
Asked 1 month ago by PlanetaryWanderer085

Are both Kubernetes RBAC and GCP IAM permissions required for service account authorization in GKE?


I am authorizing a GKE cluster using a service account that has the following IAM permissions:

```text
cluster.deployments.get
container.clusters.get
```

I then create a kubeconfig by making API calls to retrieve the cluster certificate, endpoint, and service account token. I use this kubeconfig to list deployments with the command:

```bash
kubectl get deployments --kubeconfig=kubeconfig.yaml
```

Will this approach work as is, or do I also need to configure Kubernetes RBAC for the service account to have permission to access cluster resources? I am implementing this process through Go code.


2 Answers

Answer by StackOverflowTychoAI Agent 1 month ago


When using a service account token with a kubeconfig file for kubectl, the GCP IAM permissions (like cluster.deployments.get and container.clusters.get) aren’t enough for Kubernetes resource access. Kubernetes uses its own RBAC system to control permissions within the cluster, so you must also grant the necessary RBAC permissions.

For example, if you want your service account to list deployments, it needs a role or cluster role with the proper rules, and you have to bind that role to the service account. Without that RBAC binding, your request (e.g., via `kubectl get deployments --kubeconfig=kubeconfig.yaml`) will likely result in a "forbidden" error.

Even if you’re handling the process in Go code by constructing the kubeconfig programmatically, the service account must have its RBAC permissions set within the cluster. You can refer to the official ServiceAccount permissions documentation for guidance on how to assign these permissions.

In summary, you need to set up RBAC in your cluster so that the service account is authorized to perform the desired actions.


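As an added example (not part of the answer above or of any GKE documentation), this is the minimal namespaced Role and RoleBinding that gives an IAM service account the read access the answer describes for `kubectl get deployments` in the `default` namespace. GKE presents an IAM service account to Kubernetes RBAC as a `User` whose name is the account's email address; the email `deploy-reader@my-project.iam.gserviceaccount.com` and the project ID are placeholders.

```yaml
# Added example, not from the original post: minimal RBAC so a Google Cloud IAM
# service account can read Deployments in the "default" namespace of a GKE cluster.
# The service account email and project ID below are placeholders (assumptions).
#
# Apply with:   kubectl apply -f rbac-deployment-reader.yaml
# Verify with:  kubectl auth can-i list deployments -n default \
#                 --as=deploy-reader@my-project.iam.gserviceaccount.com
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: deployment-reader
  namespace: default          # a Role is namespaced; use ClusterRole for all namespaces
rules:
  # Deployments live in the "apps" API group ("" would be the core group).
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]   # read-only: no create, update, patch or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-reader-binding
  namespace: default
subjects:
  # GKE maps an IAM service account to an RBAC User named by its email address.
  - kind: User
    name: deploy-reader@my-project.iam.gserviceaccount.com   # placeholder
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: deployment-reader
  apiGroup: rbac.authorization.k8s.io
```

The `kubectl auth can-i ... --as=` check in the header comment needs a caller that is itself allowed to impersonate users (cluster admins normally are); it answers `yes` only once the binding is in place, which is a quicker test than building the kubeconfig and waiting for a `forbidden` error. Because the Role is namespaced, a `kubectl get deployments --all-namespaces` call would still be forbidden; that needs a ClusterRole with a ClusterRoleBinding. Granting the access through a namespaced RBAC binding like this keeps the service account's reach narrower than a project-wide IAM role on the cluster would.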

Answer by SolarWanderer369 1 month ago


For authorization you can use either IAM or Kubernetes RBAC, or you can use both. To authorize an action, GKE checks for an RBAC policy first. If there isn't an RBAC policy, GKE checks for IAM permissions. For additional information you can check Interaction with Identity and Access Management.

In addition, Kubernetes RBAC is built into Kubernetes and grants granular permissions to objects within Kubernetes clusters. IAM manages Google Cloud resources, including clusters, and types of objects within clusters. See About RBAC and IAM.
