The product described by this documentation, GKE on AWS, is now in maintenance mode and will be shut down on March 17, 2027.

AWS IAM role list

The tables on this page list all of the permissions used in creating the default AWS IAM roles. To create these policies with default permissions, see Create AWS IAM roles .

GKE Multi-Cloud API service agent role: The GKE Multi-Cloud API uses this AWS IAM role to manage resources using AWS APIs. This role is used by a Google-managed service account known as a service agent .
Control plane AWS IAM role: Your cluster control plane uses this role to control node pools.
Node pool AWS IAM role: The control plane uses this role to create node pool VMs.

Depending upon your organization's requirements, you can choose to create custom AWS IAM policies for GKE on AWS to manage your clusters. These policies will replace the default versions. You then apply these policies to AWS IAM roles and provide them when you create a cluster.

For more information on the purpose of each role, see AWS IAM roles for GKE on AWS .

To create these policies, choose the level that you wish to restrict your resources at. For example, you can restrict a policy to a particular AWS VPC using the VPC's Amazon Resource Name (ARN). For more information, see Controlling access to AWS resources using policies .

IAM policies for GKE Multi-Cloud service agents

Resource Type

ARN

Permission Required

Purpose

Reference

Security Group

arn:aws:ec2:*:*:security-group/sg-*

ec2:DescribeSecurityGroups (Create, Update, Delete)
ec2:CreateSecurityGroup (Create)
ec2:CreateTags (Create)
ec2:RevokeSecurityGroupEgress (Create)
ec2:DeleteSecurityGroup (Delete)

Control plane security group

Security Group

Node pool security group

Security Group Rule

arn:aws:ec2:*:*:security-group-rule/sgr-*

ec2:AuthorizeSecurityGroupEgress (Create)
ec2:RevokeSecurityGroupEgress (Delete)
ec2:CreateTags (Create)

Control plane egress security group rule

Security Group Rule

ec2:AuthorizeSecurityGroupIngress (Create)
ec2:RevokeSecurityGroupIngress (Delete)
ec2:CreateTags (Create)

Control plane ingress security group rule

Security Group Rule

ec2:AuthorizeSecurityGroupEgress (Create)
ec2:RevokeSecurityGroupEgress (Delete)
ec2:CreateTags (Create)

Control plane egress security group rule

Security Group Rule

ec2:AuthorizeSecurityGroupIngress (Create)
ec2:RevokeSecurityGroupIngress (Delete)
ec2:CreateTags (Create)

Control plane ingress security group rule

Network Load Balancer

arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*

elasticloadbalancing:DescribeLoadBalancers (Create, Delete)
elasticloadbalancing:CreateLoadBalancer (Create)
ec2:CreateSecurityGroup (Create)
ec2:DescribeAccountAttributes (Create)
ec2:DescribeInternetGateways (Create)
ec2:DescribeSecurityGroups (Create)
ec2:DescribeSubnets (Create)
ec2:DescribeVpcs (Create)
iam:CreateServiceLinkedRole (Create)
elasticloadbalancing:DeleteLoadBalancer (Delete)

Kubernetes api-server load balancer

Elastic Load Balancing API permissions

Target Group

arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*

elasticloadbalancing:DescribeTargetGroups (Create, Update, Delete)
elasticloadbalancing:DescribeTargetHealth (Create, Update)
elasticloadbalancing:CreateTargetGroup (Create)
elasticloadbalancing:ModifyTargetGroupAttributes (Create)
ec2:DescribeInternetGateways (Create)
ec2:DescribeVpcs (Create)
elasticloadbalancing:DeleteTargetGroup (Delete)

Target group for https

Elastic Load Balancing API permissions

Target Group

Target group for https for konnectivity agent

Listener

arn:aws:elasticloadbalancing:*:*:listener/net/gke-*

elasticloadbalancing:CreateListener (Create)
elasticloadbalancing:DeleteListener (Delete) elasticloadbalancing:DescribeListeners (Delete)
elasticloadbalancing:DeleteListener (Delete)

Listener for https

Listener

Listener for https for konnectivity agent

Volume

arn:aws:ec2:*:*:volume/vol-*

ec2:CreateVolume (Create)
ec2:CreateTags (Create)
ec2:DeleteVolume (Delete)

etcd volumes

Network Interface

arn:aws:ec2:*:*:network-interface/eni-*

ec2:DescribeNetworkInterfaces Update
ec2:CreateNetworkInterface (Create)
ec2:CreateTags (Create)
ec2:ModifyNetworkInterfaceAttribute (Update)
ec2:DeleteNetworkInterface (Delete)

etcd NICs

Launch Template

arn:aws:ec2:*:*:launch-template/lt-*

ec2:CreateLaunchTemplate (Create, Update)
ec2:CreateTags (Create, Update)
ec2:DeleteLaunchTemplate (Delete)

