Google Distributed Cloud (GDC) 에어 갭 어플라이언스에서 가상 머신 (VM)에 대한 작업을 실행하려면 적절한 ID 및 액세스(IAM) 역할과 권한이 있어야 합니다.
GDC 에어갭 어플라이언스는 특정 GDC 에어갭 어플라이언스 리소스에 대한 세분화된 액세스를 위한 ID 및 액세스 관리 (IAM)를 제공하고 다른 리소스에 대한 무단 액세스를 방지합니다. IAM은 최소 권한의 보안 원칙에 따라 작동하며 누가(ID) 어떤 권한(역할)을 갖고 어떤 리소스에 액세스할 수 있는지를 제어합니다. 가상 머신 (VM)을 사용하려면 필요한 역할과 권한이 할당되어 있어야 합니다.
시작하기 전에
gdcloud CLI 명령어를 사용하려면 gdcloud 명령줄 인터페이스 (CLI) 섹션의 필수 단계를 완료하세요. Google Distributed Cloud 오프라인 어플라이언스의 모든 명령어는 gdcloud 또는 kubectl CLI를 사용하며 운영체제 (OS) 환경이 필요합니다.
생성된 파일의 경로를 기록합니다. 다음은 녹화할 경로의 예입니다. /tmp/admin-kubeconfig-with-user-identity.yaml
이 안내에서 MANAGEMENT_API_SERVER를 대체하는 경로를 사용하세요.
IAM 정보
GDC 에어갭 어플라이언스는 특정 GDC 에어갭 어플라이언스 리소스에 대한 세분화된 액세스를 위한 ID 및 액세스 관리 (IAM)를 제공하고 다른 리소스에 대한 무단 액세스를 방지합니다. IAM은 최소 권한의 보안 원칙에 따라 작동하며 IAM 역할과 권한을 사용하여 특정 리소스에 대한 권한이 있는 사용자를 제어합니다.
로그인의 IAM 문서를 읽어보세요. 여기에는 GDC 콘솔 또는 gdcloud CLI에 로그인하고 kubectl를 사용하여 워크로드에 액세스하는 방법이 설명되어 있습니다.
VM 리소스에 대한 사전 정의된 역할
프로젝트에서 VM과 VM 디스크를 만들려면 특정 프로젝트의 프로젝트 IAM 관리자에게 적절한 권한을 요청하세요. 가상 머신을 관리하려면 프로젝트 IAM 관리자가 다음 사전 정의된 역할을 할당해야 합니다.
프로젝트 VirtualMachine 관리자: 프로젝트 네임스페이스의 VM을 관리합니다.
프로젝트 VirtualMachine 이미지 관리자: 프로젝트 네임스페이스의 VM 이미지를 관리합니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[[["\u003cp\u003eBefore performing tasks on virtual machines (VMs) in Google Distributed Cloud (GDC) air-gapped appliance, users must have the necessary Identity and Access Management (IAM) roles and permissions assigned.\u003c/p\u003e\n"],["\u003cp\u003eGDC air-gapped appliance uses IAM to provide granular access to resources based on the principle of least privilege, ensuring that users only have the permissions they need.\u003c/p\u003e\n"],["\u003cp\u003eProject IAM Admins can assign predefined roles such as "Project VirtualMachine Admin" or "Project VirtualMachine Image Admin" to manage VMs and VM images within a specific project.\u003c/p\u003e\n"],["\u003cp\u003eTo verify VM creation permissions, you can use the \u003ccode\u003ekubectl\u003c/code\u003e command with the \u003ccode\u003eauth can-i\u003c/code\u003e check, replacing variables with the \u003ccode\u003eadmin cluster kubeconfig\u003c/code\u003e path and the respective project name.\u003c/p\u003e\n"],["\u003cp\u003eUsers can also verify access to project-level VM images using \u003ccode\u003ekubectl\u003c/code\u003e, which will let them know whether they have the required permissions to view or create those images.\u003c/p\u003e\n"]]],[],null,["# IAM permissions preparation\n\nBefore you perform tasks on virtual machines (VM) in\nGoogle Distributed Cloud (GDC) air-gapped appliance, you must have the proper identity and access\n(IAM) roles and permissions.\n\nGDC air-gapped appliance offers Identity and Access Management (IAM) for\ngranular access to specific GDC air-gapped appliance resources and prevents\nunwanted access to other resources. IAM operates on the security\nprinciple of least privilege and provides control over *who* , or identity, has\n*which permissions*, or roles, and to which resources. You must have the necessary\nroles and permissions assigned to you before you can work with virtual machines (VMs).\n\nBefore you begin\n----------------\n\nTo use gdcloud CLI commands, complete the required steps from the\n[gdcloud command-line interface (CLI)](/distributed-cloud/hosted/docs/latest/appliance/resources/gdcloud-overview)\nsections. All commands for Google Distributed Cloud air-gapped appliance use the\n`gdcloud` or `kubectl` CLI, and require an operating system (OS) environment.