
I’m trying to push my Docker images to GCP Artifact Registry and eventually deploy to GKE. Authenticating is going successfully, however, the ‘get credentials’ step keeps giving me this error:

Error: google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s) for "projects/***/locations/***/clusters/***".

I have given my IAM user the following roles:

  • Container Analysis Admin
  • Editor
  • Kubernetes Engine Admin
  • Kubernetes Engine Cluster Admin
  • Kubernetes Engine Cluster Viewer
  • Kubernetes Engine Developer
  • Storage Admin


My GitHub workflow yaml file:

    name: Deploy to GKE

    on:
      push:
        branches:
          - main

    jobs:
      deploy:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout code
            uses: actions/checkout@v2

          - name: Set up Google Cloud CLI and SDK
            uses: google-github-actions/[email protected]
            with:
              service_account_key: ${{ secrets.GCP_SA_KEY }}
              project_id: ${{ secrets.GCP_PROJECT }}

          - name: Configure Docker
            run: |
              gcloud --quiet auth configure-docker

          - name: Authenticate to GCP
            uses: google-github-actions/auth@v2
            with:
              credentials_json: ${{ secrets.GCP_SA_KEY }}

          - name: Get credentials
            uses: google-github-actions/get-gke-credentials@v2
            with:
              cluster_name: ${{ secrets.GKE_CLUSTER }}
              location: ${{ secrets.GKE_ZONE }}

          - name: Build and push Docker images
            run: |
              docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/reponame/apigateway:latest ./ApiGateway
              docker build -t ${{ secrets.GKE_ZONE }}-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/reponame/likeservice:latest ./LikeService

and so on...

          - name: Apply Kubernetes manifests
            run: |
              kubectl apply -f K8S/mongo-config.yaml
              kubectl apply -f K8S/mongo-secret.yaml
              kubectl apply -f K8S/mongo-pv-storage.yaml

and so on...

The GitHub Secrets have been added to the repository.

The cluster is in us-central1-c and the artifact registry in us-central1 (Iowa).

How can this issue be solved?

2 Answers


  1. If you’re using a service account to authenticate and access the ACR and GKE cluster, you must have the following roles/permissions:

    These roles should be assigned to the service account in IAM.
  2. I got auth working using the newer, preferred "Direct Workload Identity Federation" option of google-github-actions/auth. There is no service account involved. It was difficult because the READMEs do not tell you enough to get any kubectl commands working (go figure), but hopefully my answer can fill in the gaps – google-github-actions/get-gke-credentials failed with: required "container.clusters.get" permission(s).

    The key concept to understand is that you are binding IAM roles to specific scenarios – calls containing specific properties (which can be trusted because they’re in tokens from GitHub Actions). You aren’t binding roles to users or accounts. This is the key concept that all of the documentation, even the gcloud documentation, fails to establish before explaining all the painful details.

    Once you do get it working though, it is nice.
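The two answers describe the two ways to give the workflow the `container.clusters.get` permission named in the error: bind a role to a service account (answer 1), or bind it to a GitHub-issued token principal through Direct Workload Identity Federation (answer 2). The script below is an added example written for this page, not code from the question, either answer, or the google-github-actions project. It assumes placeholder values for the project id, project number, repository, pool and provider names (all set near the top), and it picks `roles/container.developer` as the role because that predefined role carries `container.clusters.get` along with the Kubernetes API access that the later `kubectl apply` steps need. The `gcloud` calls only execute when `RUN_SETUP=1` is set and `gcloud` is installed; the helper functions that build the member and provider strings run anywhere.

```shell
#!/usr/bin/env sh
# Added example, not from the question or answers. Every value below is a placeholder
# assumption; replace it with your own project, repository and pool names.

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"          # placeholder project id
PROJECT_NUMBER="${PROJECT_NUMBER:-123456789012}"   # placeholder numeric project number
GITHUB_REPO="${GITHUB_REPO:-my-org/my-repo}"       # placeholder owner/name of the repo
POOL_ID="${POOL_ID:-github-pool}"                  # placeholder workload identity pool
PROVIDER_ID="${PROVIDER_ID:-github-provider}"      # placeholder OIDC provider in the pool

# roles/container.developer includes container.clusters.get (what get-gke-credentials
# needs) plus access to Kubernetes API objects for the kubectl apply steps.
ROLE="roles/container.developer"

# IAM member string for a service account (the path answer 1 describes).
sa_member() {
  printf 'serviceAccount:%s' "$1"
}

# Full resource name of the OIDC provider. This is the value the workflow passes to
# google-github-actions/auth as workload_identity_provider.
provider_resource() {
  printf 'projects/%s/locations/global/workloadIdentityPools/%s/providers/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$PROVIDER_ID"
}

# principalSet member that matches every token whose mapped attribute.repository equals
# the given repository. This is answer 2's point: the role is bound to a scenario
# described by token attributes, not to a user or service account.
repo_principal_set() {
  printf 'principalSet://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s/attribute.repository/%s' \
    "$PROJECT_NUMBER" "$POOL_ID" "$1"
}

# Answer 1 path: grant the role to an existing service account.
grant_to_service_account() {
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$(sa_member "$1")" --role="$ROLE"
}

# Answer 2 path: pool, OIDC provider trusting GitHub's token issuer, and the binding.
setup_direct_wif() {
  gcloud iam workload-identity-pools create "$POOL_ID" \
    --project="$PROJECT_ID" --location=global
  # Map GitHub token claims onto Google attributes. The attribute condition makes the
  # provider reject tokens from any other repository before IAM is even consulted.
  gcloud iam workload-identity-pools providers create-oidc "$PROVIDER_ID" \
    --project="$PROJECT_ID" --location=global \
    --workload-identity-pool="$POOL_ID" \
    --issuer-uri="https://token.actions.githubusercontent.com" \
    --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.ref=assertion.ref" \
    --attribute-condition="assertion.repository == '$GITHUB_REPO'"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$(repo_principal_set "$GITHUB_REPO")" --role="$ROLE"
}

# Check that the policy actually contains the member with the role; prints the member
# if the binding exists, nothing otherwise.
check_binding() {
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.role:$ROLE AND bindings.members:$1" \
    --format="value(bindings.members)"
}

# Only touch a real project when explicitly requested and gcloud is available.
if [ "${RUN_SETUP:-0}" = "1" ] && command -v gcloud >/dev/null 2>&1; then
  setup_direct_wif
  check_binding "$(repo_principal_set "$GITHUB_REPO")"
  echo "workload_identity_provider: $(provider_resource)"
fi
```

On the workflow side, the Direct WIF path replaces `credentials_json` on the `google-github-actions/auth@v2` step with `workload_identity_provider` set to the value `provider_resource` prints, and the job needs `permissions: id-token: write` so GitHub mints the OIDC token that the provider validates. If `check_binding` prints nothing, the `get-gke-credentials` step will keep failing with the same `container.clusters.get` error regardless of which step ordering the workflow uses.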