Launch template for control plane instances

Launch Template

Launch template for node pool instances

Auto Scaling Group

arn:aws:autoscaling:*:*:autoScalingGroup:*:  
autoScalingGroupName/gke-*

autoscaling:DescribeAutoScalingGroups (Create, Update, Delete)
autoscaling:CreateAutoScalingGroup (Create)
autoscaling:CreateOrUpdateTags (Update)
autoscaling:UpdateAutoScalingGroup (Update, Delete)
autoscaling:TerminateInstanceInAutoScalingGroup (Update)
autoscaling:DeleteTags Update, (Delete)
autoscaling:DeleteAutoScalingGroup (Delete)
iam:CreateServiceLinkedRole (Create)
ec2:RunInstances (Create)
iam:PassRole （Create）

auto scaling groups for control plane instances

Required API permissions for Amazon EC2 Auto Scaling

Auto Scaling Group

arn:aws:autoscaling:*:*:autoScalingGroup:*:  
autoScalingGroupName/gke-*

auto scaling groups for node pool instances

Required permissions to create a service-linked role

EC2 key pairs

ec2:DescribeKeyPairs (Create)

To ensure the EC2 key pair used to login into cluster machines exists.

Subnets

ec2:DescribeSubnets (Create)

Access to additional subnets in your VPC

VPC

ec2:DescribeVpcs (Create)

Information on your AWS VPC

EC2 Console output

ec2:GetConsoleOutput (Create, Update)

Check console logs for errors

KMS Key

For more information on KMS key policies for GKE on AWS Creating KMS keys with specific permissions

IAM policy for control plane role

Purpose

Permission Required

Reference

cluster autoscaler

autoscaling:DescribeAutoScalingGroups (Create, Update)
autoscaling:DescribeAutoScalingInstances (Create, Update)
autoscaling:DescribeLaunchConfigurations (Create, Update)
autoscaling:DescribeTags (Create, Update)
ec2:DescribeInstanceTypes (Create, Update)
ec2:DescribeLaunchTemplateVersions (Create, Update)
autoscaling:SetDesiredCapacity
autoscaling:TerminateInstanceInAutoScalingGroup

https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md

cloud-provider-aws

autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeTags (Create)
ec2:DescribeInstances (Create)
ec2:DescribeRegions
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:CreateSecurityGroup
ec2:CreateTags
ec2:CreateVolume
ec2:ModifyInstanceAttribute
ec2:ModifyVolume
ec2:AttachVolume (Create)
ec2:AuthorizeSecurityGroupIngress
ec2:CreateRoute
ec2:DeleteRoute
ec2:DeleteSecurityGroup
ec2:DeleteVolume
ec2:DetachVolume
ec2:RevokeSecurityGroupIngress
ec2:DescribeVpcs
elasticloadbalancing:AddTags
elasticloadbalancing:AttachLoadBalancerToSubnets
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:CreateLoadBalancerPolicy
elasticloadbalancing:CreateLoadBalancerListeners
elasticloadbalancing:ConfigureHealthCheck
elasticloadbalancing:DeleteLoadBalancer
elasticloadbalancing:DeleteLoadBalancerListeners
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:DetachLoadBalancerFromSubnets
elasticloadbalancing:DeregisterInstancesFromLoadBalancer
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:RegisterInstancesWithLoadBalancer
elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
elasticloadbalancing:AddTags
elasticloadbalancing:CreateListener
elasticloadbalancing:CreateTargetGroup
elasticloadbalancing:DeleteListener
elasticloadbalancing:DeleteTargetGroup
elasticloadbalancing:DescribeListeners
elasticloadbalancing:DescribeLoadBalancerPolicies
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:DescribeTargetHealth
elasticloadbalancing:ModifyListener
elasticloadbalancing:ModifyTargetGroup
elasticloadbalancing:RegisterTargets
elasticloadbalancing:DeregisterTargets
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
iam:CreateServiceLinkedRole
kms:DescribeKey

https://github.com/kubernetes/cloud-provider-aws/blob/master/docs/prerequisites.md

Create load balancers

elasticloadbalancing:CreateLoadBalancer
ec2:DescribeAccountAttributes
ec2:DescribeInternetGateways
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVpcs

https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-api-permissions.html

aws-ebs-csi-driver

ec2:DescribeVolumesModifications
ec2:DeleteTags

ec2:DescribeAvailabilityZones

https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/docs#set-up-driver-permission

gke-aws-controller-manager

ec2:DescribeDhcpOptions
ec2:DescribeInstances
ec2:DescribeVpcs

elasticloadbalancing:ModifyTargetGroupAttributes

ec2:DescribeSnapshots
ec2:CreateSnapshot
ec2:DeleteSnapshot

CSI snapshotter

Kubernetes external snapshotter

GKE on AWS node agent
Attach NIC to etcd

ec2:AttachNetworkInterface (Create, Update)

Read proxy configuration from Secrets Manager

secretsmanager:GetSecretValue (Create, Update)

Interact with KMS keys

kms:Encrypt (Create, Update)
kms:Decrypt (Create, Update)
kms:CreateGrant (Create, Update)

IAM policy for node pool role

Purpose	Permission Required	Reference
Read proxy configuration from secrets manager	`secretsmanager:GetSecretValue` (Create, Update)
KMS key to decrypt node pool configuration encryption	`kms:Decrypt` (Create, Update)	Create an AWS KMS key

AWS IAM role list Stay organized with collections Save and categorize content based on your preferences.

IAM policies for GKE Multi-Cloud service agents

IAM policy for control plane role

IAM policy for node pool role

AWS IAM role list