15

I am trying to integrate CircleCi with gcloud Kubernetes engine.

  1. I created a service account with Kubernetes Engine Developer and Storage Admin roles.
  2. Created CircleCi yaml file and configured CI.

Part of my yaml file includes:

    docker:
        - image: google/cloud-sdk
    environment:
        - PROJECT_NAME: 'my-project'
        - GOOGLE_PROJECT_ID: 'my-project-112233'
        - GOOGLE_COMPUTE_ZONE: 'us-central1-a'
        - GOOGLE_CLUSTER_NAME: 'my-project-bed'
    steps:
        - checkout
        - run:
              name: Setup Google Cloud SDK
              command: |
                  apt-get install -qq -y gettext
                  # quote the variable so the JSON key is written byte-for-byte
                  echo "$GCLOUD_SERVICE_KEY" > ${HOME}/gcloud-service-key.json
                  gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
                  gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
                  gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
                  gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

Everything runs perfectly except that the last command:

gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

It keeps failing with the error:

ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.

I tried to give the ci account the role of project owner but I still got that error.

I tried to disable and re-enable the Kubernetes Service but it didn't help.

Any idea how to solve this? I am trying to solve it for 4 days...

Rico
Naor
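Before chasing IAM, two things the step in the question can get wrong silently are worth checking: that the file written by `echo $GCLOUD_SERVICE_KEY > ...` is actually a service-account key, and that the project in the 403 message is the project ID the key was issued for (the ID-versus-display-name mix-up one of the answers below describes). The Python below is an added example, not code from the question: it parses the error text in the format quoted above, validates the key file and compares the two projects. The project-ID pattern is the common form only (domain-scoped IDs are not handled), and the key JSON is a constructed sample, not a real credential.

```python
"""Sanity checks for the CI step in the question: is the key file written by
`echo $GCLOUD_SERVICE_KEY > key.json` a usable service-account key, and does the
project in the 403 match the project the key belongs to? (Added example.)"""
import json
import re

# Shape of gcloud's 403 from `container clusters get-credentials`, taken from
# the message quoted in the question.
ERROR_RE = re.compile(
    r'Required "(?P<permission>[^"]+)" permission\(s\) for '
    r'"projects/(?P<project>[^/]+)/zones/(?P<zone>[^/]+)/clusters/(?P<cluster>[^"]+)"'
)

# Common form of a GCP project ID: 6-30 chars of lowercase letters, digits and
# hyphens, starting with a letter and not ending with a hyphen.
# Assumption: domain-scoped IDs such as "example.com:proj" are not handled.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

REQUIRED_KEY_FIELDS = ("type", "project_id", "client_email", "private_key")


def parse_get_credentials_error(message):
    """Extract permission and resource path from the gcloud 403 text, or None."""
    m = ERROR_RE.search(message)
    return m.groupdict() if m else None


def load_service_account_key(text):
    """Parse key-file contents and reject anything that is not a usable SA key.

    Catches the classic CI failure where the env var was empty, or was pasted
    base64-encoded, so the file written by `echo $VAR > file` is not JSON."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"key file is not JSON: {exc}") from None
    if not isinstance(key, dict):
        raise ValueError("key file is JSON but not an object")
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError(f"key file is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"key type is {key['type']!r}, expected 'service_account'")
    return key


def diagnose(error_message, key_text):
    """Return findings; an empty list means the key and target project agree."""
    err = parse_get_credentials_error(error_message)
    if err is None:
        return ["error text does not match the get-credentials 403 format"]
    key = load_service_account_key(key_text)
    findings = []
    if not PROJECT_ID_RE.match(err["project"]):
        findings.append(
            f"'{err['project']}' is not a valid project ID; --project / "
            "config set project must use the ID, not the display name"
        )
    elif key["project_id"] != err["project"]:
        findings.append(
            f"key belongs to project '{key['project_id']}' but the cluster is in "
            f"'{err['project']}'; the 403 is expected unless that account also "
            f"holds {err['permission']} there"
        )
    return findings


# Constructed sample inputs (not real credentials).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-project-112233",
    "client_email": "ci@my-project-112233.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n",
})
SAMPLE_ERROR = (
    'ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, '
    'message=Required "container.clusters.get" permission(s) for '
    '"projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed".'
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SAMPLE_KEY) or "key and target project agree")
```

In a pipeline this runs as a step between writing the key file and `gcloud auth activate-service-account`; a non-empty finding list or a ValueError fails the job early with a message that names the real problem instead of a generic 403.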

8 Answers

6

This is an old thread; this is how this issue is handled today when using Cloud Build:

Granting Cloud Build access to GKE

To deploy the application in your Kubernetes cluster, Cloud Build needs the Kubernetes Engine Developer Identity and Access Management Role.

Get Project Number:

PROJECT_NUMBER="$(gcloud projects describe ${PROJECT_ID} --format='get(projectNumber)')"

Add IAM Policy bindings:

gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/container.developer

More info can be found here.

Amit Baranes
5

I believe it's not the CI service account but the k8s service account used to manage your GKE cluster, whose email should look like this (somebody must have deleted it):

k8s-service-account@<project-id>.iam.gserviceaccount.com

You can re-create it and give it project owner permissions.

Rico
  • I don't have such account. Maybe you refer to this account: "service-448608612002@container-engine-robot.iam.gserviceaccount.com"? – Naor Nov 21 '18 at 23:03
  • You need to create it. No not that one. – Rico Nov 21 '18 at 23:06
  • Suppose I create it, what do I do with it? Who will use it? – Naor Nov 21 '18 at 23:08
  • This will use it `gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}` – Rico Nov 21 '18 at 23:12
  • But I already created a service account with Kubernetes Engine Developer and Storage Admin roles. I use it for the `get-credentials` command and it fails. How creating another account with the same roles will help? – Naor Nov 21 '18 at 23:18
  • 3
    I removed the account and created it again with the same name and roles. And suddenly it works... gcloud bug. – Naor Nov 22 '18 at 09:01
  • What did you try? What are you trying to do? – Rico Aug 27 '19 at 23:19
3

In my case, these 2 steps solved my issue:

  1. In the command,

    gcloud container clusters get-credentials my-cluster-1 --zone=asia-south1-a --project=thelab-240901

the `--project` value should be the project ID, not the project name.

  2. In your Travis account, go to your project repository -> more options -> settings -> Environment Variables. Now make sure you have only one set of encrypted_iv and encrypted_key environment variables.

If you have encrypted different service accounts (JSON key files), this could add more than one set of encrypted_iv and encrypted_key environment variables. So, delete all those variables and freshly create the encrypted keys, maybe by using travis encrypt-file --pro yourServiceAccountJSONFile.json --add

vagdevi k
2

The details of the above-mentioned errors are explained in this help center article.

To add the Kubernetes Engine service account (if you don't have it), please run the following command, in order to properly recreate the Kubernetes service account with the "Kubernetes Engine Service Agent" role:

    gcloud services enable container.googleapis.com

Digil
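The bindings the answers on this page point at can be checked from the output of `gcloud projects get-iam-policy PROJECT --format=json` before anything is changed. The Python below is an added example, not code from any of the answers. It looks for a role granting `container.clusters.get` on the caller (the question's CI account, or the Cloud Build account from the answer above), and for the GKE service agent binding that the troubleshooting link in the error refers to: the `service-<project-number>@container-engine-robot.iam.gserviceaccount.com` identity named in the comments above, which `gcloud services enable container.googleapis.com` restores. It also models what `add-iam-policy-binding` does to the policy so the fix can be checked before it is applied. The role list is a partial one assumed for the example, and the project number and member names in the sample policy are made up.

```python
"""Check a project's IAM policy (shape of `gcloud projects get-iam-policy
PROJECT --format=json`) for the bindings `gcloud container clusters
get-credentials` depends on, and model `gcloud projects add-iam-policy-binding`.
Added example; not code from the original answers."""
import copy

# Predefined roles that include container.clusters.get. Partial list, assumed
# for this example; confirm against the IAM role reference for your project.
ROLES_WITH_CLUSTERS_GET = frozenset({
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/container.admin", "roles/container.clusterAdmin",
    "roles/container.developer", "roles/container.viewer",
    "roles/container.clusterViewer",
})

# Role GKE's own service agent needs; its absence is what the error's
# "gke_service_account_deleted" troubleshooting link is about.
GKE_SERVICE_AGENT_ROLE = "roles/container.serviceAgent"


def gke_service_agent(project_number):
    """IAM member string of the GKE service agent for a project."""
    return (f"serviceAccount:service-{project_number}"
            "@container-engine-robot.iam.gserviceaccount.com")


def cloud_build_service_account(project_number):
    """IAM member string of the default Cloud Build identity granted in the answer above."""
    return f"serviceAccount:{project_number}@cloudbuild.gserviceaccount.com"


def roles_for_member(policy, member):
    """All roles bound to `member` in the policy."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def add_iam_policy_binding(policy, member, role):
    """Return a new policy with `member` added to `role`, as the gcloud command does."""
    new = copy.deepcopy(policy)
    for binding in new.setdefault("bindings", []):
        if binding["role"] == role:
            if member not in binding["members"]:
                binding["members"].append(member)
            return new
    new["bindings"].append({"role": role, "members": [member]})
    return new


def check_get_credentials(policy, project_number, caller):
    """Findings for `caller` (a 'serviceAccount:...' or 'user:...' member) running get-credentials."""
    findings = []
    have = roles_for_member(policy, caller)
    if not have & ROLES_WITH_CLUSTERS_GET:
        findings.append(f"{caller} holds no role with container.clusters.get "
                        f"(holds: {sorted(have) or 'none'})")
    agent = gke_service_agent(project_number)
    if GKE_SERVICE_AGENT_ROLE not in roles_for_member(policy, agent):
        findings.append(f"{agent} lacks {GKE_SERVICE_AGENT_ROLE}: re-add the binding "
                        "or re-enable container.googleapis.com")
    return findings


# Constructed sample policy: project number and member names are made up.
# The CI account is set up as in the question; the GKE service agent binding
# is missing, which is the situation the error's troubleshooting link describes.
PROJECT_NUMBER = "123456789012"
CI_SA = "serviceAccount:ci@my-project-112233.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
        {"role": "roles/container.developer", "members": [CI_SA]},
        {"role": "roles/storage.admin", "members": [CI_SA]},
    ],
}


def fixed_policy():
    """SAMPLE_POLICY with the two bindings the answers on this page recommend."""
    p = add_iam_policy_binding(SAMPLE_POLICY, gke_service_agent(PROJECT_NUMBER),
                               GKE_SERVICE_AGENT_ROLE)
    return add_iam_policy_binding(p, cloud_build_service_account(PROJECT_NUMBER),
                                  "roles/container.developer")


if __name__ == "__main__":
    for who in (CI_SA, cloud_build_service_account(PROJECT_NUMBER)):
        print(who, "before:", check_get_credentials(SAMPLE_POLICY, PROJECT_NUMBER, who))
        print(who, "after: ", check_get_credentials(fixed_policy(), PROJECT_NUMBER, who))
```

Note that the first finding does not depend on the second: a caller holding Kubernetes Engine Developer (as in the question) still gets the 403 when the service agent binding is gone, which is why granting the CI account Owner did not help.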
2

Step 1 : gcloud init

Step 2 : Select [2] Create a new configuration

Step 3 : Enter configuration name. Names start with a lower case letter and contain only lower case letters a-z, digits 0-9, and hyphens '-': kubernetes-service-account

Step 4 : Choose the account you would like to use to perform operations for this configuration:[2] Log in with a new account

Step 5 : Do you want to continue (Y/n)? y

Step 6 : Copy and paste the link into your browser and log in with the ID which is used to create your Google Cloud account.

Step 7 : Copy the verification code provided by Google after login and paste it into the console.

Step 8 : Pick cloud project to use:

Step 9: Do you want to configure a default Compute Region and Zone? (Y/n)? y

Step 10 : Please enter numeric choice or text value (must exactly match list item): 8

Your Google Cloud SDK is configured and ready to use!

Robin Varghese
1

I had this problem using gcloud with my main owner account (!)

What fixed it was including --zone and --project params in the command to get the kubectl credentials.

Jason Wheeler
0

I faced this issue in different scenarios. Listing them below, hope it will help someone.

1. If you did a fresh installation of google-cloud-sdk then you must log in with gcloud using the below command.

    gcloud auth login

The above command will open your browser and ask for login with your GCP account.

2. Sometimes provisioning is not reflected. Hence I revoked my provision and granted access (in this case my role is Owner) again. Then it worked.
0

I was getting the same error when trying to connect to my newly created cluster:

gcloud container clusters get-credentials <foo-cluster> --zone europe-central2-a --project <foo-project>
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/foo-project/zones/europe-central2-a/clusters/foo-cluster".

I tried a few things:

  1. I enabled the Kubernetes API - no success

  2. I added a key to the service account and logged in using the downloaded key:

    gcloud auth activate-service-account --key-file=<path-to-the-downloaded-json-file>/foo-project-xxxx.json
    Activated service account credentials for: [xxxx-compute@developer.gserviceaccount.com]
    
  3. I ran:

    gcloud components update
    
  4. However, I had a problem retrieving data; all kubectl commands were giving TLS handshake timeout, for example kubectl get namespace was giving an error:

        Unable to connect to the server: net/http: TLS handshake timeout
    
  5. This is when I tried again:

    gcloud container clusters get-credentials <foo-cluster> --zone europe-central2-a --project <foo-project>
    

and it worked:

    Fetching cluster endpoint and auth data.
    kubeconfig entry generated for foo-project.

Marcin Kulik