CircleCI: Authorizing the Google Cloud SDK

# Prerequisites

key-file.json:

```json
{
  "type": "service_account",
  "project_id": "project_id",
  "private_key_id": "private_key_id",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDY9QjNh89vZrS8\nKS1dNMqPRkVbefY9N5cMvw==\n-----END PRIVATE KEY-----\n",
  "client_email": "client_email",
  "client_id": "client_id",
  "auth_uri": "auth_uri",
  "token_uri": "token_uri",
  "auth_provider_x509_cert_url": "auth_provider_x509_cert_url",
  "client_x509_cert_url": "client_x509_cert_url"
}
```
  • If you're planning on deploying in your CircleCI job, you should convert this to a single line using:
```shell
cat key-file.json | awk '{print}' ORS=' ' | pbcopy
```

or if that does not work:

```shell
cat key-file.json | awk '{print}' ORS='\\n' | pbcopy
```

Then add an environment variable called GCLOUD_SERVICE_KEY with the output of the previous command as its value (a CTRL+V is enough, as pbcopy puts it on the clipboard).

# Makefile

This Makefile uses the Google Cloud SDK Docker container and configures authentication using the key-file.json which you downloaded. Note:

  • You could have mounted a volume with the file key-file.json but I've chosen not to.
  • We've abstracted the authentication aspect into a variable, COMMAND_GCLOUD_AUTHENTICATE, that is used by zones and pods.
  • We authorise Docker so pushing to Google Container Registry works, e.g., docker push gcr.io/www-bana-io/www-bana-io:latest. This is also why we mount the Docker socket, -v /var/run/docker.sock:/var/run/docker.sock.
  • The flag --quiet runs gcloud in non-interactive mode. You want this when running in CI.
```makefile
# The key file is written before `set -x` is enabled: tracing the echo would
# print the expanded service account key into the CI job log.
COMMAND_GCLOUD_AUTHENTICATE:=echo "$${GCLOUD_SERVICE_KEY}" > /tmp/gcloud-service-key.json \
	&& set -x \
	&& gcloud auth activate-service-account --key-file=/tmp/gcloud-service-key.json \
	&& gcloud --quiet config set project "circleci-google-cloud-sdk" \
	&& gcloud --quiet config set compute/zone "europe-west2-a" \
	&& gcloud --quiet container clusters get-credentials "circleci-google-cloud-sdk-cluster" --project="circleci-google-cloud-sdk" \
	&& gcloud --quiet auth configure-docker

# Authenticate, then list compute zones to confirm gcloud access works.
.PHONY: zones
zones:
	@echo -e "\033[92m  ---> testing authentication \033[0m"
	@docker run --rm -it \
		-v /var/run/docker.sock:/var/run/docker.sock \
		-e GCLOUD_SERVICE_KEY='$(GCLOUD_SERVICE_KEY)' \
		google/cloud-sdk:latest \
		/bin/bash -c ' \
      $(COMMAND_GCLOUD_AUTHENTICATE) \
      && gcloud compute zones list \
    '

# Authenticate, then list pods to confirm the cluster credentials work.
.PHONY: pods
pods:
	@echo -e "\033[92m  ---> testing authentication \033[0m"
	@docker run --rm -it \
		-v /var/run/docker.sock:/var/run/docker.sock \
		-e GCLOUD_SERVICE_KEY='$(GCLOUD_SERVICE_KEY)' \
		google/cloud-sdk:latest \
		/bin/bash -c ' \
      $(COMMAND_GCLOUD_AUTHENTICATE) \
      && kubectl get pods \
    '
```
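
An added example, not part of the original page: a shell function that turns GCLOUD_SERVICE_KEY into a key file without exposing it, plus a check showing that a plain echo of the variable under `set -x` copies the key into the trace while the function does not. The names write_service_key, trace_leaks_key and check, and the dummy key, are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: function names and the dummy key are constructed for illustration.

# Constructed stand-in for the single-line key; a real value comes from CI settings.
GCLOUD_SERVICE_KEY='{ "type": "service_account", "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-DUMMY\n-----END PRIVATE KEY-----\n" }'
export GCLOUD_SERVICE_KEY

# Write the key to a private temp file and print only that file's path.
# The body is a subshell, so turning xtrace off here does not change the caller.
write_service_key() (
  set +x   # nothing below is traced, whatever the caller's setting
  if [ -z "${GCLOUD_SERVICE_KEY:-}" ]; then
    echo "GCLOUD_SERVICE_KEY is not set" >&2
    exit 1
  fi
  case $GCLOUD_SERVICE_KEY in
    *'"service_account"'*'"private_key"'* | *'"private_key"'*'"service_account"'*) ;;
    *) echo "GCLOUD_SERVICE_KEY is not a service account key" >&2; exit 1 ;;
  esac
  key_file=$(mktemp) || exit 1   # mktemp creates the file with mode 0600
  printf '%s\n' "$GCLOUD_SERVICE_KEY" > "$key_file"
  printf '%s\n' "$key_file"
)

# Exit 0 if running snippet $1 under `set -x` writes the key fragment $2 to the
# trace (stderr), which in a CI job ends up in the build log.
trace_leaks_key() {
  ( set -x; eval "$1" ) 2>&1 >/dev/null | grep -qF -e "$2"
}

# Intended use in the CI step (gcloud call as on the page):
#   key_file=$(write_service_key) && trap 'rm -f "$key_file"' EXIT
#   gcloud auth activate-service-account --key-file="$key_file"
check() {
  if trace_leaks_key "$1" 'CONSTRUCTED-DUMMY'; then echo "LEAK   $1"
  else echo "clean  $1"; fi
}
check 'echo ${GCLOUD_SERVICE_KEY} > /dev/null'
check 'f=$(write_service_key) && rm -f "$f"'
```
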

# .circleci/config.yml

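```yaml
version: 2
jobs:
  build:
    machine:
      enabled: true
      docker_layer_caching: true
    resource_class: xlarge
    working_directory: ~/circleci-google-cloud-sdk
    steps:
      - checkout:
          path: ~/circleci-google-cloud-sdk
      - run:
          name: pushing images
          environment:
            # Placeholder for the output of this command:
            # $ cat key-file.json | awk '{print}' ORS=' '
            # A real key written here is committed with the repository; storing
            # it as a project environment variable in the CircleCI settings (and
            # dropping this entry) keeps it out of version control.
            GCLOUD_SERVICE_KEY: GCLOUD_SERVICE_KEY
          command: |
            set -ueo pipefail
            make zones
            make pods
workflows:
  version: 2
  test-deploy:
    jobs:
      - build:
```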

Last Updated: 9/30/2022, 6:21:49 PM