Keep getting permissions error gcloud.container.clusters.get-credentials
I am trying to integrate CircleCi with gcloud Kubernetes engine.
- I created a service account with Kubernetes Engine Developer and Storage Admin roles.
- Created CircleCi yaml file and configured CI.
Part of my yaml file includes:

    docker:
      - image: google/cloud-sdk
    environment:
      - PROJECT_NAME: 'my-project'
      - GOOGLE_PROJECT_ID: 'my-project-112233'
      - GOOGLE_COMPUTE_ZONE: 'us-central1-a'
      - GOOGLE_CLUSTER_NAME: 'my-project-bed'
    steps:
      - checkout
      - run:
          name: Setup Google Cloud SDK
          command: |
            apt-get install -qq -y gettext
            echo $GCLOUD_SERVICE_KEY > ${HOME}/gcloud-service-key.json
            gcloud auth activate-service-account --key-file=${HOME}/gcloud-service-key.json
            gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
            gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
            gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

Everything runs perfectly except the last command:

    gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}

It keeps failing with the error:

    ERROR: (gcloud.container.clusters.get-credentials) ResponseError: code=403, message=Required "container.clusters.get" permission(s) for "projects/my-project-112233/zones/us-central1-a/clusters/my-project-bed". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.
I tried to give the ci account the role of project owner but I still got that error.
I tried to disable and re-enable the Kubernetes Service but it didn't help.
Any idea how to solve this? I have been trying to solve it for 4 days...
kubernetes gcloud circleci google-kubernetes-engine
edited Nov 21 at 22:42
Rico
asked Nov 21 at 21:43
Naor
2 Answers
accepted
I believe it's not the CI Service account but the k8s service account used to manage your GKE cluster, where its email should look like this (Somebody must have deleted it):
k8s-service-account@<project-id>.iam.gserviceaccount.com
You can re-create it and give it project owner permissions.
answered Nov 21 at 22:53
Rico
I don't have such an account. Maybe you refer to this account: "service-448608612002@container-engine-robot.iam.gserviceaccount.com"?
– Naor, Nov 21 at 23:03
You need to create it. No, not that one.
– Rico, Nov 21 at 23:06
Suppose I create it, what do I do with it? Who will use it?
– Naor, Nov 21 at 23:08
This will use it: gcloud --quiet container clusters get-credentials ${GOOGLE_CLUSTER_NAME}
– Rico, Nov 21 at 23:12
I removed the account and created it again with the same name and roles. And suddenly it works... gcloud bug.
– Naor, Nov 22 at 9:01
The details of the above-mentioned errors are explained in this help center article.
To add the Kubernetes Engine Service account (if you don't have it), please run the following command, in order to properly recreate the Kubernetes Service Account with the "Kubernetes Engine Service Agent" role:

    gcloud services enable container.googleapis.com
answered Nov 22 at 17:00
Digil
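An added example, not part of either answer: a check over the project IAM policy for the conditions behind this 403, namely whether the CI account holds a role that includes `container.clusters.get` and whether the GKE service agent holds the "Kubernetes Engine Service Agent" role. It goes slightly beyond the thread by also flagging bindings still attached to a deleted account of the same email, which IAM lists with a `deleted:` prefix; the CI account email and the uid in the sample are constructed.

```python
import json

# Predefined roles known to include container.clusters.get (not exhaustive).
ROLES_WITH_CLUSTERS_GET = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/container.admin", "roles/container.clusterAdmin",
    "roles/container.developer", "roles/container.viewer",
    "roles/container.clusterViewer",
}
SERVICE_AGENT_ROLE = "roles/container.serviceAgent"  # "Kubernetes Engine Service Agent"


def audit_policy(policy, ci_email, project_number):
    """Report why get-credentials may return 403 for ci_email, from an IAM policy dict."""
    agent = f"serviceAccount:service-{project_number}@container-engine-robot.iam.gserviceaccount.com"
    live, stale, agent_ok = set(), set(), False
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member == f"serviceAccount:{ci_email}":
                live.add(role)
            # A deleted account keeps its bindings under a "deleted:" prefix with
            # the old uid; they do not apply to a new account with the same email.
            elif member.startswith(f"deleted:serviceAccount:{ci_email}?uid="):
                stale.add(role)
            elif member == agent and role == SERVICE_AGENT_ROLE:
                agent_ok = True
    findings = []
    if not live & ROLES_WITH_CLUSTERS_GET:
        findings.append("ci-account-lacks-container.clusters.get")
    if stale:
        findings.append("bindings-point-at-deleted-account")
    if not agent_ok:
        findings.append("gke-service-agent-role-missing")
    return {"live_roles": sorted(live), "stale_roles": sorted(stale), "findings": findings}


# Constructed sample, shaped like `gcloud projects get-iam-policy my-project-112233 --format=json`.
CI_EMAIL = "circleci@my-project-112233.iam.gserviceaccount.com"  # constructed name
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/container.developer",
   "members": ["deleted:serviceAccount:circleci@my-project-112233.iam.gserviceaccount.com?uid=100000000000000000001"]},
  {"role": "roles/storage.admin",
   "members": ["serviceAccount:circleci@my-project-112233.iam.gserviceaccount.com"]},
  {"role": "roles/container.serviceAgent",
   "members": ["serviceAccount:service-448608612002@container-engine-robot.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY, CI_EMAIL, "448608612002"))
```

A finding-free result means the 403 is not explained by project-level bindings, so the next thing to confirm is which identity `gcloud auth list` shows as active inside the CI job.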