Authenticate to GKE cluster without setting GOOGLE_APPLICATION_CREDENTIALS environment variable

Question

What is the best way to authenticate to a GKE cluster without actually setting env variables for GOOGLE_APPLICATION_CREDENTIALS or KUBECONFIG. I have an application running on a container which has to communicate with multiple GKE clusters at once. Hence I am trying to generate the kubeconfig yaml file on the fly like so. But when I try to run any kubectl commands I get a non authorized error as it is expecting the service account creds to be set in the environment variable. Is there any way to actually avoid this and auth to multiple clusters on the fly by generating the kubeconfig file ?

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {{.CertData}}
    server: {{.MasterURL}}
  name: {{.ClusterName}}
contexts:
- context:
    cluster: {{.ClusterName}}
    user: {{.ClusterName}}
  name: {{.ClusterName}}
current-context: {{.ClusterName}}
kind: Config
preferences: {}
users:
- name: {{.ClusterName}}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: /usr/local/bin/gcloud/google-cloud-sdk/bin/gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: {{.ClusterName}}

Why don't you use Workload Identity? – guillaume blaquiere Jun 15 '22 at 19:16 — guillaume blaquiere, Jun 15 '22 at 19:16

score 1 · Accepted Answer · answered Jun 15 '22 at 20:01

I ended up using oauth2 to generate a token and inpute that value in the kubeconfig token.

Sample code to extract the token


func getGKEToken(creds []byte, ctx context.Context) (string, error){
    var token *oauth2.Token
    scopes := []string{"https://www.googleapis.com/auth/cloud-platform",}
    cred, err := auth.CredentialsFromJSON(ctx, creds, scopes...)
    if err != nil {
        fmt.Printf("Failed to authenticate using credentials to extract token. Error %s \n", err.Error())
        return "", err
    }
    
    token, err = cred.TokenSource.Token()
    if err != nil {
        return "", err
    }

    return token.AccessToken, nil
}

GKE kubeconfig template

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: {{.CertData}}
    server: {{.MasterURL}}
  name: {{.ClusterName}}
contexts:
- context:
    cluster: {{.ClusterName}}
    user: {{.ClusterName}}
  name: {{.ClusterName}}
current-context: {{.ClusterName}}
kind: Config
preferences: {}
users:
- name: {{.ClusterName}}
  user:
    token: {{.AccessToken}}

Authenticate to GKE cluster without setting GOOGLE_APPLICATION_CREDENTIALS environment variable

1 Answers1