Stay organized with collectionsSave and categorize content based on your preferences.
Securing access to resources with IAM
Kubernetes users and service accounts need permissions to manage
Config Connector resources. With Config Connector, your project'scontrol planecan be managed by identities that use KubernetesRole-Based Access Control(RBAC). You can also reference Identity and Access Management (IAM) Policies.
Resources that can reference IAMPolicy and IAMPolicyMember are listed in theResource reference.
These resources have the property "Can Be Referenced by
IAMPolicy/IAMPolicyMember".
This topic explains how to secure access to Google Cloud resources
using Identity and Access Management.
In this example, you will create a service account and grant it permissions to
manage aPubSubTopic. This service account cannot manage other types of
Config Connector resources.
Create a file namedpubsub-topic-service-account.yamlwith the
following contents:
The ClusterRole can only manage resources that have values specified inrules.apiGroupsandrules.resources. To find values forapiGroupsandresources, see thereferencefor your
resources.
Create a file namedpubsub-topic-editor-role.yamlwith the following
contents:
ReplaceCC_NAMESPACEwith the namespace Config Connector
manages resources from.
Next, create a RoleBinding between the ClusterRole and your service account.
Create a file namedpubsub-topic-editor-rolebinding.yamlwith the
following contents:
ReplaceCC_NAMESPACEwith the namespace Config Connector
manages resources from.
Confirm the policy has been applied to Google Cloud by running this command
and looking for your email address in the output, replacingPROJECT_IDwith your project ID:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eConfig Connector allows managing Kubernetes control planes using identities that leverage Kubernetes Role-Based Access Control (RBAC) or Identity and Access Management (IAM) Policies.\u003c/p\u003e\n"],["\u003cp\u003eService accounts can be granted specific permissions to manage particular Config Connector resources, as demonstrated by the example of a service account managing \u003ccode\u003ePubSubTopic\u003c/code\u003e resources.\u003c/p\u003e\n"],["\u003cp\u003eRBAC can be used to secure control plane access by creating ClusterRoles and RoleBindings to define and assign permissions to service accounts.\u003c/p\u003e\n"],["\u003cp\u003eIAM Policies can be utilized to secure the data plane by creating resources such as \u003ccode\u003ePubSubTopic\u003c/code\u003e and limiting their access with \u003ccode\u003eIAMPolicyMember\u003c/code\u003e resources.\u003c/p\u003e\n"],["\u003cp\u003eThe cleaning up process involves deleting service accounts, IAM roles, rolebindings, \u003ccode\u003ePubSubTopic\u003c/code\u003e, and \u003ccode\u003eIAMPolicyMember\u003c/code\u003e resources using \u003ccode\u003ekubectl delete\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Securing access to resources with IAM\n=====================================\n\n*** ** * ** ***\n\nKubernetes users and service accounts need permissions to manage\nConfig Connector resources. With Config Connector, your project's\n[control plane](https://kubernetes.io/docs/concepts/#kubernetes-control-plane)\ncan be managed by identities that use Kubernetes\n[Role-Based Access Control](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)\n(RBAC). You can also reference Identity and Access Management (IAM) Policies.\n\nResources that can reference IAMPolicy and IAMPolicyMember are listed in the\n[Resource reference](/config-connector/docs/reference/resources).\nThese resources have the property \"Can Be Referenced by\nIAMPolicy/IAMPolicyMember\".\n\nThis topic explains how to secure access to Google Cloud resources\nusing Identity and Access Management.\n\nBefore you begin\n----------------\n\n[Install Config Connector on your cluster](/config-connector/docs/concepts/installation-types).\n\nSecuring control plane access with RBAC\n---------------------------------------\n\nIn this example, you will create a service account and grant it permissions to\nmanage a `PubSubTopic`. This service account cannot manage other types of\nConfig Connector resources.\n\n1. Create a file named `pubsub-topic-service-account.yaml` with the\n following contents:\n\n apiVersion: v1\n kind: ServiceAccount\n metadata:\n name: pubsub-topic-service-account\n namespace: default\n\n Apply this to create the `pubsub-topic-service-account` service account: \n\n ```\n kubectl apply -f pubsub-topic-service-account.