# GKE IAM Integration

If you're connected to a GKE cluster, RBAC is only half the story here. Google Cloud IAM roles can grant cluster access. Cluster access is effectively determined by a union of IAM and RBAC roles. To see the relevant IAM roles along with RBAC roles, use the --gke flag.

rbac-lookup rob --gke

SUBJECT              SCOPE             ROLE
[email protected]      cluster-wide      ClusterRole/view
[email protected]      nginx-ingress     ClusterRole/edit
[email protected]      project-wide      IAM/gke-developer
[email protected]      project-wide      IAM/viewer

Of course this GKE integration also supports wide output, in this case referencing the specific IAM roles that are assigned to a user.

rbac-lookup rob --gke --output wide

SUBJECT                   SCOPE             ROLE                SOURCE
User/[email protected]      cluster-wide      ClusterRole/view    ClusterRoleBinding/rob-cluster-view
User/[email protected]      nginx-ingress     ClusterRole/edit    RoleBinding/rob-edit
User/[email protected]      project-wide      IAM/gke-developer   IAMRole/container.developer
User/[email protected]      project-wide      IAM/gcp-viewer      IAMRole/viewer

At this point this integration only supports standard IAM roles, and is not advanced enough to include any custom roles. For a full list of supported roles and how they are mapped, view lookup/gke_roles.go (opens new window).