CircleCI: Authorizing the Google Cloud SDK
# Prerequisites
- Follow the steps outlined in "Authorizing Cloud SDK tools: Authorizing with a service account". You should have downloaded a JSON file with service account credentials. Name this `key-file.json`. The structure of this file is given below.

`key-file.json`:

```json
{
  "type": "service_account",
  "project_id": "project_id",
  "private_key_id": "private_key_id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDY9QjNh89vZrS8\nKS1dNMqPRkVbefY9N5cMvw==\n-----END PRIVATE KEY-----\n",
  "client_email": "client_email",
  "client_id": "client_id",
  "auth_uri": "auth_uri",
  "token_uri": "token_uri",
  "auth_provider_x509_cert_url": "auth_provider_x509_cert_url",
  "client_x509_cert_url": "client_x509_cert_url"
}
```
- If you're planning on deploying in your CircleCI job, you should convert this to a single line using:

```bash
cat key-file.json | awk '{print}' ORS=' ' | pbcopy
```

or if that does not work:

```bash
cat key-file.json | awk '{print}' ORS='\\n' | pbcopy
```

Then add an environment variable called `GCLOUD_SERVICE_KEY` with the value of the previous command (a CTRL+V is enough, as `pbcopy` puts it into the clipboard).
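A preflight check for the flattened value, as an added example that is not part of the original post: `flatten_key` mirrors the `awk '{print}' ORS=' '` command, `key_problems` confirms the result still parses as a service-account key without printing any of it, and `write_key_file` writes it with mode 0600. The function names and the sample key are constructed for illustration.

```python
import json
import os

# Field names taken from the key-file.json structure shown above.
REQUIRED = ("type", "project_id", "private_key_id", "private_key",
            "client_email", "client_id", "token_uri")

def flatten_key(text):
    """Same effect as awk '{print}' ORS=' ': every line followed by a space."""
    return "".join(line + " " for line in text.splitlines())

def key_problems(value):
    """Problems with a GCLOUD_SERVICE_KEY value; messages never contain field values."""
    if "\n" in value.strip():
        return ["value spans several lines"]
    try:
        key = json.loads(value)
    except ValueError:
        return ["value is not valid JSON"]
    if not isinstance(key, dict):
        return ["value is not a JSON object"]
    problems = ["missing field: " + f for f in REQUIRED if not key.get(f)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    pem = str(key.get("private_key", ""))
    if not (pem.startswith("-----BEGIN PRIVATE KEY-----\n")
            and pem.rstrip().endswith("-----END PRIVATE KEY-----")):
        problems.append("private_key is not PEM with real newlines")
    return problems

def write_key_file(value, path):
    """Write the key so that only the current user can read it (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(value)

# Constructed sample in the shape of key-file.json; not a real credential.
SAMPLE = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nQ09OU1RSVUNURUQ=\\n-----END PRIVATE KEY-----\\n",
  "client_email": "ci@example-project.iam.gserviceaccount.com",
  "client_id": "1",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""

if __name__ == "__main__":
    print(key_problems(flatten_key(SAMPLE)))
```

Run against the real value, `key_problems` returns an empty list when the key survived the flattening and the copy and paste intact.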
# Makefile
This `Makefile` uses the Google Cloud SDK Docker container and configures authentication using the `key-file.json` which you downloaded. Note:
- You could have mounted a `volume` with the file `key-file.json` but I've chosen not to.
- We've abstracted the authentication aspect into a variable, `COMMAND_GCLOUD_AUTHENTICATE`, that is used by `zones` and `pods`.
- We authorise Docker so pushing to Google Container Registry works, e.g. `docker push gcr.io/www-bana-io/www-bana-io:latest`. This is also why we mount the Docker socket, `-v /var/run/docker.sock:/var/run/docker.sock`.
- The flag `--quiet` runs `gcloud` in non-interactive mode. You want this when running in CI.
```makefile
# The key file is written before tracing is enabled: with `set -x` in front,
# bash would print the expanded key into the build log.
COMMAND_GCLOUD_AUTHENTICATE:=echo "$${GCLOUD_SERVICE_KEY}" > /tmp/gcloud-service-key.json \
	&& set -x \
	&& gcloud auth activate-service-account --key-file=/tmp/gcloud-service-key.json \
	&& gcloud --quiet config set project "circleci-google-cloud-sdk" \
	&& gcloud --quiet config set compute/zone "europe-west2-a" \
	&& gcloud --quiet container clusters get-credentials "circleci-google-cloud-sdk-cluster" --project="circleci-google-cloud-sdk" \
	&& gcloud --quiet auth configure-docker

# Authenticate inside the Cloud SDK container, then list the compute zones.
.PHONY: zones
zones:
	@echo -e "\033[92m ---> testing authentication \033[0m"
	@docker run --rm -it \
		-v /var/run/docker.sock:/var/run/docker.sock \
		-e GCLOUD_SERVICE_KEY='$(GCLOUD_SERVICE_KEY)' \
		google/cloud-sdk:latest \
		/bin/bash -c ' \
			$(COMMAND_GCLOUD_AUTHENTICATE) \
			&& gcloud compute zones list \
		'

# Authenticate inside the Cloud SDK container, then list the cluster's pods.
.PHONY: pods
pods:
	@echo -e "\033[92m ---> testing authentication \033[0m"
	@docker run --rm -it \
		-v /var/run/docker.sock:/var/run/docker.sock \
		-e GCLOUD_SERVICE_KEY='$(GCLOUD_SERVICE_KEY)' \
		google/cloud-sdk:latest \
		/bin/bash -c ' \
			$(COMMAND_GCLOUD_AUTHENTICATE) \
			&& kubectl get pods \
		'
```
# .circleci/config.yml
```yaml
version: 2
jobs:
  build:
    machine:
      enabled: true
      docker_layer_caching: true
    resource_class: xlarge
    working_directory: ~/circleci-google-cloud-sdk
    steps:
      - checkout:
          path: ~/circleci-google-cloud-sdk
      - run:
          name: pushing images
          environment:
            # output of this command:
            # $ cat key-file.json | awk '{print}' ORS=' '
            GCLOUD_SERVICE_KEY: GCLOUD_SERVICE_KEY
          command: |
            set -ueo pipefail
            make zones
            make pods
workflows:
  version: 2
  test-deploy:
    jobs:
      - build:
```