Manage user roles through Keycloak


Starting from Container Cloud 2.14.0:

  • User roles management is available through the Container Cloud API and web UI.

  • User management for the m:os roles is not yet available through API or web UI. Therefore, continue managing these roles using Keycloak.

  • Role names have been updated. For details, see Mapping of Keycloak roles to IAM*RoleBinding objects.

Mirantis Container Cloud creates IAM roles per scope. For each application type (kaas, k8s, or sl), Container Cloud creates a set of roles within that scope, such as @admin, @cluster-admin, @reader, @writer, and @operator.

Depending on the role, you can perform specific operations in a Container Cloud cluster. For example:

  • With the m:kaas@writer role, you can create a project using the Container Cloud web UI. iam-controller then automatically creates the corresponding project-specific roles in Keycloak.

  • With any of the m:kaas* roles, that is, any role in the kaas scope, you can download the kubeconfig of the management cluster.

The semantic structure of role naming in Container Cloud is as follows:

Role naming semantic structure, in the order in which the parts appear in a role name such as m:kaas@writer:

  • m: is the prefix for all IAM roles in Container Cloud

  • Application type:

      • kaas for the management cluster and Container Cloud API

      • k8s for the managed cluster

      • sl for StackLight

  • Namespace name, optional depending on the application type

  • Managed cluster name, optional depending on the application type

  • @ is the delimiter between the scope (everything before it) and the role

  • Short name of the role within the scope, for example writer
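The following is an added example, not code from the Mirantis documentation or from Container Cloud itself. It parses role names of the structure described above into their parts and then answers the two questions from the examples earlier in this section (who can download the management cluster kubeconfig, who can create a project) from a user's Keycloak role mapping. It assumes that the namespace and cluster parts are separated from the application type by ":" (the page only shows the "m:" prefix and the "@" delimiter), that namespace and cluster names are DNS labels, and that anything not matching the structure (Keycloak built-in roles, m:os roles) is skipped rather than rejected. The role mapping is constructed sample input.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Structure: m:<app>[:<namespace>[:<cluster>]]@<role>
# The ":" separators between scope parts are an assumption of this example;
# the "m:" prefix and the "@" scope/role delimiter come from the role names
# shown on the page (m:kaas@writer, m:os, @admin).
ROLE_RE = re.compile(
    r"^m:(?P<app>kaas|k8s|sl)"
    r"(?::(?P<namespace>[a-z0-9][a-z0-9-]*))?"
    r"(?::(?P<cluster>[a-z0-9][a-z0-9-]*))?"
    r"@(?P<role>[a-z][a-z-]*)$"
)


@dataclass(frozen=True)
class IamRole:
    app: str                  # kaas, k8s or sl
    namespace: Optional[str]  # None when the role is not namespace-scoped
    cluster: Optional[str]    # None when the role is not cluster-scoped
    role: str                 # short role name, e.g. writer


def parse_role(name: str) -> IamRole:
    """Split one Container Cloud IAM role name into its parts."""
    m = ROLE_RE.match(name)
    if m is None:
        raise ValueError(f"not a Container Cloud IAM role: {name!r}")
    return IamRole(m["app"], m["namespace"], m["cluster"], m["role"])


def parse_role_mapping(names: Iterable[str]) -> List[IamRole]:
    """Parse a user's Keycloak role mapping, keeping only m:kaas/m:k8s/m:sl roles.

    m:os roles use a different structure and Keycloak built-ins such as
    offline_access are not IAM roles, so both are skipped.
    """
    roles = []
    for name in names:
        try:
            roles.append(parse_role(name))
        except ValueError:
            continue
    return roles


def can_download_mgmt_kubeconfig(roles: Iterable[IamRole]) -> bool:
    """Any m:kaas* role allows downloading the management cluster kubeconfig."""
    return any(r.app == "kaas" for r in roles)


def can_create_project(roles: Iterable[IamRole]) -> bool:
    """Creating a project requires the global m:kaas@writer role (no namespace part)."""
    return any(
        r.app == "kaas" and r.namespace is None and r.role == "writer"
        for r in roles
    )


# Constructed sample: realm role mapping of one Keycloak user.
SAMPLE_MAPPING = [
    "offline_access",               # Keycloak built-in, skipped
    "m:kaas@writer",                # global writer in the kaas scope
    "m:os@admin",                   # m:os role, managed separately, skipped
    "m:k8s:demo:child@cluster-admin",
    "m:sl:demo:child@operator",
]

if __name__ == "__main__":
    roles = parse_role_mapping(SAMPLE_MAPPING)
    for r in roles:
        print(r)
    print("management kubeconfig:", can_download_mgmt_kubeconfig(roles))
    print("create project:", can_create_project(roles))
```

Running the block on the sample mapping reports three IAM roles, with both checks true; a mapping that contains only namespace- or cluster-scoped k8s and sl roles passes neither check, which is the distinction a reviewer of Keycloak role assignments usually wants to see quickly.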

This section outlines the IAM roles and scopes structure in Container Cloud and role assignment to users using the Keycloak Admin Console.