Connect Google groups to GKE on AWS
This document describes how you can connect to GKE on AWS as a member of a
Google group.
Using Google groups to grant cluster access is more efficient than creating
separate authorizations for individual users. For example, let's say you want
to add 50 users to the cluster Administrator group, 75 users to an Editor group,
and 100 users to a Reader group. Enabling all these users to connect to your
cluster would require you to create RBAC rules in the Kubernetes manifest file
for 225 users. Enabling access to your cluster with Google groups, however,
saves you time because you only need to create RBAC rules for three Google
groups.
Before you begin
To connect to your cluster as a member of a Google group, you need to satisfy
the following prerequisites:
1. Ensure that you have the latest version of the Google Cloud CLI. For
   information on updating the gcloud CLI, see
   gcloud components update.
2. Use GKE on AWS version 1.25 or above, which is required for kubectl
   access using connect gateway.
Connect to your cluster with Google groups
To authorize Google groups to connect to GKE on AWS, follow these
steps:
1. Enable the connectgateway and cloudresourcemanager APIs
   with the following command:

       gcloud services enable --project=PROJECT_ID \
           connectgateway.googleapis.com \
           cloudresourcemanager.googleapis.com

   Replace PROJECT_ID with your Google project ID.

2. Create a group called gke-security-groups as a group in your project's
   domain if it doesn't exist.

3. Create one or more sub-groups within the gke-security-groups group for
   cluster authentication.

4. Add users to the newly created sub-groups.

5. For kubectl access using connect gateway, you need to grant
   IAM roles to Google groups:

   1. Select an appropriate role for a group. This role determines how the
      group interacts with the connect gateway. The role can be
      one of the following: roles/gkehub.gatewayAdmin,
      roles/gkehub.gatewayEditor, roles/gkehub.gatewayReader.
      (Note that you're not granting
      permissions over the cluster here - that step comes later.
      Here, you're just determining how users of the group can manipulate
      the connect gateway.)

   2. Run the following command to grant the role to the group:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member=group:GROUP_NAME@DOMAIN \
              --role=GATEWAY_ROLE

      Replace the following:
      - PROJECT_ID: your Google project ID
      - GROUP_NAME: the name of the group to grant access to
      - DOMAIN: your Google Workspace domain
      - GATEWAY_ROLE: the selected role. For example
        roles/gkehub.gatewayAdmin, roles/gkehub.gatewayEditor, or
        roles/gkehub.gatewayReader.

   Note: To grant kubectl access through a private endpoint, follow the
   preceding steps, but grant roles/gkemulticloud.viewer to the Google
   groups instead.

6. In a Kubernetes manifest, define the permissions each Google group
   has on the cluster. For example, the following manifest grants the Google
   Group cluster-admin-team the role of cluster administrator:

       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRoleBinding
       metadata:
         name: gateway-cluster-admin-group
       subjects:
       - kind: Group
         name: cluster-admin-team@example.com
       roleRef:
         kind: ClusterRole
         name: cluster-admin
         apiGroup: rbac.authorization.k8s.io

7. Save the manifest to a file and apply it to the cluster by running the
   following command:

       kubectl apply --kubeconfig=KUBECONFIG_PATH -f FILENAME

   Replace the following:
   - KUBECONFIG_PATH: the path to your kubeconfig file.
   - FILENAME: the name of the manifest file you created.

Once you've performed these steps, users belonging to certain Google groups can
connect to the cluster. In the given example, users belonging to the Google
group cluster-admin-team can connect to the cluster as administrators.
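The manifest step above binds a single group to cluster-admin. The script below is an added example, not code from the Google Cloud documentation: it generates one ClusterRoleBinding per Google group so that the Administrator, Editor and Reader split from the introduction maps to the built-in cluster-admin, edit and view ClusterRoles, and it lints the generated subjects before anything is applied. The domain example.com, the group names other than cluster-admin-team, and the metadata names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: generate one
# ClusterRoleBinding per Google group so that the Administrator / Editor /
# Reader split maps to the built-in cluster-admin, edit and view
# ClusterRoles, and lint the result before it is applied.
# DOMAIN, the group names other than cluster-admin-team, and the metadata
# names are constructed placeholders.

DOMAIN="example.com"   # assumed Google Workspace domain; replace with yours

# Constructed table: one "<group local part> <ClusterRole>" pair per line.
GROUP_ROLES="cluster-admin-team cluster-admin
cluster-editors edit
cluster-readers view"

# render_binding NAME GROUP CLUSTERROLE
# Print one ClusterRoleBinding. The subject is the group's full e-mail
# address, because that is the identity the connect gateway presents to the
# cluster; only the four default user-facing ClusterRoles are accepted.
render_binding() {
  name="$1"; group="$2"; role="$3"
  case "$group" in
    *@*) echo "pass the group's local part only: $group" >&2; return 1 ;;
  esac
  case "$role" in
    cluster-admin|admin|edit|view) ;;
    *) echo "unknown ClusterRole: $role" >&2; return 1 ;;
  esac
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${name}
subjects:
- kind: Group
  name: ${group}@${DOMAIN}
roleRef:
  kind: ClusterRole
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# render_all: emit every binding from GROUP_ROLES as one multi-document YAML
# stream, which kubectl apply -f accepts as a single file.
render_all() {
  while read -r group role; do
    [ -n "$group" ] || continue
    echo "---"
    render_binding "gateway-${group}" "$group" "$role" || return 1
  done <<EOF
$GROUP_ROLES
EOF
}

# lint_bindings: read manifest text on stdin and reject any subject address
# outside DOMAIN. A mistyped domain either binds nobody or binds a group you
# do not control, and kubectl apply accepts both. Returns the number of
# offending subjects, so 0 means clean.
lint_bindings() {
  bad=0
  while read -r key value; do
    [ "$key" = "name:" ] || continue
    case "$value" in
      *@"$DOMAIN") ;;
      *@*) echo "subject outside ${DOMAIN}: $value" >&2; bad=$((bad + 1)) ;;
    esac
  done
  return "$bad"
}

# Stand-alone use: print the manifests only if they pass the lint, then
# apply them with: kubectl apply --kubeconfig=KUBECONFIG_PATH -f FILENAME
render_all | lint_bindings && render_all
```

Redirect the output to a file and apply it exactly as in step 7. Once the bindings are on the cluster, the effective permissions of a group can be confirmed without logging in as one of its members by impersonating the group, for example `kubectl auth can-i --list --as=someone@example.com --as-group=cluster-readers@example.com`; that check needs access to the cluster and is not part of the script.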