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n2. Confirm `pubsub-topic-service-account` cannot create\n `PubSubTopic` resources by verifying the output of the following command\n contains `no`:\n\n ```\n kubectl auth can-i get pubsubtopics --as=system:serviceaccount:default:pubsub-topic-service-account\n ```\n3. Next, create a\n [`ClusterRole`](/kubernetes-engine/docs/concepts/access-control#rbac)\n that allows Pub/Sub topic creation.\n\n The ClusterRole can only manage resources that have values specified in\n `rules.apiGroups` and `rules.resources`. To find values for `apiGroups` and\n `resources`, see the\n [reference](/config-connector/docs/reference/overview) for your\n resources.\n\n Create a file named `pubsub-topic-editor-role.yaml` with the following\n contents: \n\n apiVersion: rbac.authorization.k8s.io/v1\n kind: ClusterRole\n metadata:\n creationTimestamp: null\n name: pubsub-topic-editor\n rules:\n - apiGroups:\n - pubsub.cnrm.cloud.google.com\n resources:\n - pubsubtopics\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n\n Apply `pubsub-topic-editor.yaml` to create the `ClusterRole`: \n\n ```\n kubectl apply -f pubsub-topic-editor-role.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n4. Next, create a RoleBinding between the ClusterRole and your service account.\n Create a file named `pubsub-topic-editor-rolebinding.yaml` with the\n following contents:\n\n apiVersion: rbac.authorization.k8s.io/v1\n kind: RoleBinding\n metadata:\n name: pubsub-topic-editor-rolebinding.\n subjects:\n - kind: ServiceAccount\n name: pubsub-topic-service-account\n roleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: pubsub-topic-editor\n\n5. Apply `pubsub-topic-editor-rolebinding.yaml` to your cluster.\n\n ```\n kubectl apply -f pubsub-topic-editor-rolebinding.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n6. Confirm the `pubsub-topic-service-account` is allowed to create\n `PubSubTopic` resources by confirming the output of the following command is\n `yes`:\n\n ```\n kubectl auth can-i get pubsubtopics \\\n --as=system:serviceaccount:default:pubsub-topic-service-account\n ```\n\n### Cleaning up\n\nUse `kubectl delete` to remove the Service Account, IAM Role and\nRolebinding. \n\n kubectl delete -f pubsub-topic-editor-rolebinding.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n kubectl delete -f pubsub-topic-editor-role.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n kubectl delete -f pubsub-topic-service-account.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n\nReplace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\nmanages resources from.\n\nSecuring the data plane with IAM Policies\n-----------------------------------------\n\nIn this example, you use the permissions granted earlier to create a\n`PubSubTopic` and limit access to it with an `IAMPolicyMember` resource.\n\n1. Create a file named `pubsub-topic-sample.yaml` with the following content:\n\n apiVersion: pubsub.cnrm.cloud.google.com/v1beta1\n kind: PubSubTopic\n metadata:\n name: pubsubtopic-sample\n\n Apply `pubsub-topic-sample.yaml` with `kubectl`: \n\n ```\n kubectl apply -f pubsub-topic-sample.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n2. Create a file named `iampolicymember.yaml` with the following content,\n replacing \u003cvar translate=\"no\"\u003eEMAIL_ADDRESS\u003c/var\u003e with your Google Cloud account's\n email address:\n\n apiVersion: iam.cnrm.cloud.google.com/v1beta1\n kind: IAMPolicyMember\n metadata:\n name: iampolicymember-sample\n spec:\n resourceRef:\n apiVersion: pubsub.cnrm.cloud.google.com/v1beta1\n kind: PubSubTopic\n name: pubsubtopic-sample\n role: roles/pubsub.admin\n member: \"user:\u003cvar translate=\"no\"\u003eEMAIL_ADDRESS\u003c/var\u003e\"\n\n3. Apply the `iampolicymember.yaml`.\n\n ```\n kubectl apply -f iampolicymember.yaml --namespace CC_NAMESPACE \n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n4. Confirm the policy has been applied to Google Cloud by running this command\n and looking for your email address in the output, replacing\n \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your project ID:\n\n ```\n gcloud beta pubsub topics get-iam-policy projects/PROJECT_ID/topics/pubsubtopic-sample\n ```\n\nAccess to your Pub/Sub topics is now protected with an `IAMPolicyMember`.\n\n### Cleaning up\n\nUse `kubectl delete` to remove the Pub/Sub topic and IAMPolicyMember\nfrom your Google Cloud Project. \n\n kubectl delete -f iampolicymember.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n kubectl delete -f pubsub-topic-sample.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n\nWhat's next\n-----------\n\nUse [Secrets](/config-connector/docs/how-to/secrets) to pass information securely to Google Cloud resources."]]