\n\n### Get the kubeconfig file paths\n\n1. Run [`gdcloud auth login`](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/iam/sign-in#sign-in)\n to the **Management API server**.\n\n 1. Record the path to the generated file. The following is an example of the\n path to record: \n\n `/tmp/admin-kubeconfig-with-user-identity.yaml`.\n\n 2. Use the path to replace \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e in\n these instructions.\n\nAbout IAM\n---------\n\nGDC air-gapped appliance offers Identity and Access Management (IAM) for\ngranular access to specific GDC air-gapped appliance resources and prevents\nunwanted access to other resources. IAM operates on the security\nprinciple of least privilege and provides control over who has permission\nto given resources using IAM roles and permissions.\n\nRead the IAM documentation in\n[Sign in](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/iam/sign-in), which provides\ninstructions for signing in to the GDC console or the\ngdcloud CLI and using `kubectl` to access your workloads.\n\n### Predefined roles to VM resources\n\nTo create VMs and VM disks in a project, request the appropriate permissions\nfrom your Project IAM Admin for a given project. To manage virtual machines,\nyour Project IAM Admin can assign you the following predefined roles:\n\n- **Project VirtualMachine Admin**: Manages VMs in the project namespace.\n- **Project VirtualMachine Image Admin**: Manages VM images in the project namespace.\n\nFor a list of all predefined roles for Application Operators (AO), see\n[Role descriptions](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/iam/role-descriptions).\n\nThe following are predefined common roles for VMs. For details on common roles,\nsee\n[Common roles](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/iam/role-descriptions#common_roles).\n\n- **VM type viewer**: has read access to predefined VM types.\n- **Public image viewer**: has read access to images GDC air-gapped appliance provides.\n\nTo grant or receive access to VM resources, see\n[Grant access to project resources](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/iam/role-bindings).\n\nVerify user access to VM resources\n----------------------------------\n\n1. [Log in](/distributed-cloud/hosted/docs/latest/appliance/application/ao-user/iam/sign-in#cli) as the\n user requesting or verifying permissions.\n\n2. Verify whether you, or the user, can create virtual machines:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i create virtualmachines.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n Replace the variables by using the following definitions.\n\n If the output is `yes`, you have permissions to create a VM in the\n project \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e. \n\n If the output is `no`, you don't have permissions. Contact your Project\n IAM Admin and request assignment to the Project VirtualMachine Admin\n (`project-vm-admin`) role.\n3. Optional: Verify whether users have access to project-level VM images and whether they can create and use\n `VirtualMachineImage` resources at the project level:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n Replace the variables by using the following definitions.\n\n - If the output is `yes`, the user has permissions to access custom VM images in the project \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e.\n - If the output is `no`, you don't have permissions. Contact your Project IAM Admin role and request assignment to the Project VirtualMachine Image Admin (`project-vm-image-admin`) role."]]