Authorizing the Google Cloud SDK
This document explains how to install and authorize the Google Cloud SDK in your primary container.
- Installing the Google Cloud SDK
- Creating and storing a service account
- Authenticating to Google Container Registry
- Authorization
Overview
The Google Cloud SDK is a powerful set of tools that can be used to access Google Cloud Platform (GCP) services like Google Compute Engine and Google Kubernetes Engine. On CircleCI, the Google Cloud SDK is recommended to deploy your application to GCP products.
Prerequisites
- A CircleCI project.
- A GCP project.
Installing the Google Cloud SDK
If Debian is an acceptable operating system for your primary container, consider using Google’s base Docker image. You can find this image on DockerHub as google/cloud-sdk.
Otherwise, follow the Google Cloud SDK installation instructions for your base image’s operating system.
Creating and storing a service account
Before you can use any tools in the Google Cloud SDK, you must authorize gcloud. Google offers two types of authorization: user accounts and service accounts. Because you are installing the Cloud SDK on CircleCI, the service account is the appropriate choice.
-
Create a service account by following Steps 1-3 of Google’s instructions. Remember to download the JSON-formatted key file.
-
Add the key file to CircleCI as a project environment variable. In this example, the variable is named
GCLOUD_SERVICE_KEY. Using this particular name is not required, but it will be used throughout the examples in this document. -
For convenience, add two more environment variables to your CircleCI project:
-
GOOGLE_PROJECT_ID: the ID of your GCP project. -
GOOGLE_COMPUTE_ZONE: the default compute zone.
-
Adding granular permissions
If you are having issues pushing container images to GCR you may need more granular permissions than the default service account provides. You can grant permission changes in the Cloud Storage IAM Console.
Refer to the Cloud Storage permission documentation to learn more about Identity and Access Management (IAM) permissions.
Authenticating to Google Container Registry
Depending on the base Docker image you chose, you may have to authenticate to the Google Container Registry.
version: 2.1
jobs:
deploy:
docker:
- image: google/cloud-sdk
auth:
username: mydockerhub-user
password: $DOCKERHUB_PASSWORD # context / project UI env-var reference
If you are using a custom image, you must authenticate to GCR. Use the auth key to specify credentials.
version: 2.1
jobs:
deploy:
docker:
- image: gcr.io/project/<image-name>
auth:
username: _json_key # default username when using a JSON key file to authenticate
password: $GCLOUD_SERVICE_KEY # JSON service account you created, do not encode to base64
Note: If base64 encoding is required for your particular workflow, use the following command:
cat <file> | base64 -w 0
Authorization
Use gcloud to authorize the Google Cloud SDK and set several default settings. Before executing this command, make sure to write the key to a file before running this command, otherwise, the key file will be interpreted as a .p12 file.
version: 2.1
jobs:
deploy:
docker:
- image: google/cloud-sdk
auth:
username: mydockerhub-user
password: $DOCKERHUB_PASSWORD # context / project UI env-var reference
steps:
- run: |
echo $GCLOUD_SERVICE_KEY | gcloud auth activate-service-account --key-file=-
gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}
Note: If you are using a custom base image, ensure that you have the most recent components by adding the following command before authorizing the SDK.
sudo gcloud --quiet components update
Help make this document better
This guide, as well as the rest of our docs, are open source and available on GitHub. We welcome your contributions.
- Suggest an edit to this page (please read the contributing guide first).
- To report a problem in the documentation, or to submit feedback and comments, please open an issue on GitHub.
- CircleCI is always seeking ways to improve your experience with our platform. If you would like to share feedback, please join our research community.
Need support?
Our support engineers are available to help with service issues, billing, or account related questions, and can help troubleshoot build configurations. Contact our support engineers by opening a ticket.
You can also visit our support site to find support articles, community forums, and training resources.
CircleCI Documentation by CircleCI is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
