IAM provides predefined roles that grant access to specific Google Cloud resources and prevent unauthorized access to other resources.
| Role | Title | Description | Lowest resource |
|---|---|---|---|
| roles/ | Kubernetes Engine Admin | Provides access to full management of clusters and their Kubernetes API objects. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use. | Project |
| roles/ | Kubernetes Engine KMS Crypto Key User | Allows the Kubernetes Engine service agent in the cluster project to call KMS with user-provided crypto keys to sign payloads. | |
| roles/ | Kubernetes Engine Cluster Admin | Provides access to management of clusters. To set a service account on nodes, you must also have the Service Account User role (roles/iam.serviceAccountUser) on the user-managed service account that your nodes will use. | Project |
| roles/ | Kubernetes Engine Cluster Viewer | Provides access to get and list GKE clusters. | |
| roles/ | Kubernetes Engine Default Node Service Account | Least-privilege role to use as the default service account for GKE nodes. | |
| roles/ | Kubernetes Engine Developer | Provides access to Kubernetes API objects inside clusters. | Project |
| roles/ | Kubernetes Engine Host Service Agent User | Allows the Kubernetes Engine service account in the host project to configure shared network resources for cluster management. Also gives access to inspect the firewall rules in the host project. | |
| roles/ | Kubernetes Engine Viewer | Provides read-only access to resources within GKE clusters, such as nodes, pods, and GKE API objects. | Project |