | ||||||
View estimated cost for all projects | ✓ | ✓ | ||||||
View estimated cost for specific projects | ✓ | ✓ | ✓ | |||||
View organization and project Events | ✓ | |||||||
Register and view the sent history of Organization event alarms | ✓ | |||||||
Project role
Project roles consist of Project Admin, Project Member, Project Reader, and Kubeflow Admin. These roles manage project members or grant access to project resources.
To access specific project resources, one must have the corresponding project role.
To add or remove a project role for a user, Org Admin or Project Admin permissions are required.
Types of project role
Role | Description |
---|---|
Project Admin | A role with access and management permissions for resources within the affiliated project - Can perform CRUD (create, read, update, delete) on project resources - Can add, delete, or change project roles for users - Includes all permissions of the project member |
Project Member | A role with access and management permissions for resources within the affiliated project - Can perform CRUD (create, read, update, delete) on project resources |
Project Reader | A role with only the permission to view resources within the affiliated project - Can read (view) project resources |
Kubeflow Admin | A role limited to Kubeflow - Can perform CRUD (create, read, update, delete) on Kubeflow resources |
Permissions by project role
Permission | Org Owner | Org Admin | Project Admin | Project Member | Project Reader |
---|---|---|---|---|---|
Create/delete project | ✓ | ||||
Modify project information | ✓ | ||||
Manage project roles | ✓ | ✓ | |||
CRUD on all resources within project | ✓ | ✓ | |||
CRUD on owned resources within project | ✓ | ✓ | |||
View owned resources within project | ✓ | ✓ | ✓ | ||
Permissions for Project Member may vary by service. For more details, please refer to the documentation for each service.
Group permissions
Group permissions refer to the organization or project roles assigned to a user group, granting permissions acquired by group members. Group members automatically gain the permissions set for the group. Group permissions allow for easy management by linking multiple users and roles at once.
For more detailed information on managing groups, refer to Manage user and group.
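As an added illustration (not KakaoCloud code) of the group rules in the Group section above and in this Group permissions section, the following Python model resolves a user's effective roles from directly added roles and group permissions, and applies the revocation and API-token-expiry rules the page states. The role-inclusion relations are only those the page names explicitly; the class, method names and the check that rejects nested groups and service accounts as members are assumptions of this example.

```python
from dataclasses import dataclass, field

# "Includes all permissions of" relations stated on this page.
ROLE_INCLUDES = {
    "Project Admin": {"Project Member"},
    "Billing Admin": {"Billing Manager"},
    "Billing Manager": {"Billing Viewer"},
}


@dataclass
class Iam:
    direct: dict = field(default_factory=dict)       # user -> roles added directly
    group_roles: dict = field(default_factory=dict)  # group -> roles (group permissions)
    members: dict = field(default_factory=dict)      # group -> member users
    token_valid: dict = field(default_factory=dict)  # user -> API token still valid?

    def grant(self, user, role):
        self.direct.setdefault(user, set()).add(role)
    def add_group_role(self, group, role):
        self.group_roles.setdefault(group, set()).add(role)
    def issue_token(self, user):
        self.token_valid[user] = True
    def add_member(self, group, principal):
        # Page: only users join groups; no nested groups, no service accounts.
        if principal in self.members or principal.endswith("kc.serviceaccount.com"):
            raise ValueError(f"{principal} cannot be a group member")
        self.members.setdefault(group, set()).add(principal)
    def _expire_token(self, group, user):
        # Page: removal expires the token only if the group carried permissions.
        if self.group_roles.get(group):
            self.token_valid[user] = False
    def remove_member(self, group, user):
        self.members.get(group, set()).discard(user)
        self._expire_token(group, user)
    def delete_group(self, group):
        for user in self.members.pop(group, set()):
            self._expire_token(group, user)
        self.group_roles.pop(group, None)
    def effective_roles(self, user):
        roles = set(self.direct.get(user, ()))  # direct roles survive group changes
        for group, users in self.members.items():
            if user in users:
                roles |= self.group_roles.get(group, set())
        todo = list(roles)  # expand "includes all permissions of" chains
        while todo:
            for inc in ROLE_INCLUDES.get(todo.pop(), ()):
                if inc not in roles:
                    roles.add(inc)
                    todo.append(inc)
        return roles
```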