Agent skill
iam-configuration
Least-privilege IAM roles for GKE nodes and workloads. Workload Identity Federation for external authentication and comprehensive audit logging for visibility.
Install this agent skill to your Project
npx add-skill https://github.com/adaptive-enforcement-lab/claude-skills/tree/main/plugins/secure/skills/iam-configuration
SKILL.md
IAM Configuration
When to Use This Skill
This section covers identity and access management for GKE clusters:
- Service Account Roles: Fine-grained IAM permissions for nodes, admins, and developers
- Workload Identity Federation: External identity provider integration (GitHub, OIDC)
- Audit Logging: Complete visibility into cluster management and API access
Prerequisites
- GCP project with billing enabled
- Terraform 1.0+
- Appropriate IAM permissions (Security Admin or Project Editor)
Implementation
Identity and access management controls who can do what in your cluster. Least-privilege service accounts minimize blast radius. Workload Identity Federation enables external identity integration. Audit logging provides complete visibility.
IAM Security Layers
- Least Privilege Roles - Minimal permissions for service accounts
- Workload Identity Federation - GitHub Actions and external auth
- Audit Logging - Comprehensive activity tracking
Overview
This section covers identity and access management for GKE clusters:
- Service Account Roles: Fine-grained IAM permissions for nodes, admins, and developers
- Workload Identity Federation: External identity provider integration (GitHub, OIDC)
- Audit Logging: Complete visibility into cluster management and API access
Security Principles
Least Privilege
Grant only the minimum IAM roles required for each service account:
- Node service accounts: Logging, monitoring only
- Application service accounts: Specific GCP resource access
- Developer accounts: Read-only cluster access
- Admin accounts: Full cluster management (limited users)
External Identity Integration
Workload Identity Federation enables pods and external systems to authenticate without static credentials:
- GitHub Actions: OIDC token exchange
- External CI/CD: Custom identity providers
- Multi-cloud workloads: Cross-cloud authentication
Complete Audit Trail
Comprehensive audit logging captures all cluster activity:
- API server requests (create, update, delete)
- Authentication attempts and failures
- IAM policy changes
- Service account usage
Prerequisites
- GCP project with billing enabled
- Terraform 1.0+
- Appropriate IAM permissions (Security Admin or Project Editor)
Related Configuration
- Cluster Configuration - Private GKE, Workload Identity, Shielded Nodes
- Network Security - VPC-native networking, Network Policies
- Runtime Security - Pod Security Standards, admission controllers
Overview
This section covers identity and access management for GKE clusters:
- Service Account Roles: Fine-grained IAM permissions for nodes, admins, and developers
- Workload Identity Federation: External identity provider integration (GitHub, OIDC)
- Audit Logging: Complete visibility into cluster management and API access
Security Principles
Least Privilege
Grant only the minimum IAM roles required for each service account:
- Node service accounts: Logging, monitoring only
- Application service accounts: Specific GCP resource access
- Developer accounts: Read-only cluster access
- Admin accounts: Full cluster management (limited users)
External Identity Integration
Workload Identity Federation enables pods and external systems to authenticate without static credentials:
- GitHub Actions: OIDC token exchange
- External CI/CD: Custom identity providers
- Multi-cloud workloads: Cross-cloud authentication
Complete Audit Trail
Comprehensive audit logging captures all cluster activity:
- API server requests (create, update, delete)
- Authentication attempts and failures
- IAM policy changes
- Service account usage
Prerequisites
- GCP project with billing enabled
- Terraform 1.0+
- Appropriate IAM permissions (Security Admin or Project Editor)
Related Configuration
- Cluster Configuration - Private GKE, Workload Identity, Shielded Nodes
- Network Security - VPC-native networking, Network Policies
- Runtime Security - Pod Security Standards, admission controllers
Key Principles
Least Privilege
Grant only the minimum IAM roles required for each service account:
- Node service accounts: Logging, monitoring only
- Application service accounts: Specific GCP resource access
- Developer accounts: Read-only cluster access
- Admin accounts: Full cluster management (limited users)
External Identity Integration
Workload Identity Federation enables pods and external systems to authenticate without static credentials:
- GitHub Actions: OIDC token exchange
- External CI/CD: Custom identity providers
- Multi-cloud workloads: Cross-cloud authentication
Complete Audit Trail
Comprehensive audit logging captures all cluster activity:
- API server requests (create, update, delete)
- Authentication attempts and failures
- IAM policy changes
- Service account usage
Related Patterns
- Cluster Configuration
- Network Security
- Runtime Security
References
Recommended Agent Skills
Expand your agent's capabilities with these related and highly-rated skills.
github-token-permissions-overview
Understanding GITHUB_TOKEN scope, default permissions, and implementing least-privilege principle for GitHub Actions workflows.
secure
Find and fix security issues before they become incidents. Vulnerability scanning, SBOM generation, supply chain security, and secure authentication workflows.
complete-workflow-examples
Copy-paste hardened CI/CD workflows with SHA-pinned actions, minimal GITHUB_TOKEN permissions, OIDC authentication, and comprehensive security scanning for GitHub Actions.
ephemeral-runner-patterns
Disposable runner patterns for GitHub Actions. Container-based, VM-based, and ARC deployment strategies with complete state isolation between jobs.
action-pinning-overview
Why pinning GitHub Actions to SHA-256 commits matters for supply chain security. Attack vectors from unpinned actions and comparison of tag vs SHA pinning.
github-actions-security-patterns-hub
Complete security patterns for GitHub Actions covering action pinning, GITHUB_TOKEN permissions, third-party action risks, secret management, and runner security.
Didn't find tool you were looking for?