Key concepts

KakaoCloud IAM uses a role-based access control (RBAC) model to manage permissions for users, organizations, and projects based on predefined roles.

Resource

A resource is an abstract unit of computing assets such as instances, storage, and networks that can be created in a project, or services provided by KakaoCloud.

Figure. KakaoCloud resource hierarchy

Organization: The top-level concept in the KakaoCloud hierarchy. It is an abstract space in which projects, users, and other entities are grouped into one organization.
Project: The upper-level unit that owns service-level resources.
  - Must belong to a specific organization
  - Resource quotas are set at the project level
  - Users must be granted a project role to access project resources
Service: Individual products provided by KakaoCloud.
  - All resources within a service are created and managed under a project
  - Examples: VM, VPC, Object Storage

IAM and Project Management role permissions

KakaoCloud IAM is divided into the IAM service, which manages IAM across the entire organization, and Project Management, which manages IAM at the project level.

IAM service

The IAM service provides functionality to manage organizational resources (users, roles, groups, projects) in an integrated manner.
You can access the IAM service from KakaoCloud Console > Management > IAM.

Roles compared: Organization Admin, Organization Reader, IAM Organization Admin, IAM Organization Viewer
Features:
  • Create, delete, modify projects
  • View project details
  • Invite, delete users, edit roles
  • View user details
  • View IAM role information
  • Create, delete groups, edit roles
  • View group details
  • View credential data
  • Manage organization settings (login, security)
  • View organization settings (login, security)

Project Management

Project Management is a sub-function of IAM for managing project-level resources. It allows you to view and manage project members and project roles.
You can access Project Management from the Go to Project Management button located at the top right of the KakaoCloud Console dashboard.

Roles compared: Project Admin, Project Member, Project Reader, IAM Project Admin, IAM Project Viewer
Features:
  • Assign, remove, edit user roles
  • View list of users and roles
  • Assign, remove, edit group roles
  • View group role details
  • Create, delete service accounts, manage credentials
  • View service accounts, view credentials
  • View service agents

User

A user is an account that can log in to the KakaoCloud Console. A user can have roles in specific projects and also be a member of groups.

User: A KakaoCloud account that can log in to the console.
  - Can use both the KakaoCloud Console and the API
  - Must be unique within its organization
Project role: A user who holds a project role (Admin, Member, Reader) in a specific project.
  - Must be granted a project role to access project resources
Group member: A user belonging to a specific group.
  - Inherits roles according to group permissions
  - If the group is deleted or the user is removed from it, the group permissions are revoked immediately
  - For more details, see Group below

Group

A group is a set of users who share specific roles. By adding or removing roles at the group level, IAM roles can be managed efficiently. If a role is assigned to a group, all members inherit it. If the role is removed, it is revoked immediately. Directly assigned roles remain unchanged.

For more details, see Create and manage group.

Figure. Group structure

Group policy
  • Multiple users can be added to a group, and users can belong to multiple groups.
  • Only users can be added to groups; service accounts cannot be added.
  • Groups cannot contain other groups.
  • If a group is deleted or a member is removed, inherited group permissions are revoked immediately.
  • If a group is deleted or a member is removed, the API authentication tokens of the group members expire immediately (unless they have other directly assigned permissions).

Service account

A service account is not an actual IAM user but an account created by a user to issue authentication tokens required for calling KakaoCloud APIs.
Project members can use service account API tokens to access or manage KakaoCloud resources.

The service account ID format is {custom-input}-project-name@kc.serviceaccount.com. A service account can be assigned a project role at creation. However, service accounts cannot log in to the console and are not listed in the organization user list.

For details, see Manage service account.

Service account: An account for issuing the authentication tokens required to call KakaoCloud APIs.
  - Created by users; not a real IAM user
  - ID format: {custom-input}-project-name@kc.serviceaccount.com

Service account credentials

You can generate IAM access keys and S3 access keys for service accounts. These keys can then be used to issue API authentication tokens.
For more information, see Manage service account.

Service account quota

Up to 100 service accounts can be created per project, including inactive accounts. Each service account can have up to 2 IAM access keys and 2 S3 access keys. Service accounts themselves are not counted toward the quota.

Service agent account

A service agent account is automatically created when you use certain KakaoCloud services. It is used by KakaoCloud to directly access resources in the background or to perform user requests.
For example, when you add a node pool in Kubernetes Engine, a Kubernetes Engine service agent account creates instances in the Virtual Machine service.

The service agent account ID format is project-name@service-name.kc.serviceaccount.com. Service agents cannot be created or deleted manually. They are automatically deleted when the project is deleted.

You can view service agents from KakaoCloud Console > Dashboard > Go to Project Management > Service Agent.
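As an added example (not KakaoCloud's own code), the following Python classifies an identity by the two ID formats given on this page (service account: {custom-input}-project-name@kc.serviceaccount.com; service agent: project-name@service-name.kc.serviceaccount.com), which is useful for separating background agent activity from user activity when reviewing events, and checks a group member list against the rule that only users can be added to groups. The allowed name characters, the project_name parameter and the sample identities are assumptions.

```python
import re

# ID formats as stated on this page (the [a-z0-9-] character class is an assumption):
#   service account: {custom-input}-project-name@kc.serviceaccount.com
#   service agent:   project-name@service-name.kc.serviceaccount.com
AGENT_RE = re.compile(r"^(?P<project>[a-z0-9-]+)@(?P<service>[a-z0-9-]+)\.kc\.serviceaccount\.com$")
SA_RE = re.compile(r"^(?P<local>[a-z0-9-]+)@kc\.serviceaccount\.com$")

def classify_identity(identity, project_name=None):
    """Return (kind, details); kind is 'service_agent', 'service_account' or 'user'."""
    ident = identity.strip().lower()
    m = AGENT_RE.match(ident)
    if m:
        return "service_agent", {"project": m["project"], "service": m["service"]}
    m = SA_RE.match(ident)
    if m:
        local = m["local"]
        details = {"custom_input": None, "project": None}
        # The custom input may itself contain hyphens, so the project name can
        # only be split off reliably when the caller supplies it.
        if project_name and local.endswith("-" + project_name.lower()):
            details["custom_input"] = local[: -len(project_name) - 1]
            details["project"] = project_name.lower()
        return "service_account", details
    return "user", {}

def non_user_members(members):
    """Identities that must not be in a group: service accounts and service agents."""
    return [m for m in members if classify_identity(m)[0] != "user"]

def summarize(identities, project_name=None):
    """Count identities by kind, e.g. to separate agent activity from user activity."""
    counts = {"user": 0, "service_account": 0, "service_agent": 0}
    for ident in identities:
        counts[classify_identity(ident, project_name)[0]] += 1
    return counts

# Constructed sample identities (not real KakaoCloud accounts or service names).
SAMPLE = [
    "alice@example.com",
    "ci-deploy-my-project@kc.serviceaccount.com",
    "my-project@kubernetes-engine.kc.serviceaccount.com",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "my-project"))
    print(non_user_members(SAMPLE))
```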

IAM role

An IAM role is a collection of permissions. When a role is assigned to a user, the user automatically inherits the permissions of that role.

Basic roles

Basic roles are default roles provided by KakaoCloud. They are divided into organization roles and project roles.
For more details, see Manage role.

Organization roles

Organization roles are roles required for managing services at the organization level.

Note
  • The organization owner is the user who applies to create the organization. The owner is automatically assigned the Organization Admin and Billing Admin roles.
  • Ownership can be transferred to another user, who will then also be assigned the Organization Admin and Billing Admin roles.
  • Only the organization owner can request organization creation or deletion.

Organization roles

Organization Admin: Manages organizations and projects (excluding resources).
  - Can register and delete users in the organization
  - Can create and delete groups, and create projects
  - Can change the status or type of questions in Helpdesk inquiries
  - Includes all permissions of Organization Reader
Organization Reader: Can view users and IAM roles of the organization and its projects (cannot manage resources).
IAM Organization Admin: Manages IAM service resources.
  - Can manage users and groups in the organization
  - Can manage projects and configure login and security settings
IAM Organization Viewer: Views IAM service resources.
  - Can view users and groups in the organization
  - Can view projects and login/security settings
Billing Admin: In the Billing service, manages payment methods and credits.
  - Includes all permissions of Billing Manager
Billing Manager: In the Billing service, can view estimated costs and invoices for projects.
  - Includes all permissions of Billing Viewer
Billing Viewer: In the Billing service, can view resource usage and estimated costs for projects.
Trail Viewer: Can view organization events (project creation/deletion, console login/logout, billing inquiries).
  - For details, see Manage IAM roles in Cloud Trail
  - For event details, see Organization events available in Cloud Trail
Alert Center Organization Manager: In Alert Center, manages organization-level alert policies, notification channels, and delivery history.
  - For details, see Manage IAM roles in Alert Center
  - For available events, see Alert policies in Alert Center
Alert Center Organization Viewer: In Alert Center, views organization-level alert policies, notification channels, and delivery history.
  - For details, see Manage IAM roles in Alert Center

Project roles

Project roles are roles required for managing services at the project level.

Project role types

Project Admin: Has full access to resources within the project.
  - Can perform CRUD (create, read, update, delete) on project resources
  - Can add, remove, and modify user roles in the project
  - Can manage service accounts and service agents
  - Includes all permissions of Project Member
Project Member: Has access to manage project resources.
  - Can perform CRUD on project resources
Project Reader: Has read-only access to project resources.
IAM Project Admin: Manages Project Management service resources.
  - Can manage users and groups in the project
  - Can manage service accounts and credentials
IAM Project Viewer: Views Project Management service resources.
  - Can view users, groups, service accounts, and credentials
Object Storage Manager: Can create and view buckets in Object Storage. Bucket management depends on bucket-level role settings.
  - For details, see IAM roles in Object Storage
Object Storage Viewer: Can view Object Storage buckets. Bucket management depends on bucket-level role settings.
File Storage Manager: Full CRUD permissions on all File Storage resources.
  - For details, see IAM roles in File Storage
File Storage Viewer: Read-only access to all File Storage resources.
Kubeflow Admin: CRUD permissions on Kubeflow resources.
Alert Center Project Manager: In Alert Center, manages project-level alert policies, notification channels, and delivery history.
  - For details, see Manage IAM roles in Alert Center
  - For available events, see Alert policies in Alert Center
Alert Center Project Viewer: In Alert Center, views project-level alert policies, notification channels, and delivery history.
DNS Manager: CRUD permissions on project-level DNS resources.
  - For details, see Manage IAM roles in DNS
DNS Viewer: Read-only access to project-level DNS resources.
Pub/Sub Manager: CRUD permissions on topics and subscriptions in Pub/Sub.
  - Includes Publisher, Subscriber, and Viewer permissions
  - For details, see Pub/Sub role permissions
Pub/Sub Publisher: Publishes messages to Pub/Sub topics.
Pub/Sub Subscriber: Receives and processes messages from Pub/Sub subscriptions.
Pub/Sub Viewer: Views lists of Pub/Sub topics and subscriptions.
KMS Manager: CRUD permissions on project-level KMS resources.
  - For details, see Manage IAM roles in KMS
KMS Viewer: Read-only access to project-level KMS resources.
Secrets Manager Manager: CRUD permissions on project-level Secrets Manager resources.
  - For details, see Manage IAM roles in Secrets Manager
Secrets Manager Viewer: Read-only access to project-level Secrets Manager resources.

Group permissions

Group permissions are the permissions a group acquires when organization or project roles are assigned to it. Group members automatically inherit these permissions. Group permissions make it easy to assign roles to multiple users at once.

For more details, see Create and manage group.
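As an added example (not KakaoCloud's own code), the following Python models the rules from the Group section and this section: a user's effective roles are the directly assigned roles plus the roles of every group the user belongs to, expanded through the "Includes all permissions of ..." relationships listed under Basic roles; deleting a group or removing a member revokes the inherited roles at once, while directly assigned roles remain. The in-memory Directory class and the reading of "other directly assigned permissions" as "any role still in effect" are assumptions.

```python
from collections import deque

# "Includes all permissions of ..." relationships as listed on this page;
# roles not listed here include nothing further.
ROLE_INCLUDES = {
    "Organization Admin": {"Organization Reader"},
    "Billing Admin": {"Billing Manager"},
    "Billing Manager": {"Billing Viewer"},
    "Project Admin": {"Project Member"},
    "Pub/Sub Manager": {"Pub/Sub Publisher", "Pub/Sub Subscriber", "Pub/Sub Viewer"},
}

def expand(roles):
    """Transitive closure of the 'includes' relation over a set of roles."""
    seen, todo = set(), deque(roles)
    while todo:
        role = todo.popleft()
        if role not in seen:
            seen.add(role)
            todo.extend(ROLE_INCLUDES.get(role, ()))
    return seen

class Directory:
    """Assumed in-memory model: direct role assignments plus groups with roles and members."""
    def __init__(self):
        self.direct = {}   # user -> set of directly assigned roles
        self.groups = {}   # group name -> {"roles": set, "members": set}
    def assign(self, user, role):
        self.direct.setdefault(user, set()).add(role)
    def add_group(self, name, roles):
        self.groups[name] = {"roles": set(roles), "members": set()}
    def add_member(self, group, user):
        if user in self.groups:          # page rule: groups cannot contain other groups
            raise ValueError("groups cannot contain other groups")
        self.groups[group]["members"].add(user)
    def remove_member(self, group, user):
        self.groups[group]["members"].discard(user)
    def delete_group(self, group):
        del self.groups[group]           # inherited roles vanish with the group
    def effective_roles(self, user):
        roles = set(self.direct.get(user, ()))
        for g in self.groups.values():
            if user in g["members"]:
                roles |= g["roles"]      # inherited only while membership exists
        return expand(roles)
    def token_still_valid(self, user):
        # Page: tokens expire on group deletion/removal unless the user has other
        # directly assigned permissions (assumed here: any role still in effect).
        return bool(self.effective_roles(user))
```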