The product described by this documentation, Anthos Clusters on AWS (previous generation), is now in maintenance mode. All new installs must use the current generation product, Anthos clusters on AWS.

Authentication

Anthos clusters on AWS (GKE on AWS) supports the following authentication methods:

  • Connect
  • OpenID Connect (OIDC).

Connect

To log in using the Google Cloud console with Connect, Anthos clusters on AWS can use a Kubernetes service account's bearer token. For more information, see Logging in to a cluster from the Cloud console.

The Kubernetes API server and the ID token

After authenticating with the cluster, you can interact using the kubectl CLI of gcloud CLI. When kubectl calls the Kubernetes API server on behalf of the user, the API server verifies the token by using the OpenID provider's public certificate. Then the API server parses the token to learn the user's identity and the user's security groups.

The API server determines whether the user is authorized to make this particular call by comparing the user's security groups to the cluster's role-based Access Control (RBAC) policy.

OIDC

Anthos clusters on AWS supports OIDC authentication with the Anthos Identity Service. Anthos Identity Service supports many identity providers. For more information, see Supported identity providers.

Overview

With OIDC, you can manage access to a cluster with the standard procedures in your organization for creating, enabling, and disabling employee accounts. You can also use your organization's security groups to configure access to a Kubernetes cluster or to specific services in the cluster.

A typical OIDC login flow follows:

  • A user signs in to an OpenID provider by presenting a username and password.

  • The OpenID provider signs and issues an ID token for the user.

  • The gcloud CLI sends an HTTPS request to the Kubernetes API server. The application includes the user's ID token in the request header.

  • The Kubernetes API server verifies the token by using the provider's certificate.

Signing in with the gcloud CLI

You run the gcloud anthos auth login command to authenticate with your clusters. The gcloud CLI authenticates your request to the Kubernetes API server.

To use the gcloud CLI, your OIDC ID tokens must be stored in the kubeconfig file. You add tokens to your kubeconfig file with gcloud anthos create-login-config. Anthos clusters on AWS uses the gcloud CLI to request and obtain the ID token and other OIDC values in the kubeconfig file.