Keep getting permissions error gcloud.container.clusters.get-credentials

Question

I am trying to integrate CircleCi with gcloud Kubernetes engine.

1. I created a service account with Kubernetes Engine Developer and Storage Admin roles.
2. Created CircleCi yaml file and configured CI.

Part of my yaml file includes:

docker:
            - image: google/cloud-sdk
        environment:
            - PROJECT_NAME: 'my-project'
            - GOOGLE_PROJECT_ID: 'my-project-112233'
            - GOOGLE_COMPUTE_ZONE: 'us-central1-a'
            - GOOGLE_CLUSTER_NAME: 'my-project-bed'
        steps:
            - checkout
            - run:
                  name: Setup Google Cloud SDK
                  command: |
                      apt-get install -qq -y gettext
                      echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
                      gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
                      gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
                      gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
                      gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

Everything runs perfectly except that the last command:

gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

It keeps failing with the error:

ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.

I tried to give the ci account the role of project owner but I still got that error.

I tried to disable and re-enable the Kubernetes Service but it didn't help.

Any idea how to solve this? I am trying to solve it for 4 days...

Answer 1

I believe it's not the CI Service account but the k8s service account used to manage your GKE cluster, where its email should look like this (Somebody must have deleted it):

k8s-service-account@<project-id>.iam.gserviceaccount.com

You can re-create it an give it project owner permissions.

Answer 2

This is an old thread, this is how this issue handled today in case using cloud build :

Granting Cloud Build access to GKE

To deploy the application in your Kubernetes cluster, Cloud Build needs the Kubernetes Engine Developer Identity and Access Management Role.

Get Project Number:

PROJECT_NUMBER="$(gcloud projects describe ${PROJECT_ID} --format='get(projectNumber)')"

Add IAM Policy bindings:

gcloud projects add-iam-policy-binding ${PROJECT_NUMBER} \
    --member=serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com \
    --role=roles/container.developer

More info can be found here.

Answer 3

Step 1 : gcloud init

Step 2 : Select [2] Create a new configuration

Step 3 : Enter configuration name. Names start with a lower case letter and contain only lower case letters a-z, digits 0-9, and hyphens '-': kubernetes-service-account

Step 4 : Choose the account you would like to use to perform operations for this configuration:[2] Log in with a new account

Step 5 : Do you want to continue (Y/n)? y

Step 6 : Copy paste the link to brwoser and login with the ID which is used to create your google Cloud Account

Step 7 : Copy the verification code provided by google after login and paste it in to the console.

Step 8 : Pick cloud project to use:

Step 9: Do you want to configure a default Compute Region and Zone? (Y/n)? y

Step 10 : Please enter numeric choice or text value (must exactly match list item): 8

Your Google Cloud SDK is configured and ready to use!