This page describes how Google Cloud manages AWS Identity and Access Management (IAM) permissions and roles for your GKE on AWS clusters.
GKE on AWS uses the AWS API to create resources such as EC2 instances, auto-scaling groups, and load balancers for both GKE on AWS components and your workloads. You must provide Google Cloud with AWS IAM permissions to create these resources.
How GKE on AWS accesses the AWS API
GKE on AWS uses identity federation in AWS to manage fine-grained access to your AWS account. When GKE on AWS needs to take an action for your cluster, it requests a short-lived token from AWS. The GKE Multi-Cloud API role uses this token to authenticate to AWS.
Service agents
In order to grant Google Cloud access to create, update, delete, and manage clusters in your AWS account, GKE on AWS creates a service agent in your Google Cloud project. The service agent is a Google-managed service account that uses the GKE Multi-Cloud API AWS IAM role. You must create an AWS IAM role for the service agent in each Google Cloud project from which you manage GKE clusters.
The service agent uses the email address service-PROJECT_NUMBER@gcp-sa-gkemulticloud.iam.gserviceaccount.com.
For more information on the Google Cloud IAM permissions, see Anthos Multi-Cloud Service Agent.
AWS IAM permissions for GKE on AWS
You can create roles that use default AWS IAM roles, or create your own custom AWS IAM policies that meet your organization's requirements.
Use default policies
An AWS IAM policy is a collection of permissions. To grant permissions to create and manage clusters, you must first create AWS IAM policies for the following roles:
- GKE Multi-Cloud API service agent role: The GKE Multi-Cloud API uses this AWS IAM role to manage resources using AWS APIs. This role is used by a Google-managed service account known as a service agent.
- Control plane AWS IAM role: Your cluster control plane uses this role to control node pools.
- Node pool AWS IAM role: The control plane uses this role to create node pool VMs.
To use suggested AWS IAM roles for GKE on AWS to manage clusters, see Create AWS IAM roles.
Create custom IAM policies
To further restrict permissions, instead of using the suggested policies you can create custom AWS IAM policies that grant GKE on AWS only what it needs. For example, you can restrict permissions to resources that carry a certain tag, or to resources in a specific AWS VPC.
Controlling access with tags
You can restrict AWS IAM policies to allow actions only on a limited set of resources by using AWS tags. Any role whose policy specifies that tag in its Condition field is restricted to operating on resources that carry the same tag. You can use this to restrict administrative roles to acting on resources in a specific cluster or node pool.
To restrict an AWS IAM policy to apply only to resources with a specific tag, include the tag's value in the Condition field of the policy, then pass the tag value when you create your cluster and node pools. GKE on AWS applies this tag when it creates resources.
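As an added illustration, not taken from the original page or from Google's published policies, the Python below builds a policy document with the tag condition described above and runs a deliberately simplified model of IAM evaluation over it, so you can see that the same action is allowed on a resource carrying the tag and implicitly denied on one that lacks it. The tag key, tag value and action list are constructed sample values; the condition key form `aws:ResourceTag/<key>` with `StringEquals` is standard AWS IAM syntax.

```python
"""Build a tag-scoped AWS IAM policy and show how its condition behaves."""
import json

# Constructed sample values (not from the page): the tag that the cluster and
# node pools are created with, and the actions this statement should cover.
TAG_KEY = "gke-multicloud-cluster"   # hypothetical tag key
TAG_VALUE = "prod-cluster-1"         # hypothetical tag value
SAMPLE_ACTIONS = ["ec2:TerminateInstances", "ec2:StopInstances"]


def tag_scoped_policy(tag_key: str, tag_value: str, actions: list[str]) -> dict:
    """Return an IAM policy document whose single Allow statement applies only
    to resources that already carry tag_key=tag_value (aws:ResourceTag)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OnlyTaggedClusterResources",
                "Effect": "Allow",
                "Action": actions,
                "Resource": "*",
                "Condition": {
                    "StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}
                },
            }
        ],
    }


def is_allowed(policy: dict, action: str, resource_tags: dict) -> bool:
    """Simplified model of IAM evaluation for this policy shape.

    Only Allow statements with StringEquals conditions on aws:ResourceTag/<key>
    are modelled; explicit Deny, wildcards and other condition operators are
    out of scope. As in real IAM, no matching statement means implicit deny.
    """
    prefix = "aws:ResourceTag/"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if action not in actions:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        # Every ResourceTag condition must hold for the statement to apply.
        if all(resource_tags.get(key[len(prefix):]) == value
               for key, value in conds.items() if key.startswith(prefix)):
            return True
    return False


def policy_json(tag_key: str = TAG_KEY, tag_value: str = TAG_VALUE) -> str:
    """Serialized policy document, ready to attach to an IAM role."""
    return json.dumps(tag_scoped_policy(tag_key, tag_value, SAMPLE_ACTIONS), indent=2)


if __name__ == "__main__":
    policy = tag_scoped_policy(TAG_KEY, TAG_VALUE, SAMPLE_ACTIONS)
    print(policy_json())
    # Tagged resource: allowed. Untagged or differently tagged: implicit deny.
    print(is_allowed(policy, "ec2:TerminateInstances", {TAG_KEY: TAG_VALUE}))
    print(is_allowed(policy, "ec2:TerminateInstances", {TAG_KEY: "other"}))
    print(is_allowed(policy, "ec2:TerminateInstances", {}))
```

The tag you condition on must be the one you pass with `--tags` when running `gcloud container aws clusters create` and `gcloud container aws node-pools create`, otherwise the resources GKE on AWS creates will not match the condition and every action on them is denied. Note also that `aws:ResourceTag` only applies to resources that already exist; for creation-time actions such as `ec2:RunInstances`, AWS evaluates the tags in the request (`aws:RequestTag`), so a policy that also covers creation needs a separate statement for that case.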
For more information on tags, see Tagging AWS resources. For more information on using tags with an AWS policy, see Controlling access to AWS resources.
For more on creating cluster resources with a particular tag, see the gcloud container aws clusters create and gcloud container aws node-pools create reference documentation.
For a list of specific permissions that GKE on AWS needs for each policy, see the AWS IAM role list.