Manage identity with Anthos Identity Service

Anthos clusters on AWS supports OpenID Connect (OIDC) and AWS IAM as authentication mechanisms for interacting with a cluster's Kubernetes API server, using Anthos Identity Service. Anthos Identity Service is an authentication service that lets you bring your existing identity solutions for authentication to multiple Anthos environments. Users can log in to and use your Anthos clusters from the command line or from the Google Cloud console, all using your existing identity provider.

For an overview of how Anthos Identity Service works, see Introducing Anthos Identity Service.

If you already use or want to use Google identities to log in to your Anthos clusters, we recommend using the gcloud container aws clusters get-credentials command for authentication. Find out more in Connect and authenticate to your cluster.

OpenID Connect authentication

Before you begin

  1. To use OIDC authentication, users must be able to connect to the cluster's control plane. See Connect to your cluster's control plane.

  2. To allow users to authenticate through the Google Cloud console, ensure that every cluster you want to configure is registered with your project fleet. For Anthos clusters on AWS, registration is automatic once you have created a node pool.

Setup process and options

  1. Register Anthos Identity Service as a client with your OIDC provider following the instructions in Configuring providers for Anthos Identity Service.

  2. Choose from the following cluster configuration options:

  3. Set up user access to your clusters, including role-based access control (RBAC), following the instructions in Setting up user access for Anthos Identity Service.

Accessing clusters

After Anthos Identity Service has been set up on a cluster, users can log in to clusters using either the command line or the Google Cloud console.

AWS IAM authentication

The AWS IAM support on Anthos clusters on AWS uses Anthos Identity Service.

Before you begin

To use AWS IAM authentication, users must be able to connect to the cluster's control plane. See Connect to your cluster's control plane.

Setup process and options

To configure your cluster to allow AWS IAM authentication for a particular AWS region, do the following:

  1. Edit the ClientConfig resource on your cluster:

    kubectl --kubeconfig=KUBECONFIG_PATH edit ClientConfigs default -n kube-public
    

    Replace KUBECONFIG_PATH with the path to your cluster's kubeconfig file—for example $HOME/.kube/config.

    Your text editor loads your cluster's ClientConfig resource. Add the spec.authentication.aws object as shown below. Do not modify any default data that has already been written.

    apiVersion: authentication.gke.io/v2alpha1
    kind: ClientConfig
    metadata:
      name: default
      namespace: kube-public
    spec:
      authentication:
      - name: NAME
        aws:
          region: AWS_REGION
    

    Replace the following:

    • NAME: an arbitrary name for this authentication method, for example "aws-iam".
    • AWS_REGION: the AWS region from which user identity information is retrieved. It must match the region configured in your users' AWS CLI.
  2. To enable your cluster users to use AWS IAM, follow Setting up user access for Anthos Identity Service.
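The editing step above is interactive. As an added example (not from the Anthos documentation), the following script performs the same change non-interactively: it takes the ClientConfig as JSON (the output of `kubectl get clientconfig default -n kube-public -o json`), appends the spec.authentication.aws entry without touching existing entries, is idempotent, and refuses to reuse a name already bound to a different method. The sample ClientConfig and the AWS region pattern are assumptions constructed for the example.

```python
import json
import re

# Constructed sample, not from a real cluster: a ClientConfig as returned by
# `kubectl get clientconfig default -n kube-public -o json`, with an OIDC
# method already configured that must be preserved.
SAMPLE_CLIENTCONFIG = json.dumps({
    "apiVersion": "authentication.gke.io/v2alpha1",
    "kind": "ClientConfig",
    "metadata": {"name": "default", "namespace": "kube-public"},
    "spec": {"authentication": [
        {"name": "oidc-corp", "oidc": {"issuerURI": "https://idp.example.com"}},
    ]},
})

# Assumed shape of an AWS region identifier (e.g. us-east-1, us-gov-west-1).
AWS_REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def add_aws_auth(clientconfig_json: str, name: str, region: str) -> dict:
    """Return the ClientConfig with an AWS IAM authentication method added.

    Existing entries are kept untouched; the call is idempotent (re-adding the
    same method is a no-op) and refuses to reuse a name for a different method.
    """
    if not AWS_REGION_RE.match(region):
        raise ValueError(f"unexpected AWS region format: {region!r}")
    cfg = json.loads(clientconfig_json)
    if cfg.get("kind") != "ClientConfig":
        raise ValueError("input is not a ClientConfig resource")
    methods = cfg.setdefault("spec", {}).setdefault("authentication", [])
    for m in methods:
        if m.get("name") == name:
            if m.get("aws", {}).get("region") == region:
                return cfg  # already configured exactly as requested
            raise ValueError(f"authentication method {name!r} already exists")
    methods.append({"name": name, "aws": {"region": region}})
    return cfg


if __name__ == "__main__":
    # Pipe the output to `kubectl replace -f -` to write it back to the cluster;
    # replace keeps the resourceVersion check so concurrent edits are rejected.
    print(json.dumps(add_aws_auth(SAMPLE_CLIENTCONFIG, "aws-iam", "us-east-1"), indent=2))
```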

Accessing clusters

After Anthos Identity Service has been set up on a cluster, users can log in to clusters using either the command line or the Google Cloud console.

To learn how to log in to registered clusters with your AWS IAM identity, see Accessing clusters using Anthos Identity Service.