The instructions below describe how to set up authentication credentials for managing GKE clusters through Banzai Cloud Pipeline.
If you are more comfortable with the gcloud command line interface, jump to Method 2.
Method 1: Google Cloud web console
To obtain the credentials for managing GKE clusters with Banzai Cloud Pipeline, complete the following steps:
- Create a new project
- Enable APIs and Services for the project
- Create a service account
- Assign roles to the service account
Create a new project
Log in to the Google Cloud Console and create a new project.
Type in a name for the project (e.g. GkeClusters) and select the Organization the created project is to be attached to, as well as the Location.
Click CREATE
Wait for the API and its related services to be enabled. This may take several minutes.
Make sure that billing is enabled for your project. For details on how to enable billing for a project, follow this guide.
Enable APIs and Services for the project
Enable the following APIs and Services by searching for each item (e.g. Kubernetes Engine API) and clicking on it:
- Kubernetes Engine API
- Compute Engine API
- Cloud Resource Manager API
- Google Cloud Storage
- IAM Service Account Credentials API
Create a service account
Create a service account within the project.
Click CREATE SERVICE ACCOUNT and fill in Service account name (e.g. gke-admin).
Click CREATE to continue
Assign roles to the service account
The role list below allows you to try all features of Banzai Cloud Pipeline. For its customers, Banzai Cloud offers a more granular list containing only the permissions required for the features the customer decides to use.
Assign the following roles to the service account:
- Kubernetes Engine Admin
- Compute Admin
- Storage Admin
- Service Account Token Creator
- Service Account User
Click CONTINUE and create a key for the service account. A public/private key pair will be generated for the service account and downloaded to your machine. It serves as the only copy of your private key. You are responsible for storing that key securely.
Select JSON as the format for the key file that you will download to your machine.
Click DONE
Method 2: Command line
Download and install the Google Cloud CLI: Cloud SDK
On macOS you can use Homebrew:
brew install --cask google-cloud-sdk
Log in to Google Cloud:
gcloud auth login
Create a new project or reuse an existing one:
# Select an existing ...
$ gcloud projects list
PROJECT_ID NAME PROJECT_NUMBER
# or create a new project
$ gcloud projects create PROJECT_ID
Set the following shell variables:
SERVICE_ACCOUNT="gke-admin"
PROJECT="<PROJECT_ID>"
Select the project in the config:
gcloud config set project ${PROJECT}
Enable APIs and Services:
gcloud services enable \
  container.googleapis.com \
  compute.googleapis.com \
  cloudresourcemanager.googleapis.com \
  storage-component.googleapis.com \
  iamcredentials.googleapis.com
Create a new service account:
gcloud iam service-accounts create ${SERVICE_ACCOUNT} \
  --display-name "Service account used for managing GKE clusters"
Add the required roles to the newly created service account:
for role in \
  "roles/container.admin" \
  "roles/compute.viewer" \
  "roles/storage.admin" \
  "roles/iam.serviceAccountTokenCreator" \
  "roles/iam.serviceAccountUser"
do
  gcloud projects add-iam-policy-binding ${PROJECT} \
    --member serviceAccount:${SERVICE_ACCOUNT}@${PROJECT}.iam.gserviceaccount.com \
    --role=${role}
done
Generate and save IAM keys:
gcloud iam service-accounts keys create ${PROJECT}.gcloud.json --iam-account=${SERVICE_ACCOUNT}@${PROJECT}.iam.gserviceaccount.com
Add this JSON key as a Google secret in Banzai Cloud Pipeline:
cat ${PROJECT}.gcloud.json
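Because the generated key file is the only copy of the private key, it is worth checking it before pasting it anywhere. The following is an added example, not part of the original Banzai Cloud instructions: `check_sa_key` and `make_sample_key` are hypothetical helper names, the sample key is constructed with placeholder values, and the check assumes the standard `type` and `client_email` fields of a Google service account JSON key.

```shell
#!/bin/sh
# Added example: sanity-check a service account key file before handing it
# to another tool. check_sa_key is a hypothetical helper name.
# Usage: check_sa_key <key-file> <expected-service-account-email>
check_sa_key() {
    key_file=$1
    expected_email=$2

    # The file must exist and be a regular file, not a symlink.
    if [ ! -f "$key_file" ] || [ -L "$key_file" ]; then
        echo "FAIL: $key_file is missing or is a symlink" >&2
        return 1
    fi

    # Group and other must have no access (e.g. mode 0600 or 0400).
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ln "$key_file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key_file is accessible to group/other; run chmod 600" >&2
        return 1
    fi

    # It must be a service account key, not a user or external credential.
    if ! grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key_file"; then
        echo "FAIL: $key_file is not a service_account key" >&2
        return 1
    fi

    # It must belong to the account that was created for Pipeline.
    actual_email=$(sed -n 's/.*"client_email"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$key_file")
    if [ "$actual_email" != "$expected_email" ]; then
        echo "FAIL: key is for '$actual_email', expected '$expected_email'" >&2
        return 1
    fi
    return 0
}

# Constructed sample key (placeholder values, no real key material),
# written with a restrictive umask so it is created with mode 0600.
make_sample_key() {
    ( umask 077
      printf '%s\n' '{' \
        '  "type": "service_account",' \
        '  "project_id": "example-project",' \
        '  "private_key": "PLACEHOLDER",' \
        '  "client_email": "gke-admin@example-project.iam.gserviceaccount.com"' \
        '}' > "$1" )
}
```

With the variables from the steps above, the call would be `check_sa_key "${PROJECT}.gcloud.json" "${SERVICE_ACCOUNT}@${PROJECT}.iam.gserviceaccount.com"`.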