Access scopes in GKE
This page describes the default access scopes granted to nodes in Google Kubernetes Engine (GKE) clusters. By reading this page, you learn about the default access scopes that are granted to clusters, and how you can configure custom access scopes, if required.
This page is for Security specialists and Operators who create and manage clusters, and must understand the default access that is granted to clusters and how to modify that access if needed. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
What are access scopes?
Access scopes are the legacy method of granting permissions for your nodes, and for workloads running on your nodes if the workloads use application default credentials (ADC). Access scopes define the OAuth scopes used in API calls from client libraries or the gcloud CLI.
We recommend that you don't specify your own access scopes. Instead, you should use IAM permissions or Kubernetes role-based access control (RBAC) to grant access to specific IAM service accounts or Kubernetes service accounts.
Default access scopes
When you create a new GKE cluster, Google Cloud assigns a default set of access scopes to nodes based on the service account used by the nodes. These access scopes enable specific functionality for GKE. You can also set access scopes manually using the --scopes flag when you create Standard clusters, Autopilot clusters, or node pools. You can't modify the access scopes on existing node pools. Instead, create a new node pool with the new scopes and migrate workloads to that node pool.
The following sections describe the default access scopes that GKE adds to nodes based on whether you specify a custom service account, and whether you manually specify access scopes.
Autopilot clusters
| Service account | Did you manually specify access scopes? | Access scopes that GKE adds |
|---|---|---|
| Compute Engine default service account | No | |
| Compute Engine default service account | Yes | Manually specified scopes |
| Custom service account | No | https://www.googleapis.com/auth/cloud-platform |
| Custom service account | Yes | Manually specified scopes |
Standard clusters
| Service account | Manually-specified access scopes? | GKE access scopes |
|---|---|---|
| Compute Engine default service account | No | |
| Compute Engine default service account | Yes | |
| Custom service account | No | |
| Custom service account | Yes | |
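The tables above say which identity and scopes a node pool gets at creation time; since scopes can't be changed on an existing pool, the useful check is what your pools actually run with today. The following POSIX shell helper is an added example, not part of the Google Cloud documentation: it reads the per-pool output of `gcloud container node-pools list --cluster CLUSTER --location LOCATION --format='value(name,config.serviceAccount,config.oauthScopes)'` and flags pools that still run as the Compute Engine default service account or that carry the broad cloud-platform scope. The `audit_node_pools` and `sample_pools` functions, the sample pool data, and the assumption that gcloud's `value()` format separates fields with tabs and list items with `;` are all the example's own.

```shell
# Added audit helper (hypothetical; not from the GKE documentation).
# Expected stdin: one node pool per line as printed by
#   gcloud container node-pools list --cluster CLUSTER --location LOCATION \
#       --format='value(name,config.serviceAccount,config.oauthScopes)'
# i.e. fields separated by tabs and scopes joined by ';' (assumed value() format).
# Prints one finding per line as "POOL<TAB>FINDING"; returns 1 if anything was flagged.
audit_node_pools() {
    tab=$(printf '\t')
    flagged=0
    while IFS="$tab" read -r pool sa scopes; do
        [ -n "$pool" ] || continue
        # Nodes still running as the Compute Engine default service account:
        # the page recommends a custom, minimally privileged node SA instead.
        case "$sa" in
            *-compute@developer.gserviceaccount.com)
                printf '%s\tnodes run as the Compute Engine default service account (%s); create a custom node service account\n' "$pool" "$sa"
                flagged=1 ;;
        esac
        # cloud-platform is what GKE adds for a custom SA with no manual scopes:
        # the scope then limits nothing, only the IAM roles bound to the SA do,
        # so those bindings (for example compute.admin) are what to review.
        case ";$scopes;" in
            *';https://www.googleapis.com/auth/cloud-platform;'*)
                printf '%s\tcloud-platform scope: access is bounded only by the IAM roles bound to %s\n' "$pool" "$sa"
                flagged=1 ;;
        esac
    done
    return $flagged
}

# Constructed sample of what the gcloud command above might print for three pools
# (project number, project ID and pool names are made up).
sample_pools() {
    printf 'default-pool\t123456789012-compute@developer.gserviceaccount.com\thttps://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/monitoring\n'
    printf 'custom-pool\tkubernetes-engine-node-sa@my-project.iam.gserviceaccount.com\thttps://www.googleapis.com/auth/cloud-platform\n'
    printf 'scoped-pool\tkubernetes-engine-node-sa@my-project.iam.gserviceaccount.com\thttps://www.googleapis.com/auth/logging.write;https://www.googleapis.com/auth/monitoring\n'
}

sample_pools | audit_node_pools || echo "one or more node pools need review"
```

In a real environment, replace `sample_pools` with the gcloud command from the comment and run the audit per cluster; a non-zero exit makes it easy to gate in CI.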
Configure a custom service account for workloads
IAM is the access control system for granting authorized roles to users and service accounts within your Google Cloud project. A service account is a special Google Account that performs tasks, such as deploying applications, on your behalf. You use IAM to create a service account, then use IAM policy bindings to secure the account.
If your workloads require access to Compute Engine, grant the service account the Compute Engine Admin role. If your workloads need to pull private images from Artifact Registry, see Configuring access control for Artifact Registry repositories.
Create a service account
To create a custom service account named kubernetes-engine-node-sa, run the following commands:

```bash
export NODE_SA_NAME=kubernetes-engine-node-sa
gcloud iam service-accounts create $NODE_SA_NAME \
    --display-name "GKE Node Service Account"
export NODE_SA_EMAIL=`gcloud iam service-accounts list --format='value(email)' \
    --filter='displayName:GKE Node Service Account'`
```

These commands set the environment variables $NODE_SA_NAME and $NODE_SA_EMAIL, which are used in commands documented later on this page.
Grant minimal roles
To configure the service account with the minimal necessary roles and permissions for your GKE node to function, run the following commands, where $PROJECT is your project ID:

```bash
export PROJECT=`gcloud config get-value project`
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$NODE_SA_EMAIL \
    --role roles/monitoring.metricWriter
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$NODE_SA_EMAIL \
    --role roles/monitoring.viewer
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$NODE_SA_EMAIL \
    --role roles/logging.logWriter
```

Grant additional roles
Caution: The compute.admin role shouldn't be granted to this service account unless necessary. Granting this role allows workloads to create, delete, read metadata on, and access nodes using SSH, among other operations. To grant the service account the Compute Engine Admin role, run the following command:

```bash
gcloud projects add-iam-policy-binding $PROJECT \
    --member serviceAccount:$NODE_SA_EMAIL \
    --role roles/compute.admin
```

To learn how to grant service accounts access to private images stored in Artifact Registry, see Granting access to Google Kubernetes Engine clusters.
Create a cluster or node pool with the custom service account
To create a cluster that uses the custom service account, run the following command:

```bash
gcloud container clusters create --service-account=$NODE_SA_EMAIL
```

To create a node pool in an existing cluster:

```bash
gcloud container node-pools create --service-account=$NODE_SA_EMAIL
```
Last updated 2025-12-15 UTC.