Google Distributed Cloud (GDC) 오프라인에서 가상 머신 (VM) 작업을 실행하려면 적절한 ID 및 액세스(IAM) 역할과 권한이 있어야 합니다.
시작하기 전에
gdcloud CLI 명령어를 사용하려면 gdcloud 명령줄 인터페이스 (CLI) 섹션의 필수 단계를 완료하세요. Google Distributed Cloud 에어 갭의 모든 명령어는 gdcloud 또는 kubectl CLI를 사용하며 운영체제 (OS) 환경이 필요합니다.
관리 API 서버의 kubeconfig 파일 경로를 사용하여 이 안내의 MANAGEMENT_API_SERVER를 바꿉니다.
IAM 정보
Distributed Cloud는 특정 Distributed Cloud 리소스에 대한 세분화된 액세스를 위한 Identity and Access Management (IAM)를 제공하고 다른 리소스에 대한 무단 액세스를 방지합니다. IAM은 최소 권한의 보안 원칙에 따라 작동하며 IAM 역할과 권한을 사용하여 특정 리소스에 대한 권한이 있는 사용자를 제어합니다.
로그인의 IAM 문서를 읽어보세요. 여기에는 GDC 콘솔 또는 gdcloud CLI에 로그인하고 kubectl를 사용하여 워크로드에 액세스하는 방법이 설명되어 있습니다.
VM 리소스에 대한 사전 정의된 역할
프로젝트에서 VM과 VM 디스크를 만들려면 특정 프로젝트의 프로젝트 IAM 관리자에게 적절한 권한을 요청하세요. 모든 VM 역할은 VM이 상주하는 프로젝트의 네임스페이스에 바인드되어야 합니다. 가상 머신을 관리하려면 프로젝트 IAM 관리자가 다음 사전 정의된 역할을 할당해야 합니다.
프로젝트 VirtualMachine 관리자project-vm-admin: 프로젝트 네임스페이스의 VM을 관리합니다.
프로젝트 VirtualMachine 이미지 관리자project-vm-image-admin: 프로젝트 네임스페이스의 VM 이미지를 관리합니다.
[[["이해하기 쉬움","easyToUnderstand","thumb-up"],["문제가 해결됨","solvedMyProblem","thumb-up"],["기타","otherUp","thumb-up"]],[["이해하기 어려움","hardToUnderstand","thumb-down"],["잘못된 정보 또는 샘플 코드","incorrectInformationOrSampleCode","thumb-down"],["필요한 정보/샘플이 없음","missingTheInformationSamplesINeed","thumb-down"],["번역 문제","translationIssue","thumb-down"],["기타","otherDown","thumb-down"]],["최종 업데이트: 2025-09-04(UTC)"],[[["\u003cp\u003eProper Identity and Access Management (IAM) roles and permissions are required before performing tasks on virtual machines (VMs) in Google Distributed Cloud (GDC) air-gapped.\u003c/p\u003e\n"],["\u003cp\u003eTo manage virtual machines in a project, a Project IAM Admin can assign the "Project VirtualMachine Admin" role, while managing VM images require the "Project VirtualMachine Image Admin" role.\u003c/p\u003e\n"],["\u003cp\u003eUsers can verify their permissions to create VMs or access VM images within a specific project using \u003ccode\u003ekubectl\u003c/code\u003e commands and checking for a "yes" or "no" output.\u003c/p\u003e\n"],["\u003cp\u003eGDC offers IAM for granular access control to resources, ensuring that only authorized users can access specific resources, adhering to the principle of least privilege.\u003c/p\u003e\n"]]],[],null,["# IAM permissions preparation\n\nBefore you perform tasks on virtual machines (VM) in\nGoogle Distributed Cloud (GDC) air-gapped, you must have the proper identity and access\n(IAM) roles and permissions.\n\nBefore you begin\n----------------\n\nTo use gdcloud CLI commands, complete the required steps from the\n[gdcloud command-line interface (CLI)](/distributed-cloud/hosted/docs/latest/gdch/resources/gdcloud-overview)\nsections. All commands for Google Distributed Cloud air-gapped use the\n`gdcloud` or `kubectl` CLI, and require an operating system (OS) environment.\n\n### Get the kubeconfig file path\n\nTo run commands against the Management API server, ensure you have the following\nresources:\n\n1. [Sign in and generate](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/sign-in#cli) the\n kubeconfig file for the Management API server if you don't have one.\n\n2. Use the path to the kubeconfig file of the Management API server to replace\n \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e in these instructions.\n\nAbout IAM\n---------\n\nDistributed Cloud offers Identity and Access Management (IAM) for\ngranular access to specific Distributed Cloud resources and prevents\nunwanted access to other resources. IAM operates on the security\nprinciple of least privilege and provides control over who has permission\nto given resources using IAM roles and permissions.\n\nRead the IAM documentation in\n[Sign in](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/sign-in), which provides\ninstructions for signing in to the GDC console or the\ngdcloud CLI and using `kubectl` to access your workloads.\n\n### Predefined roles to VM resources\n\nTo create VMs and VM disks in a project, request the appropriate permissions\nfrom your Project IAM Admin for a given project. All VM roles must bind to the\nnamespace of the project where the VM resides. To manage virtual machines,\nyour Project IAM Admin can assign you the following predefined roles:\n\n- **Project VirtualMachine Admin** `project-vm-admin`: Manages VMs in the project namespace.\n- **Project VirtualMachine Image Admin** `project-vm-image-admin`: Manages VM images in the project namespace.\n\nFor a list of all predefined roles for Application Operators (AO), see\n[Role descriptions](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/role-descriptions).\n\nThe following are predefined common roles for VMs. For details on common roles,\nsee\n[Common roles](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/role-descriptions#common_roles).\n\n- **VM type viewer** `vm-type-viewer`: has read access to predefined VM types.\n- **Public image viewer** `public-image-viewer`: has read access to images GDC provides.\n\nTo grant or receive access to VM resources, see\n[Grant access to project resources](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/role-bindings).\n\nVerify user access to VM resources\n----------------------------------\n\n1. [Log in](/distributed-cloud/hosted/docs/latest/gdch/application/ao-user/iam/sign-in#cli) as the\n user requesting or verifying permissions.\n\n2. Verify whether you, or the user, can create virtual machines:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i create virtualmachines.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n Replace the variables by using the following definitions.\n\n - If the output is `yes`, you have permissions to create a VM in the project \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e.\n - If the output is `no`, you don't have permissions. Contact your Project IAM Admin and request assignment to the Project VirtualMachine Admin (`project-vm-admin`) role in the namespace of the project where the VM resides.\n3. Optional: Verify whether users have access to project-level VM images. For\n example, run the following commands to verify if they can create and use\n `VirtualMachineImage` resources at the project level:\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i get virtualmachineimages.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n kubectl --kubeconfig \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER\u003c/var\u003e auth can-i create virtualmachineimageimports.virtualmachine.gdc.goog -n \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e\n\n Replace the variables by using the following definitions.\n\n - If the output is `yes`, the user has permissions to access custom VM images in the project \u003cvar translate=\"no\"\u003ePROJECT\u003c/var\u003e.\n - If the output is `no`, you don't have permissions. Contact your Project IAM Admin role and request assignment to the Project VirtualMachine Image Admin (`project-vm-image-admin`) role in the namespace of the project where the VM resides."]]