adaptive-enforcement-lab/iam-configuration
plugins/secure/skills/iam-configuration/SKILL.md
Least-privilege IAM roles for GKE nodes and workloads. Workload Identity Federation for external authentication and comprehensive audit logging for visibility.
testing
Updated Mar 27, 2026
$ install --global
skillsauthnpx skillsauth add adaptive-enforcement-lab/claude-skills iam-configurationInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Mar 29, 2026, 11:19 AM36.4s1 file scanned
SKILL.md
- name:
- iam-configuration
- description:
- >-
IAM Configuration
When to Use This Skill
This section covers identity and access management for GKE clusters:
- Service Account Roles: Fine-grained IAM permissions for nodes, admins, and developers
- Workload Identity Federation: External identity provider integration (GitHub, OIDC)
- Audit Logging: Complete visibility into cluster management and API access
Prerequisites
- GCP project with billing enabled
- Terraform 1.0+
- Appropriate IAM permissions (Security Admin or Project Editor)
Implementation
Identity and access management controls who can do what in your cluster. Least-privilege service accounts minimize blast radius. Workload Identity Federation enables external identity integration. Audit logging provides complete visibility.
IAM Security Layers
- Least Privilege Roles - Minimal permissions for service accounts
- Workload Identity Federation - GitHub Actions and external auth
- Audit Logging - Comprehensive activity tracking
Overview
This section covers identity and access management for GKE clusters:
- Service Account Roles: Fine-grained IAM permissions for nodes, admins, and developers
- Workload Identity Federation: External identity provider integration (GitHub, OIDC)
- Audit Logging: Complete visibility into cluster management and API access
Security Principles
Least Privilege
Grant only the minimum IAM roles required for each service account:
- Node service accounts: Logging, monitoring only
- Application service accounts: Specific GCP resource access
- Developer accounts: Read-only cluster access
- Admin accounts: Full cluster management (limited users)
External Identity Integration
Workload Identity Federation enables pods and external systems to authenticate without static credentials:
- GitHub Actions: OIDC token exchange
- External CI/CD: Custom identity providers
- Multi-cloud workloads: Cross-cloud authentication
Complete Audit Trail
Comprehensive audit logging captures all cluster activity:
- API server requests (create, update, delete)
- Authentication attempts and failures
- IAM policy changes
- Service account usage
Prerequisites
- GCP project with billing enabled
- Terraform 1.0+
- Appropriate IAM permissions (Security Admin or Project Editor)
Related Configuration
- Cluster Configuration - Private GKE, Workload Identity, Shielded Nodes
- Network Security - VPC-native networking, Network Policies
- Runtime Security - Pod Security Standards, admission controllers
Overview
This section covers identity and access management for GKE clusters:
- Service Account Roles: Fine-grained IAM permissions for nodes, admins, and developers
- Workload Identity Federation: External identity provider integration (GitHub, OIDC)
- Audit Logging: Complete visibility into cluster management and API access
Security Principles
Least Privilege
Grant only the minimum IAM roles required for each service account:
- Node service accounts: Logging, monitoring only
- Application service accounts: Specific GCP resource access
- Developer accounts: Read-only cluster access
- Admin accounts: Full cluster management (limited users)
External Identity Integration
Workload Identity Federation enables pods and external systems to authenticate without static credentials:
- GitHub Actions: OIDC token exchange
- External CI/CD: Custom identity providers
- Multi-cloud workloads: Cross-cloud authentication
Complete Audit Trail
Comprehensive audit logging captures all cluster activity:
- API server requests (create, update, delete)
- Authentication attempts and failures
- IAM policy changes
- Service account usage
Prerequisites
- GCP project with billing enabled
- Terraform 1.0+
- Appropriate IAM permissions (Security Admin or Project Editor)
Related Configuration
- Cluster Configuration - Private GKE, Workload Identity, Shielded Nodes
- Network Security - VPC-native networking, Network Policies
- Runtime Security - Pod Security Standards, admission controllers
Key Principles
Least Privilege
Grant only the minimum IAM roles required for each service account:
- Node service accounts: Logging, monitoring only
- Application service accounts: Specific GCP resource access
- Developer accounts: Read-only cluster access
- Admin accounts: Full cluster management (limited users)
External Identity Integration
Workload Identity Federation enables pods and external systems to authenticate without static credentials:
- GitHub Actions: OIDC token exchange
- External CI/CD: Custom identity providers
- Multi-cloud workloads: Cross-cloud authentication
Complete Audit Trail
Comprehensive audit logging captures all cluster activity:
- API server requests (create, update, delete)
- Authentication attempts and failures
- IAM policy changes
- Service account usage
Related Patterns
- Cluster Configuration
- Network Security
- Runtime Security
References
- Source Documentation
- AEL Secure
Related Skills
adaptive-enforcement-lab/workload-identity-federation-implementation
documentation
VerifiedTrustedCommunity
Workload Identity Federation implementation guide. GKE setup, IAM bindings, ServiceAccount configuration, migration from service account keys, and troubleshooting patterns.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/workflow-trigger-security
development
VerifiedTrustedCommunity
Secure GitHub Actions trigger patterns for pull requests, forks, and reusable workflows. Preventing privilege escalation and code injection through trigger misconfiguration.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/third-party-action-risk-assessment
development
VerifiedTrustedCommunity
Structured framework for evaluating GitHub Actions security before adoption. Trust tiers, risk assessment checklist, and decision tree for action evaluation.
SKILL.mdUpdated Mar 27, 2026
adaptive-enforcement-lab/storing-credentials
testing
VerifiedTrustedCommunity
Securely store GitHub App credentials across different environments. GitHub Actions secrets, external CI, Kubernetes, and automated rotation patterns.
SKILL.mdUpdated Mar 27, 2026