Service roles
Service roles control access to the resources of a specific cloud service, or separate operational responsibilities by function.
They are typically used to manage resources within a single service or to grant limited permissions for specific operations, such as creating buckets in Object Storage or managing configurations in Kubeflow.
Service roles sit below organization roles and project roles in the role hierarchy.
They are supplementary permission sets: they refine access control or delegate limited authority for service-specific operations, and they do not replace organization or project roles.
Types of service roles
Kakao Cloud provides various service roles that allow fine-grained control over access to each service’s resources.
For detailed scope and permissions, refer to the documentation for each individual service.
Most service roles are applied at the project level, but some can be used at the organization level or across both.
For example:
- Billing provides roles at both the organization and project levels based on payment management functions.
- Alert Center allows policy and notification management at both organization and project levels.
- Cloud Trail is available only at the organization level.
| Role | Permissions | Included sub-roles |
|---|---|---|
| Billing Admin | Manage payment methods, credits, invoices, and resource usage in Billing service. | Billing Manager, Billing Viewer |
| Billing Manager | View invoices, usage reports, and estimated costs in Billing service. | Billing Viewer |
| Billing Viewer | View estimated costs and resource usage for assigned projects in Billing service. | – |
| Object Storage Manager | Create and list buckets in Object Storage. Bucket management permissions follow Object Storage IAM roles. | Object Storage Viewer |
| Object Storage Viewer | View bucket lists in Object Storage. Bucket-level access depends on bucket configuration. | – |
| File Storage Manager | Create, read, update, and delete all File Storage resources. See File Storage IAM roles for detailed permissions. | File Storage Viewer |
| File Storage Viewer | View all File Storage resources. | – |
| Kubeflow Admin | Create, read, update, and delete Kubeflow resources. | – |
| Cloud Trail Trail Viewer | View organization-level events (e.g., project creation/deletion, logins, billing queries). See Cloud Trail IAM role management for details. | – |
| Alert Center Organization Manager | Manage organization-level Alert Center resources (e.g., policies, channels). See Alert Center IAM role management and Alert policies. | Alert Center Organization Viewer |
| Alert Center Organization Viewer | View organization-level Alert Center resources. | – |
| Alert Center Project Manager | Manage project-level alert policies, channels, and delivery logs. See Alert Center IAM role management and Alert policies. | Alert Center Project Viewer |
| Alert Center Project Viewer | View project-level alert policies, channels, and delivery logs. | – |
| DNS Manager | Create, read, update, and delete DNS resources. See DNS IAM role management for details. | DNS Viewer |
| DNS Viewer | View DNS resources. | – |
| Pub/Sub Manager | Create, view, update, and delete topics and subscriptions. See Pub/Sub role permissions. | Pub/Sub Publisher, Pub/Sub Subscriber, Pub/Sub Viewer |
| Pub/Sub Publisher | Publish messages to topics. | – |
| Pub/Sub Subscriber | Receive and process messages. | – |
| Pub/Sub Viewer | View topic and subscription lists. | – |
| KMS Manager | Create, read, update, and delete KMS resources. See KMS IAM role management for details. | KMS Viewer |
| KMS Viewer | View KMS resources. | – |
| Secrets Manager Manager | Create, read, update, and delete Secrets resources. See Secrets Manager IAM role management for details. | Secrets Manager Viewer |
| Secrets Manager Viewer | View Secrets resources. | – |
| IAM Organization Admin | Manage organization-level IAM resources: users, groups, projects, roles, service accounts, and security settings across the organization. | IAM Organization Viewer |
| IAM Organization Viewer | View organization-level IAM resources (Management > IAM menu). | – |
| IAM Project Admin | Manage project-level IAM resources: users, groups, service accounts, and roles within a project. | IAM Project Viewer |
| IAM Project Viewer | View project-level IAM resources (Project Management menu). | – |
Role combinations
Following the principle of least privilege, assign only the minimum roles necessary to perform required operations.
Higher-level roles already include subordinate permissions, so redundant role assignment is unnecessary.
Multiple roles should only be combined when their scope or responsibility is clearly distinct.
When a service role is combined with an organization or project role, the organization or project role takes precedence; the service role only adds service-specific permissions on top of it and never narrows what the broader role already grants.
The table below outlines common combinations involving service roles.
| Role combination | Description |
|---|---|
| Service role (standalone) | Grants access to, and control over, only the target service's resources. → Service-level operations are possible without any organization or project role, and nothing outside that service is reachable. |
| Project Admin + Service Viewer ❌ | ⚠️ Duplicate assignment: Project Admin already has full management and view permissions for most services. → An additional service viewer role adds nothing; assign Project Admin only. |
| Project Reader + Service Manager | Project Reader cannot modify resources across the project, but the added service role lets the user manage and operate that specific service. → Suitable for delegating service-level operational authority. Example: Project Reader + Object Storage Manager. |
| Project Reader + Service Viewer ❌ | ⚠️ Duplicate assignment: Project Reader already has view permissions for most services. → An additional viewer role adds nothing; assign Project Reader only. |
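The "Included sub-roles" column above and the combination table make redundancy mechanical: a role is redundant when another role assigned to the same principal already implies it. The script below is an added example, not Kakao Cloud tooling; it encodes the sub-role inclusions exactly as the service-role table lists them and flags assignments that violate the combination rules. How Project Admin and Project Reader map onto individual service roles is an assumption: the page says they cover "most" services without naming them, so that mapping must be confirmed against each service's own IAM documentation before relying on the audit result.

```python
"""Flag redundant IAM role assignments using the service-role hierarchy.

Added example for this page, not Kakao Cloud tooling. The "Included sub-roles"
data is copied from the service-role table; how Project Admin and Project
Reader map onto service roles is an ASSUMPTION (the page says they cover
"most" services without listing them) and must be verified per service.
"""
from __future__ import annotations

from typing import Iterable

# Included sub-roles, as listed in the service-role table on this page.
INCLUDES: dict[str, set[str]] = {
    "Billing Admin": {"Billing Manager", "Billing Viewer"},
    "Billing Manager": {"Billing Viewer"},
    "Object Storage Manager": {"Object Storage Viewer"},
    "File Storage Manager": {"File Storage Viewer"},
    "Alert Center Organization Manager": {"Alert Center Organization Viewer"},
    "Alert Center Project Manager": {"Alert Center Project Viewer"},
    "DNS Manager": {"DNS Viewer"},
    "Pub/Sub Manager": {"Pub/Sub Publisher", "Pub/Sub Subscriber", "Pub/Sub Viewer"},
    "KMS Manager": {"KMS Viewer"},
    "Secrets Manager Manager": {"Secrets Manager Viewer"},
    "IAM Organization Admin": {"IAM Organization Viewer"},
    "IAM Project Admin": {"IAM Project Viewer"},
}

# ASSUMPTION: the project-level service roles that Project Admin and Project
# Reader already cover. Billing is left out because it spans both levels.
_PROJECT_VIEWERS = {
    "Object Storage Viewer", "File Storage Viewer", "DNS Viewer",
    "Pub/Sub Viewer", "KMS Viewer", "Secrets Manager Viewer",
    "Alert Center Project Viewer",
}
_PROJECT_MANAGERS = {
    "Object Storage Manager", "File Storage Manager", "DNS Manager",
    "Pub/Sub Manager", "KMS Manager", "Secrets Manager Manager",
    "Alert Center Project Manager",
}
INCLUDES["Project Admin"] = _PROJECT_MANAGERS | _PROJECT_VIEWERS
INCLUDES["Project Reader"] = set(_PROJECT_VIEWERS)


def implied_roles(role: str) -> set[str]:
    """Every role implied by `role`, following sub-role inclusion transitively.

    The role itself is not part of the result; unknown roles imply nothing.
    """
    closure: set[str] = set()
    stack = list(INCLUDES.get(role, ()))
    while stack:
        sub = stack.pop()
        if sub not in closure:
            closure.add(sub)
            stack.extend(INCLUDES.get(sub, ()))
    return closure


def redundant_roles(assigned: Iterable[str]) -> dict[str, str]:
    """Map each redundant role to an assigned role that already implies it."""
    roles = sorted(set(assigned))
    verdict: dict[str, str] = {}
    for role in roles:
        for other in roles:
            if other != role and role in implied_roles(other):
                verdict[role] = other
                break
    return verdict


def minimal_assignment(assigned: Iterable[str]) -> set[str]:
    """The least-privilege equivalent: the same assignment minus redundant roles."""
    roles = set(assigned)
    return roles - set(redundant_roles(roles))


if __name__ == "__main__":
    # Constructed sample assignments mirroring the combination table above.
    samples = {
        "alice": {"Project Admin", "Object Storage Viewer"},
        "bob": {"Project Reader", "Object Storage Manager"},
        "carol": {"Billing Admin", "Billing Manager", "Billing Viewer"},
    }
    for principal, roles in samples.items():
        for role, because in redundant_roles(roles).items():
            print(f"{principal}: {role!r} is redundant, already implied by {because!r}")
        print(f"{principal}: minimal assignment -> {sorted(minimal_assignment(roles))}")
```

Run against an export of each principal's current role assignments, the audit reports which roles can be dropped without changing effective permissions (alice loses Object Storage Viewer, carol keeps only Billing Admin) and leaves legitimate delegations such as bob's Project Reader + Object Storage Manager untouched. Anything outside the listed inclusions, for example Kubeflow Admin, is treated as standalone and never flagged.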