Why do I get "get-credentials requires edit permission" error in gcloud on my terminal, when it succeeds in Cloud Shell?

Question

From my laptop, I am able to execute most gcloud commands, for example creating a cluster and many other commands. I have the Project Owner role.

But when I try to get credentials for a K8s cluster, I get a permission error. But in Cloud Shell, the command succeeds.

The logged-in account is the same in both.

% gcloud container clusters get-credentials my-first-cluster-1 --zone us-central1-c --project my-project
Fetching cluster endpoint and auth data.
ERROR: (gcloud.container.clusters.get-credentials) get-credentials requires edit permission on my-project
$ gcloud config list account --format "value(core.account)"
<MY EMAIL>

But in Cloud Shell, this succeeds!

$ gcloud container clusters get-credentials my-first-cluster-1 --zone us-central1-c --project my-project
Fetching cluster endpoint and auth data.
kubeconfig entry generated for my-first-cluster-1.
$ gcloud config list account --format "value(core.account)"
<MY EMAIL>

Answer 1

The error message is indeed incorrect and not very helpful in this case. This issue occurs when the gcloud config value container/use_client_certificate is set to True but no client certificate has been configured (note that client certificate is a legacy authentication method and is disabled by default for clusters created with GKE 1.12 and higher.). Setting it to False via the following gcloud command solves this issue:

gcloud config set container/use_client_certificate False

This config value is set to False by default in Cloud Shell, which explains the different behavior you experienced.