How to get access to GKE with service account key

Preface: One day a colleague asked me, "How do I set up GKE cluster access for kubectl?" I replied, "Where do you want to operate the cluster from with kubectl?" He said, "The project was outsourced to him: he developed the API and containerized it, and it is deployed to GKE through a GitLab pipeline, but all he has is the cert key used by the Runner server."
I asked, "How does the pipeline's deploy job deploy the service's deployment?" He replied, "He can't see it, the script is hidden away, but he wants to use kubectl locally to check the service's running status." I said, "OK, let me look into how this can be done."

So I wrote down the process.

  1. First, I obtained the service account's key.

Its contents look roughly like this. cicd-sa@project-id.iam.gserviceaccount.com is his service account email, and project-id is the project ID the service account belongs to.

$ cat sa-cert.json
{
  "type": "service_account",
  "project_id": "project-id",
  "private_key_id": "1234567889xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "private_key": "-----BEGIN PRIVATE KEY-----\n[redacted]\n-----END PRIVATE KEY-----\n",
  "client_email": "cicd-sa@project-id.iam.gserviceaccount.com",
  "client_id": "00000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cicd-sa%40cgh-hc-ut.iam.gserviceaccount.com"
}
  2. Next, I ran gcloud auth activate-service-account with sa-cert.json as the key file to initialize auth. If no error appears, the setup succeeded.

If an error appears, check whether sa-cert.json is correct, or check the local computer's clock (the key is used to sign a time-stamped JWT that is exchanged for an access token, so a skewed clock makes the exchange fail).

$ gcloud auth activate-service-account --key-file=sa-cert.json
# Activated service account credentials for cicd-sa@project-id.iam.gserviceaccount.com
  3. You can confirm the setup succeeded with gcloud auth list.
$ gcloud auth list

Credentialed Accounts

ACTIVE  ACCOUNT
        your-account@mail.com
*       cicd-sa@cgh-hc-ut.iam.gserviceaccount.com

To set the active account, run:
    $ gcloud config set account ACCOUNT
Updates are available for some Cloud SDK components.  To install them,
please run:
  $ gcloud components update
  4. Next, I ran gcloud container clusters get-credentials with the cluster name to get kubectl access.
$ gcloud container clusters get-credentials GKE_CLUSTER_NAME --region GKE_CLUSTER_REGION --project PROJECT_ID
# Fetching cluster endpoint and auth data. <- if this line appears, the setup succeeded.
  5. Then I ran kubectl get pods to check the pod status.
$ kubectl get pods
NAME                     READY   STATUS    RESTARTS   AGE
app-1-7d5cdf64f-4dgbg    1/1     Running   0          10m
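The steps above (activate the service account, fetch cluster credentials, run kubectl) wrapped into a script, as an added example that is not part of the original post. It adds the two checks a practitioner wants before handing a long-lived key to gcloud: the key file has the fields gcloud expects and is not readable by other users, and the service account credential is activated in a throwaway gcloud configuration directory (CLOUDSDK_CONFIG) so it never becomes the active account of the operator's normal gcloud config and is revoked when the script finishes. GKE_CLUSTER_NAME, GKE_CLUSTER_REGION and PROJECT_ID are the same placeholders the post uses; sa-cert.json is assumed to be the key file from step 1.

```shell
#!/bin/sh
# Added example (not from the original post). Validates a service-account key
# file, then runs the post's gcloud/kubectl steps in an isolated gcloud config
# directory. Cluster name, region and project are placeholders supplied by the
# caller.

# Return 0 if the key file looks like a usable, properly protected
# service-account key; print the reason to stderr and return 1 otherwise.
check_sa_key() {
  key="$1"
  [ -r "$key" ] || { echo "key file not readable: $key" >&2; return 1; }

  # The key is a long-lived credential: refuse files readable by group/others.
  # Characters 5-10 of 'ls -l' are the group and other permission bits.
  case "$(ls -l "$key" | cut -c5-10)" in
    ------) ;;
    *) echo "key file must be chmod 600 (group/world readable): $key" >&2; return 1 ;;
  esac

  # Fields gcloud needs; all are present in the post's sa-cert.json.
  for field in type project_id private_key client_email token_uri; do
    grep -q "\"$field\"" "$key" || { echo "missing field: $field" >&2; return 1; }
  done
  grep -q '"type": *"service_account"' "$key" \
    || { echo "not a service_account key" >&2; return 1; }
  grep -q 'BEGIN PRIVATE KEY' "$key" \
    || { echo "private_key is not a PEM private key" >&2; return 1; }
  return 0
}

# Print the client_email so the operator can confirm which identity is used.
sa_email() {
  sed -n 's/.*"client_email": *"\([^"]*\)".*/\1/p' "$1"
}

# Run the post's steps inside a subshell whose CLOUDSDK_CONFIG and KUBECONFIG
# point at a temporary directory. When the subshell exits, the credential is
# revoked and the directory removed, so neither the SA credential nor the
# cluster kubeconfig entry lingers in the operator's home directory.
gke_access() {
  key="$1"; cluster="$2"; region="$3"; project="$4"; shift 4
  check_sa_key "$key" || return 1
  (
    tmpcfg=$(mktemp -d) || exit 1
    trap 'gcloud auth revoke --all --quiet >/dev/null 2>&1; rm -rf "$tmpcfg"' EXIT
    export CLOUDSDK_CONFIG="$tmpcfg"
    export KUBECONFIG="$tmpcfg/kubeconfig"
    echo "using service account: $(sa_email "$key")" >&2
    gcloud auth activate-service-account --key-file="$key" || exit 1
    gcloud container clusters get-credentials "$cluster" \
      --region "$region" --project "$project" || exit 1
    kubectl "$@"
  )
}

# Usage (placeholders as in the post):
#   gke_access sa-cert.json GKE_CLUSTER_NAME GKE_CLUSTER_REGION PROJECT_ID get pods
```

For a zonal cluster, replace --region with --zone. If get-credentials fails with a permission error, the service account lacks the Kubernetes Engine Viewer role (roles/container.viewer), which is the least privilege needed for this read-only use; a pipeline key that also carries deploy permissions is more than a "look at pod status" task requires, and a separate viewer-only service account is the better fit.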

References:

December 15, 2021, Neil Kuan


Tags: IAM, GCP, GKE