Keep getting permissions error gcloud.container.clusters.get-credentials

11/21/2018

I am trying to integrate CircleCi with gcloud Kubernetes engine.

  1. I created a service account with Kubernetes Engine Developer and Storage Admin roles.
  2. Created CircleCi yaml file and configured CI.

Part of my yaml file includes:

    docker:
      - image: google/cloud-sdk
    environment:
      - PROJECT_NAME: 'my-project'
      - GOOGLE_PROJECT_ID: 'my-project-112233'
      - GOOGLE_COMPUTE_ZONE: 'us-central1-a'
      - GOOGLE_CLUSTER_NAME: 'my-project-bed'
    steps:
      - checkout
      - run:
          name: Setup Google Cloud SDK
          command: |
            apt-get install -qq -y gettext
            # quoted so the key JSON is written byte-for-byte, without word splitting
            echo "$GCLOUD_SERVICE_KEY" > "${HOME}/gcloud-service-key.json"
            gcloud auth activate-service-account --key-file="${HOME}/gcloud-service-key.json"
            gcloud --quiet config set project "${GOOGLE_PROJECT_ID}"
            gcloud --quiet config set compute/zone "${GOOGLE_COMPUTE_ZONE}"
            gcloud --quiet container clusters get-credentials "${GOOGLE_CLUSTER_NAME}"

Everything runs perfectly except the last command:

gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

It keeps failing with the error:

ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.

I tried to give the CI account the role of project owner, but I still got that error.

I tried to disable and re-enable the Kubernetes Engine service, but it didn't help.

Any idea how to solve this? I am trying to solve it for 4 days...

-- Naor
circleci
gcloud
google-kubernetes-engine
kubernetes

3 Answers

11/22/2018

The details of the above-mentioned error are explained in this help center article.

To add the Kubernetes Engine service account (if you don't have it), please run the following command in order to properly recreate the Kubernetes service account with the "Kubernetes Engine Service Agent" role:

gcloud services enable container.googleapis.com
-- Digil
Source: StackOverflow

6/13/2019

Step 1: gcloud init

Step 2: Select [2] Create a new configuration

Step 3: Enter configuration name. Names start with a lower case letter and contain only lower case letters a-z, digits 0-9, and hyphens '-': kubernetes-service-account

Step 4: Choose the account you would like to use to perform operations for this configuration: [2] Log in with a new account

Step 5: Do you want to continue (Y/n)? y

Step 6: Copy and paste the link into a browser and log in with the ID that was used to create your Google Cloud account

Step 7: Copy the verification code provided by Google after login and paste it into the console.

Step 8: Pick cloud project to use:

Step 9: Do you want to configure a default Compute Region and Zone? (Y/n)? y

Step 10: Please enter numeric choice or text value (must exactly match list item): 8

Your Google Cloud SDK is configured and ready to use!

-- Robin Varghese
Source: StackOverflow

11/21/2018

I believe it's not the CI service account but the k8s service account used to manage your GKE cluster, whose email should look like this (somebody must have deleted it):

k8s-service-account@<project-id>.iam.gserviceaccount.com


You can re-create it and give it project owner permissions.


-- Rico
Source: StackOverflow
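Digil's and Rico's answers both point at the same two things to check: whether the CI account actually holds a role that grants `container.clusters.get`, and whether the Google-managed GKE service agent is still bound in the project. The following script, added here as an example and not taken from the question or either answer, checks both against the JSON printed by `gcloud projects get-iam-policy PROJECT --format=json`. It assumes the service agent is named `service-<PROJECT_NUMBER>@container-engine-robot.iam.gserviceaccount.com` with role `roles/container.serviceAgent`; the project number, the `circleci@...` account name and the embedded policy are constructed sample values.

```python
import json

# Predefined roles that include container.clusters.get (non-exhaustive; custom
# roles would have to be checked by listing their permissions).
ROLES_WITH_CLUSTERS_GET = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/container.admin", "roles/container.developer",
    "roles/container.viewer", "roles/container.clusterViewer",
}


def gke_service_agent(project_number: str) -> str:
    """IAM member string of the Google-managed GKE service agent (assumed naming)."""
    return f"serviceAccount:service-{project_number}@container-engine-robot.iam.gserviceaccount.com"


def roles_for(policy: dict, member: str) -> set:
    """All roles bound to `member`. A deleted account shows up as
    'deleted:serviceAccount:...?uid=...', so it no longer matches here."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def diagnose(policy: dict, project_number: str, ci_member: str) -> dict:
    ci_roles = roles_for(policy, ci_member)
    agent_roles = roles_for(policy, gke_service_agent(project_number))
    return {
        "ci_can_get_clusters": bool(ci_roles & ROLES_WITH_CLUSTERS_GET),
        "service_agent_bound": "roles/container.serviceAgent" in agent_roles,
    }


# Constructed sample policy: the CI account has Kubernetes Engine Developer and
# Storage Admin (as in the question), but the GKE service agent binding is gone.
CI_MEMBER = "serviceAccount:circleci@my-project-112233.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/container.developer", "members": ["%s"]},
    {"role": "roles/storage.admin", "members": ["%s"]}
  ]
}""" % (CI_MEMBER, CI_MEMBER))

if __name__ == "__main__":
    result = diagnose(SAMPLE_POLICY, "123456789012", CI_MEMBER)
    print(result)
    if not result["service_agent_bound"]:
        print("GKE service agent missing; re-enable the API so Google recreates it:")
        print("  gcloud services enable container.googleapis.com")
```

On a real project, replace `SAMPLE_POLICY` with `json.load()` of the `get-iam-policy` output and pass the project's real number; a `True`/`False` result for the two keys tells you which of the two answers applies.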