Stay organized with collections
Save and categorize content based on your preferences.
GKE Identity Service overview
GKE Identity Service is an authentication service that integrates
with your existing identity solutions, allowing you to use these identity solutions across multiple
GKE Enterprise environments. Users can access and manage your GKE clusters
from the command line or from the Google Cloud console, all using your existing
identity provider.
GKE Identity Service supports the following identity provider protocols
to verify and authenticate users when they try to access resources or services:
OpenID Connect (OIDC): OIDC is a modern, lightweight
authentication protocol built on top of the OAuth 2.0 authorization framework. We
provide specific instructions for setup of some popular OpenID Connect providers,
including Microsoft, but you can use any provider that implements OIDC.
Security Assertion Markup Language (SAML): SAML is an XML-based standard for exchanging authentication and authorization data between parties,
primarily between an identity provider (IdP) and a service provider (SP). You
can use GKE Identity Service to authenticate using SAML.
Lightweight Directory Access Protocol (LDAP): LDAP is a mature,
standardized protocol for accessing and managing directory information services.
It's commonly used to store and retrieve user information, such as usernames,
passwords, and group memberships. You can use GKE Identity Service to
authenticate using LDAP with Active Directory or an LDAP server.
Supported cluster types
Protocol
GDC (VMware)
GDC (bare metal)
GKE on AWS
GKE on Azure
EKS attached clusters
GKE on Google Cloud
OIDC
LDAP
SAML
Other attached cluster types are not supported for use with GKE Identity Service.
Setup process
Setting up GKE Identity Service for your clusters involves the following users and process steps:
Configure providers:
The platform administrator registers GKE Identity Service as a client
application with their preferred identity provider and gets a client ID and secret.
Set up individual clusters
or set up your fleet:
The cluster administrator sets up clusters for your identity service. You can
set up GKE Identity Service on a cluster by cluster basis for GKE clusters
on-premises (both VMware and bare metal), on AWS, and on Azure. Alternatively,
you can choose to set up GKE Identity Service for a fleet, which is a
logical group of clusters that lets you enable functionality and update
configuration across these clusters.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[],[],null,["# GKE Identity Service overview\n=============================\n\nGKE Identity Service is an authentication service that integrates\nwith your existing identity solutions, allowing you to use these identity solutions across multiple\nGKE Enterprise environments. Users can access and manage your GKE clusters\nfrom the command line or from the Google Cloud console, all using your existing\nidentity provider.\n\nIf you prefer to use Google IDs to log in to your GKE clusters instead of\nan identity provider, see [Connect to registered clusters with the Connect gateway](/kubernetes-engine/enterprise/multicluster-management/gateway).\n\nSupported identity providers\n----------------------------\n\nGKE Identity Service supports the following identity provider protocols\nto verify and authenticate users when they try to access resources or services:\n\n- [OpenID Connect (OIDC)](https://openid.net/connect/): OIDC is a modern, lightweight authentication protocol built on top of the OAuth 2.0 authorization framework. We provide specific instructions for setup of some popular OpenID Connect providers, including Microsoft, but you can use any provider that implements OIDC.\n- [Security Assertion Markup Language (SAML)](https://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html): SAML is an XML-based standard for exchanging authentication and authorization data between parties, primarily between an identity provider (IdP) and a service provider (SP). You can use GKE Identity Service to authenticate using SAML.\n- [Lightweight Directory Access Protocol (LDAP)](https://ldap.com/): LDAP is a mature, standardized protocol for accessing and managing directory information services. It's commonly used to store and retrieve user information, such as usernames, passwords, and group memberships. You can use GKE Identity Service to authenticate using LDAP with Active Directory or an LDAP server.\n\nSupported cluster types\n-----------------------\n\nOther attached cluster types are not supported for use with GKE Identity Service.\n| **Note:** Authentication using LDAP is supported for user clusters only in VMware deployments of Google Distributed Cloud. Admin clusters on VMware cannot use LDAP providers with GKE Identity Service.\n\nSetup process\n-------------\n\nSetting up GKE Identity Service for your clusters involves the following users and process steps:\n\n1. **[Configure providers](/kubernetes-engine/enterprise/identity/setup/idp-overview)** : The *platform administrator* registers GKE Identity Service as a client application with their preferred identity provider and gets a *client ID* and *secret*.\n2. **[Set up individual clusters](/kubernetes-engine/enterprise/identity/setup/per-cluster-overview)** or **[set up your fleet](/kubernetes-engine/enterprise/identity/setup/fleet)** : The *cluster administrator* sets up clusters for your identity service. You can set up GKE Identity Service on a cluster by cluster basis for GKE clusters on-premises (both VMware and bare metal), on AWS, and on Azure. Alternatively, you can choose to set up GKE Identity Service for a fleet, which is a logical group of clusters that lets you enable functionality and update configuration across these clusters.\n3. **[Set up user access](/kubernetes-engine/enterprise/identity/setup/user-access)** : The *cluster administrator* sets up user login access to authenticate to the clusters using the [FQDN access](/kubernetes-engine/enterprise/identity/setup/user-access#fqdn-access) (recommended) or [file-based access](/kubernetes-engine/enterprise/identity/setup/user-access#file-access) approach, and optionally configures *Kubernetes [role-based access control (RBAC)](/kubernetes-engine/enterprise/identity/setup/setup-rbac)* for users on these clusters."]]
