When an application sends a request to an attached cluster through Connect, it must pass through three security checkpoints.
The request first goes to the Google Cloud API connectgateway.googleapis.com API, which verifies that the caller is authorized to use that API.
If authorized, the request is then passed to the connect gateway for Google Cloud IAM authorization.
If this succeeds, the request is passed to the connect gateway to the cluster's kube-api server for RBAC authorization.
If all of these checks are successful, then the cluster's kube-apiserver will serve the request.
See Grant IAM roles to users for instructions on granting IAM roles to cluster users with the Connect Gateway.