This page describes how Google Cloud manages AWS Identity and Access Management (IAM) permissions and roles for your Anthos clusters on AWS.
Anthos clusters on AWS uses the AWS API to create resources such as EC2 instances, auto-scaling groups, and load balancers for both Anthos clusters on AWS components and your workloads. You must provide Google Cloud with AWS IAM permissions to create these resources.
How Anthos clusters on AWS accesses the AWS API
Anthos clusters on AWS uses identity federation in AWS to manage fine-grained access to your AWS account. When Anthos clusters on AWS needs to take an action on your cluster, it requests a short-lived token from AWS and uses that token to act as the Anthos Multi-Cloud API AWS IAM role. No long-lived AWS credentials are stored by Google Cloud.
To grant Google Cloud access to create, update, delete, and manage clusters in your AWS account, Anthos clusters on AWS creates a service agent in your Google Cloud project. The service agent is a Google-managed service account that uses the Anthos Multi-Cloud API AWS IAM role. You must create this AWS IAM role for the service agent in each Google Cloud project from which you manage Anthos clusters.
The service agent uses the email address
For more information on the Google Cloud IAM permissions granted to the service agent, see Anthos Multi-Cloud Service Agent.
AWS IAM permissions for Anthos clusters on AWS
You can create roles that use the default (suggested) AWS IAM policies, or create your own custom AWS IAM policies that meet your organization's requirements.
Use default policies
An AWS IAM policy is a collection of permissions. To grant permissions to create and manage clusters, you must first create AWS IAM policies for the following roles:
- Anthos Multi-Cloud API service agent role
- The Anthos Multi-Cloud API uses this AWS IAM role to manage resources using AWS APIs. This role is used by a Google-managed service account known as a service agent.
- Control plane AWS IAM role
- Your cluster control plane uses this role to control node pools.
- Node pool AWS IAM role
- The control plane uses this role to create node pool VMs.
To use the suggested AWS IAM roles for Anthos clusters on AWS to manage clusters, see Create AWS IAM roles.
Create custom IAM policies
To further restrict permissions, instead of using the suggested policies you can create custom AWS IAM policies that allow only what Anthos clusters on AWS needs. For example, you can restrict permissions to resources that carry a certain tag, or to resources in a specific AWS VPC.
Controlling access with tags
You can restrict AWS IAM policies to allow actions only on a limited set of resources by using AWS tags. Any role whose policy names a tag in its Condition element is restricted to operating on resources that carry the same tag. You can use this to restrict administrative roles to acting on the resources of a specific cluster or node pool.
To restrict an AWS IAM policy to apply only to resources with a specific tag, include the tag's key and value in the Condition element of the policy (for example with the aws:ResourceTag condition key), then pass the same tag value when you create your cluster and node pools. Anthos clusters on AWS applies this tag when it creates resources. Because the restriction keys off the tag, make sure the same role cannot add or change that tag on resources it does not own; a role that is allowed to retag arbitrary resources can tag them into its own scope.
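The following Python is an added illustration of how a tag-scoped policy behaves; it is not code from Google's documentation or from Anthos clusters on AWS. The tag key `anthos-cluster`, the cluster names, and the EC2 inventory are constructed assumptions. The small evaluator implements only the StringEquals/StringLike subset of IAM policy semantics needed to show the effect of the Condition element; the real evaluation is done by AWS IAM.

```python
"""Model of an AWS IAM policy scoped to resources by tag (added example).

The tag key, cluster names and the instance inventory below are constructed
for illustration. The evaluator covers only the StringEquals / StringLike
operators and fails closed on anything else; it is not a full IAM engine.
"""
import fnmatch
import json

TAG_KEY = "anthos-cluster"  # assumed tag key; use whatever tag you pass at cluster creation


def tag_scoped_policy(tag_value: str) -> dict:
    """Allow instance lifecycle actions only on resources tagged with tag_value,
    and allow instance creation only when the request tags the new instance
    with the same value (aws:RequestTag)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ManageTaggedInstances",
                "Effect": "Allow",
                "Action": ["ec2:TerminateInstances", "ec2:StopInstances", "ec2:StartInstances"],
                "Resource": "*",
                "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": tag_value}},
            },
            {
                "Sid": "CreateTaggedInstances",
                "Effect": "Allow",
                "Action": ["ec2:RunInstances"],
                "Resource": "*",
                "Condition": {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": tag_value}},
            },
        ],
    }


def _condition_holds(condition: dict, context: dict) -> bool:
    """True only if every key of every operator matches the request context.
    A missing context key (for example an untagged resource) never satisfies a condition."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringLike":
                if not fnmatch.fnmatchcase(actual, expected):
                    return False
            else:
                return False  # unsupported operator: fail closed
    return True


def is_allowed(policy: dict, action: str, context: dict) -> bool:
    """Default deny; an explicit Deny wins; otherwise any matching Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed inventory: the tags the EC2 API would report for each instance.
INSTANCES = {
    "i-0aaa": {TAG_KEY: "prod-cluster"},
    "i-0bbb": {TAG_KEY: "dev-cluster"},
    "i-0ccc": {},  # untagged, not managed by any cluster
}


def can_terminate(policy: dict, instance_id: str) -> bool:
    """Build the aws:ResourceTag/* context from the instance's tags and evaluate."""
    context = {f"aws:ResourceTag/{k}": v for k, v in INSTANCES[instance_id].items()}
    return is_allowed(policy, "ec2:TerminateInstances", context)


def can_create(policy: dict, request_tags: dict) -> bool:
    """Build the aws:RequestTag/* context from the tags on the RunInstances request."""
    context = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    return is_allowed(policy, "ec2:RunInstances", context)


if __name__ == "__main__":
    policy = tag_scoped_policy("prod-cluster")
    print(json.dumps(policy, indent=2))
    for instance_id in INSTANCES:
        print(instance_id, "terminate allowed:", can_terminate(policy, instance_id))
    print("create with cluster tag:", can_create(policy, {TAG_KEY: "prod-cluster"}))
    print("create without tag:", can_create(policy, {}))
```

With the policy scoped to `prod-cluster`, only `i-0aaa` can be terminated; the `dev-cluster` instance and the untagged instance are denied, and creating an instance without the tag is denied as well. In a real policy, tag-on-create for `ec2:RunInstances` also needs an `ec2:CreateTags` statement limited to the create action, and that statement is exactly where you must not grant broad retagging rights, or the role could tag foreign resources into its own scope.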
For a list of specific permissions that Anthos clusters on AWS needs for each policy, see the AWS IAM role list.