This page describes how Anthos clusters on AWS handles authentication to Google Cloud and user authentication to your clusters.
How Anthos connects to AWS
For more information on how Anthos uses AWS IAM roles to connect to AWS, see AWS IAM roles.
Anthos Multi-Cloud API authentication
You use the Anthos Multi-Cloud API to create, update, and delete clusters and node pools. As with other Google Cloud APIs, you can use this API with REST, Google Cloud CLI, or the Google Cloud console.
Kubernetes API authentication
You can use the
kubectl command-line tool to perform cluster operations such
as deploying a workload and configuring a load balancer. The
connects to the Kubernetes API on your cluster's control plane. To call this
API, you need to authenticate with authorized credentials.
To get credentials, you can use one of the following methods:
Google Identity, which lets users log in using their Google Cloud identity. Use this option if your users already have access to Google Cloud with a Google Identity.
GKE Identity Service, which lets users log in using OpenID Connect (OIDC) or AWS IAM.
Anthos clusters have two methods for access control, the Anthos Multi-Cloud API and role-based access control (RBAC). This section describes the differences between these methods.
It's best to take a layered approach to protecting your clusters and workloads. You can apply the principle of least privilege to the level of access that you provide to your users and workloads. You might need to make tradeoffs to allow the right level of flexibility and security.
Anthos Multi-Cloud API access control
The Anthos Multi-Cloud API lets cluster administrators create, update, and delete clusters and node pools. You manage permissions for the API with Identity and Access Management (IAM). To use the API, users must have the appropriate permissions. For the permissions necessary for each operation, see API roles and permissions. IAM lets you define roles and assign them to principals. A role is a collection of permissions, and when assigned to a principal, controls access to one or more Google Cloud resources.
When you create a cluster or node pool in an organization, folder, or project, users with appropriate permissions in that organization, folder, or project can modify it. For example, if you give a user a cluster deletion permission at a Google Cloud project level, that user can delete any cluster in that project. For more information, see Google Cloud resource hierarchy and Creating IAM policies.
Kubernetes API access control
The Kubernetes API lets you manage Kubernetes objects. To manage access control on the Kubernetes API, you use role-based access control (RBAC). For more information, see Configuring role-based access control in the GKE documentation.
When you use the gcloud CLI to create a cluster, by default the
Anthos Multi-Cloud API adds your user account as an administrator and creates
appropriate RBAC policies that grant you full administrative access to the
cluster. To configure different users, pass the
flag when you create or update a cluster. When you use the
you must include all users that can administer the cluster. The
gcloud CLI doesn't include the user that creates the cluster.
You can also add admin users using the Google Cloud console. For more information, see Update your cluster.
To see the configuration of your cluster's access, run the following command:
kubectl describe clusterrolebinding gke-multicloud-cluster-admin
In addition to the RBAC policies to access the Kubernetes API server, if an admin user isn't a project owner, you need to grant specific IAM roles that let the admin users authenticate using their Google identity. For more information about how to connect to the cluster, see Connect and authenticate to your cluster.
- To set up OIDC, see Manage identity with GKE Identity Service.
- Connect and authenticate to your cluster.