The instructions below describe how to set up authentication credentials for managing GKE clusters through Banzai Cloud Pipeline.

If you are more comfortable with the gcloud command line interface, jump to Method 2.

Method 1: Google Cloud web console

To obtain the credentials for managing GKE clusters with Banzai Cloud Pipeline, complete the following steps:

Create a new project

Log in to the Google Cloud Console and create a new project.

Type in a name for the project (e.g. GkeClusters), then select the Organization the new project will be attached to and the Location.

Click CREATE

Wait for the API and its related services to be enabled. This may take several minutes.

Make sure that billing is enabled for your project. For details on how to enable billing for a project, follow this guide.

Enable APIs and Services for the project

Enable the following APIs and Services by searching for each one and clicking on it:

  • Kubernetes Engine API
  • Compute Engine API
  • Cloud Resource Manager API
  • Google Cloud Storage
  • IAM Service Account Credentials API

e.g.: Kubernetes Engine API

Create a service account

Create a service account within the project.

Click CREATE SERVICE ACCOUNT and fill in Service account name (e.g. gke-admin).

Click CREATE to continue

Assign roles to the service account

The roles listed below allow you to try all features of Banzai Cloud Pipeline. For its customers, Banzai Cloud offers a more granular list that contains only the permissions required by the features the customer decides to use.

Assign the following roles to the service account:

  • Kubernetes Engine Admin
  • Compute Admin
  • Storage Admin
  • Service Account Token Creator
  • Service Account User

Click CONTINUE and create a key for the service account. A public/private key pair will be generated for the service account, and the private key will be downloaded to your machine. The downloaded file is the only copy of your private key. You are responsible for storing that key securely.

Select JSON as the format for the key file that you will download to your machine.

Click DONE

Method 2: Command line

Download and install the Google Cloud CLI: Cloud SDK

On macOS you can use Homebrew:

brew install --cask google-cloud-sdk

Log in to Google Cloud:

gcloud auth login

Create a new project or reuse an existing one:

# Select an existing ...
$ gcloud projects list
PROJECT_ID  NAME  PROJECT_NUMBER

# or create a new project
$ gcloud projects create PROJECT_ID

Set the following shell variables:

SERVICE_ACCOUNT="gke-admin"
PROJECT="<PROJECT_ID>"

Select the project in the config:

gcloud config set project ${PROJECT}

Enable APIs and Services:

gcloud services enable \
    container.googleapis.com \
    compute.googleapis.com \
    cloudresourcemanager.googleapis.com \
    storage-component.googleapis.com \
    iamcredentials.googleapis.com

Create a new service account:

gcloud iam service-accounts create ${SERVICE_ACCOUNT} \
    --display-name "Service account used for managing GKE clusters"

Add the required roles to the newly created service account:

for role in "roles/container.admin" "roles/compute.viewer" "roles/storage.admin" "roles/iam.serviceAccountTokenCreator" "roles/iam.serviceAccountUser"
do
    gcloud projects add-iam-policy-binding ${PROJECT} \
        --member serviceAccount:${SERVICE_ACCOUNT}@${PROJECT}.iam.gserviceaccount.com \
        --role=${role}
done

Generate and save IAM keys:

gcloud iam service-accounts keys create ${PROJECT}.gcloud.json --iam-account=${SERVICE_ACCOUNT}@${PROJECT}.iam.gserviceaccount.com

Add this JSON key as a Google secret in Banzai Cloud Pipeline:

cat ${PROJECT}.gcloud.json
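
Before pasting the key into Pipeline, it is worth confirming that the file belongs to the intended service account and is readable only by its owner. The script below is an added example, not part of the original guide or of Banzai Cloud's tooling; the function names, the sample key contents and the example-project ID are constructed for illustration, and the field parser assumes the one-field-per-line layout that gcloud writes.

```shell
#!/bin/sh
# Added example: check a service account key file without printing the private key.

# Print the string value of a top-level JSON field. Assumes one
# "name": "value" pair per line, the layout of the key files gcloud writes.
json_field() {
    sed -n 's/^[[:space:]]*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the octal permission bits (GNU stat first, BSD/macOS stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# check_key FILE SERVICE_ACCOUNT PROJECT: 0 only for an owner-only key of that account.
check_key() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    status=0
    mode=$(file_mode "$1")
    case $mode in
        600|400) ;;
        *) echo "mode $mode is too open; run: chmod 600 $1" >&2; status=1 ;;
    esac
    [ "$(json_field "$1" type)" = "service_account" ] ||
        { echo "not a service account key" >&2; status=1; }
    [ "$(json_field "$1" client_email)" = "$2@$3.iam.gserviceaccount.com" ] ||
        { echo "client_email is not $2@$3.iam.gserviceaccount.com" >&2; status=1; }
    [ "$(json_field "$1" project_id)" = "$3" ] ||
        { echo "project_id is not $3" >&2; status=1; }
    echo "key id: $(json_field "$1" private_key_id)"
    return "$status"
}

# Constructed sample key file (placeholder values, not a real key).
write_sample_key() {
    cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000placeholder0000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "gke-admin@example-project.iam.gserviceaccount.com"
}
EOF
}

# Demo on the constructed file: a 0644 copy is rejected, a 0600 copy passes.
d=$(mktemp -d) && write_sample_key "$d/key.json" && chmod 644 "$d/key.json"
check_key "$d/key.json" gke-admin example-project || echo "rejected"
chmod 600 "$d/key.json" && check_key "$d/key.json" gke-admin example-project && echo "ok"
rm -rf "$d"
```

With the variables from the steps above, the call is check_key ${PROJECT}.gcloud.json ${SERVICE_ACCOUNT} ${PROJECT}; the printed key id identifies the key if it later needs to be revoked.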