Manage user roles through Container Cloud API

You can manage IAM user role bindings through Container Cloud API. For the API reference of the IAM custom resources, see IAM resources. You can also manage user roles using the Container Cloud web UI.


User management for the Mirantis OpenStack for Kubernetes m:os roles is not yet available through API or web UI. Therefore, continue managing these roles using Keycloak.

You can use the following objects depending on the way you want the role to be assigned to the user:

  • IAMGlobalRoleBinding for global role bindings

    Any IAM role can be used in IAMGlobalRoleBinding and will be applied globally, not limited to a specific project or cluster. For example, the global-admin role.

  • IAMRoleBinding for project role bindings

    Any role except the global-admin one apply. For example, using the operator and user IAM roles in IAMRoleBinding of the example project corresponds to assigning of m:kaas:example@operator/user in Keycloak. You can also use these IAM roles in IAMGlobalRoleBinding. In this case, the roles corresponding to every project will be assigned to a user in Keycloak.

  • IAMClusterRoleBinding for cluster role bindings

    Only the cluster-admin and stacklight-admin roles apply to IAMClusterRoleBinding. Creation of such objects corresponds to the assignment of m:k8s:namespace:cluster@cluster-admin/stacklight-admin in Keycloak. You can also bind these roles to either IAMGlobalRoleBinding or IAMRoleBinding. In this case, the roles corresponding to all clusters and in all projects or one particular project will be assigned to a user.

This section describes available IAM roles with use cases and the Container Cloud API IAM*RoleBinding mapping with Keycloak.