Version 1.13. This version is no longer supported. For information about how to upgrade to version 1.14, see Upgrading Anthos on bare metal in the 1.14 documentation. For more information about supported and unsupported versions, see the Version history page in the latest documentation.

# Manage identity with GKE Identity Service

Google Distributed Cloud supports [OpenID Connect (OIDC)](https://openid.net/connect/) and [Lightweight Directory Access Protocol (LDAP)](https://ldap.com/) as authentication mechanisms for interacting with a cluster's Kubernetes API server, using GKE Identity Service. GKE Identity Service is an authentication service that lets you bring your existing identity solutions for authentication to multiple GKE Enterprise environments. Users can log in to and use your GKE clusters from the command line (all providers) or from the Google Cloud console (OIDC only), all using your existing identity provider.

GKE Identity Service works with any kind of bare metal cluster: admin, user, hybrid, or standalone. You can use both on-premises and publicly reachable identity providers. For example, if your enterprise runs an [Active Directory Federation Services (ADFS)](https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services) server, the ADFS server could serve as your OpenID provider. You might also use publicly reachable identity provider services such as Okta. Identity provider certificates may be issued by either a well-known public certificate authority (CA) or by a private CA.

For an overview of how GKE Identity Service works, see [Introducing GKE Identity Service](/anthos/identity).

If you already use or want to use Google IDs to log in to your GKE clusters instead of an OIDC or LDAP provider, we recommend using the Connect gateway for authentication. Find out more in [Connecting to registered clusters with the Connect gateway](/anthos/multicluster-management/gateway).

Before you begin
----------------

- Note that headless systems are unsupported. A browser-based authentication flow is used to prompt users for consent and authorize their user account.
- To authenticate through the Google Cloud console, each cluster that you want to configure must be [registered with your project fleet](/anthos/multicluster-management/connect/registering-a-cluster).

Setup process and options
-------------------------

### OIDC

1. Register GKE Identity Service as a client with your OIDC provider following the instructions in [Configuring providers for GKE Identity Service](/anthos/identity/setup/provider).
2. Choose from the following cluster configuration options:
   - Configure your clusters at fleet level following the instructions in [Configuring clusters for fleet-level GKE Identity Service](/anthos/identity/setup/fleet-cluster) (preview, Google Distributed Cloud version 1.8 and higher). With this option, your authentication configuration is centrally managed by Google Cloud.
   - Configure your clusters individually following the instructions in [Configuring clusters for GKE Identity Service with OIDC](/anthos/identity/setup/per-cluster). Because fleet-level setup is a preview feature, you may want to use this option in production environments, if you are using an earlier version of Google Distributed Cloud, or if you require GKE Identity Service features that aren't yet supported with fleet-level lifecycle management.
3. Set up user access to your clusters, including role-based access control (RBAC), following the instructions in [Setting up user access for GKE Identity Service](/anthos/identity/setup/user-access).

### LDAP

- Follow the instructions in [Set up GKE Identity Service with LDAP](/anthos/identity/setup/ldap).

Access clusters
---------------

After GKE Identity Service has been set up, users can log in to configured clusters using either the command line or the Google Cloud console.

- Learn how to log in to registered clusters with your OIDC or LDAP ID in [Accessing clusters using GKE Identity Service](/anthos/identity/accessing).
- Learn how to log in to clusters from the Google Cloud console in [Logging in to a cluster from the Google Cloud console](/anthos/multicluster-management/console/logging-in) (OIDC only).