Authorizing the Google Cloud SDK

This document explains how to install and authorize the Google Cloud SDK in your primary container.

• Installing the Google Cloud SDK
• Creating and Storing a Service Account
  • Adding Granular Permissions
• Authenticating to Google Container Registry
• Authorizing the Google Cloud SDK

Overview

The Google Cloud SDK is a powerful set of tools that can be used to access Google Cloud Platform (GCP) services like Google Compute Engine and Google Kubernetes Engine. On CircleCI, the Google Cloud SDK is recommended to deploy your application to GCP products.

Prerequisites

• A CircleCI 2.0 project.
• A GCP project.

Installing the Google Cloud SDK

If Debian is an acceptable operating system for your primary container, consider using Google’s base Docker image. You can find this image on DockerHub as google/cloud-sdk.

Otherwise, follow the Google Cloud SDK installation instructions for your base image’s operating system.

Creating and Storing a Service Account

Before you can use any tools in the Google Cloud SDK, you must authorize gcloud. Google offers two types of authorization: user accounts and service accounts. Because you are installing the Cloud SDK on CircleCI, the service account is the appropriate choice.

1. Create a service account by following Steps 1-3 of Google’s instructions. Remember to download the JSON-formatted key file.

2. Add the key file to CircleCI as a project environment variable. In this example, the variable is named GCLOUD_SERVICE_KEY. Using this particular name is not required, but it will be used throughout the examples in this document.

3. For convenience, add two more environment variables to your CircleCI project:

   • GOOGLE_PROJECT_ID: the ID of your GCP project.
   • GOOGLE_COMPUTE_ZONE: the default compute zone.

Adding Granular Permissions

If you are having issues pushing container images to GCR you may need more granular permissions than the default service account provides. You can grant permission changes in the Cloud Storage IAM Console.

Refer to the Cloud Storage permission documentation to learn more about Identity and Access Management (IAM) permissions.

Authenticating to Google Container Registry

Depending on the base Docker image you chose, you may have to authenticate to the Google Container Registry.

If you are using Google’s public image (google/cloud-sdk), no authentication is needed.

version: 2
jobs:
  deploy:
    docker:
      - image: google/cloud-sdk

If you are using a custom image, you must authenticate to GCR. Use the auth key to specify credentials.

version: 2
jobs:
  deploy:
    docker:
      - image: gcr.io/project/<image-name>
        auth:
          username: _json_key  # default username when using a JSON key file to authenticate
          password: $GCLOUD_SERVICE_KEY  # JSON service account you created, do not encode to base64

Authorizing the Google Cloud SDK

Use gcloud to authorize the Google Cloud SDK and set several default settings.

version: 2
jobs:
  deploy:
    docker:
      - image: google/cloud-sdk
    steps:
      - run: |
          echo $GCLOUD_SERVICE_KEY | gcloud auth activate-service-account --key-file=-
          gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
          gcloud --quiet config set compute/zone ${GOOGLE_COMPUTE_ZONE}

Note: If you are using a custom base image, ensure that you have the most recent components by adding the following command before authorizing the SDK.

sudo gcloud --quiet components update