I’m trying to push my Docker images to GCP Artifact Registry and eventually deploy to GKE. Authentication succeeds; however, the ‘get credentials’ step keeps giving me this error:
Error: google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s) for "projects/***/locations/***/clusters/***".
I have given my IAM user the following roles:
- Container Analysis Admin
- Editor
- Kubernetes Engine Admin
- Kubernetes Engine Cluster Admin
- Kubernetes Engine Cluster Viewer
- Kubernetes Engine Developer
- Storage Admin
My GitHub workflow yaml file:
name: Deploy to GKE
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Set up Google Cloud CLI and SDK
        uses: google-github-actions/[email protected]
        with:
          service_account_key: ${{ secrets.GCP_SA_KEY }}
          project_id: ${{ secrets.GCP_PROJECT }}
      - name: Configure Docker
        run: |
          gcloud --quiet auth configure-docker
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_SA_KEY }}
      - name: Get credentials
        uses: google-github-actions/get-gke-credentials@v2
        with:
          cluster_name: ${{ secrets.GKE_CLUSTER }}
          location: ${{ secrets.GKE_ZONE }}
      - name: Build and push Docker images
        run: |
          docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{secrets.GCP_PROJECT}}/reponame/apigateway:latest ./ApiGateway
          docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{secrets.GCP_PROJECT}}/reponame/likeservice:latest ./LikeService
          and so on...
      - name: Apply Kubernetes manifests
        run: |
          kubectl apply -f K8S/mongo-config.yaml
          kubectl apply -f K8S/mongo-secret.yaml
          kubectl apply -f K8S/mongo-pv-storage.yaml
          and so on...
The GitHub Secrets have been added to the repository.
The cluster is in us-central1-c and the artifact registry in us-central1 (Iowa).
How can this issue be solved?
2 Answers
If you’re using a service account to authenticate and access the ACR and GKE cluster, you must have the following roles/permissions:
- Artifact Registry Repository Administrator (roles/artifactregistry.repoAdmin)
- Kubernetes Engine Cluster Admin (roles/container.clusterAdmin)
These roles should be assigned to the service account in IAM.
I got auth working using the newer, preferred "Direct Workload Identity Federation" option of google-github-actions/auth. There is no service account involved. It was difficult because the readmes do not tell you enough to get any kubectl commands working (go figure), but hopefully my answer can fill in the gaps – google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s).
The key concept to understand is that you are binding IAM roles to specific scenarios – calls containing specific properties (which can be trusted because they’re in tokens from GitHub Actions). You aren’t binding roles to users or accounts. This is the key concept that all of the documentation, even the gcloud documentation, fails to establish before explaining all the painful details.
Once you do get it working though, it is nice.
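A diagnostic for the situation in the question, written as an added example for this thread (it is not code from google-github-actions, gcloud, or either answer). It takes the project's IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` prints, works out which principal the workflow really authenticates as, and reports which bindings grant `container.clusters.get`, the permission the error names. Both paths in the answers are modelled: the service-account member derived from the key file's `client_email` (first answer), and the direct Workload Identity Federation `principalSet://` member keyed on the GitHub token's `repository` attribute (second answer). The policy, key file, project number, pool name and repository are constructed samples, and the role-to-permission table is an assumed subset, not GCP's full role catalogue.

```python
"""Which principal does the workflow run as, and does it hold a role that
carries container.clusters.get?  Added example, not project code."""
import json
from typing import Dict, List, Set

# Assumption: a hand-picked subset of predefined roles that carry
# container.clusters.get.  Check the real role catalogue before relying on it.
ROLES_WITH_CLUSTERS_GET = {
    "roles/editor",
    "roles/container.admin",
    "roles/container.clusterAdmin",
    "roles/container.clusterViewer",
    "roles/container.developer",
}

# Constructed sample in the shape gcloud prints.  The human developer holds
# the GKE roles; the CI service account only holds an Artifact Registry role
# plus an expired conditional binding, which reproduces the question's error.
SAMPLE_POLICY_JSON = r"""
{
  "bindings": [
    {"role": "roles/container.clusterAdmin", "members": ["user:dev@example.com"]},
    {"role": "roles/editor", "members": ["user:dev@example.com"]},
    {"role": "roles/artifactregistry.writer",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/container.developer",
     "members": ["serviceAccount:ci@example-proj.iam.gserviceaccount.com"],
     "condition": {"title": "temp-access",
                   "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")"}},
    {"role": "roles/container.clusterViewer",
     "members": ["principalSet://iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/github-pool/attribute.repository/example-org/example-repo"]}
  ],
  "etag": "BwXyz",
  "version": 1
}
"""
SAMPLE_POLICY: Dict = json.loads(SAMPLE_POLICY_JSON)

# Constructed stand-in for the file stored in the GCP_SA_KEY secret
# (only the fields this check reads; no real key material).
SAMPLE_SA_KEY_JSON = """
{"type": "service_account", "project_id": "example-proj",
 "client_email": "ci@example-proj.iam.gserviceaccount.com",
 "private_key_id": "placeholder"}
"""


def principal_from_sa_key(key_json: str) -> str:
    """IAM member string for the account behind a service-account key file."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service-account key file")
    return "serviceAccount:" + key["client_email"]


def principal_from_github_repo(project_number: str, pool_id: str, repository: str) -> str:
    """IAM member string for direct Workload Identity Federation, selecting
    tokens whose `repository` attribute matches (the 'scenario' binding the
    second answer describes); no service account is involved."""
    return (
        f"principalSet://iam.googleapis.com/projects/{project_number}"
        f"/locations/global/workloadIdentityPools/{pool_id}"
        f"/attribute.repository/{repository}"
    )


def roles_granting_clusters_get(policy: Dict, member: str) -> List[str]:
    """Roles bound unconditionally to `member` that carry container.clusters.get."""
    granted = []
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue  # needs the CEL condition evaluated; not modelled here
        if member in binding.get("members", []) and binding["role"] in ROLES_WITH_CLUSTERS_GET:
            granted.append(binding["role"])
    return granted


def members_with_clusters_get(policy: Dict) -> Set[str]:
    """Every principal that unconditionally holds a qualifying role."""
    return {
        m
        for b in policy.get("bindings", [])
        if "condition" not in b and b["role"] in ROLES_WITH_CLUSTERS_GET
        for m in b.get("members", [])
    }


def diagnose(policy: Dict, member: str) -> str:
    roles = roles_granting_clusters_get(policy, member)
    if roles:
        return f"{member}: container.clusters.get granted via {', '.join(roles)}"
    return f"{member}: NO role with container.clusters.get; get-gke-credentials will fail"


if __name__ == "__main__":
    sa = principal_from_sa_key(SAMPLE_SA_KEY_JSON)
    wif = principal_from_github_repo("123456789", "github-pool", "example-org/example-repo")
    for principal in (sa, "user:dev@example.com", wif):
        print(diagnose(SAMPLE_POLICY, principal))
    print("holders:", sorted(members_with_clusters_get(SAMPLE_POLICY)))
```

Fed the real policy JSON and the real key file, the sample output shows the mismatch behind the error: the roles listed in the question sit on the human `user:` member, while the workflow authenticates as the `serviceAccount:` member named in the key (or, with direct WIF, as the `principalSet://` member), and only bindings on that member count.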