gcloud \ kubectl authentication problem: forget service account - google-cloud-platform

I'm using gcloud and kubectl to handle my resources (Kubernetes, VM and so on). Everything worked find until I read some article that created a new service account and activate it via cloud. Something like this:
gcloud auth activate-service-account --key-file=path/to/key
The created service account has limited permissions to few resources. When I run commands, like:
kubectl --namespace production get pods
I'm getting back response like:
Error from server (Forbidden): pods is forbidden: User
"SA-USER#PROGECTNAME.iam.gserviceaccount.com"
cannot list resource "pods" in API group "" in the namespace
"production": requires one of ["container.pods.list"] permission(s).
The SA SA-USER#PROGECTNAME.iam.gserviceaccount.com is the service account that I created yesterday. For some reason, it took control on my default permissions and I'm locked out because this user almost has no permissions.
I tried to make the gcloud forget this service account without success. Things I tried:
Uninstall & Install of gcloud and kubectl
Remove the config directory ("~/.config/gcloud/")
gcloud auth login
All those tried was failed. I still getting the same message as above.
How I can make gcloud and kubectl forget this service account?
Thanks!

UPDATE for the new auth plugin:
Some time ago, gke adopted the new auth plugin architecture for kubernetes.
In the new plugin gke-gcloud-auth-plugin, the authentication cache is at
macOS: ~/.kube/gke_gcloud_auth_plugin_cache
(Please edit this answer to include locations in others operation systems.)
You can just delete that file.
There is a problem with the expiration of the authentication token used by kubectl.
When you choose a new user via gcloud and make a kubectl request, an authentication token is cached locally.
A workaround is to edit your ~/.kube/config and set a date in the past for the expiry field on the relevant user section.

You can perform a gcloud auth application-default login
You can also see the current configuration of your gcloud CLI by doing gcloud config list. You can change some default parameter with gcloud config set param_name param_value. For example (because you will use often it if you have several projects)
gcloud config set project MyProjectId
With these, you will be able to solve your issue

Related

docker pull: Permission "artifactregistry.repositories.downloadArtifacts" denied on resource

How do I give a new service account this permission?
I have a VM with "Compute Engine default service account" and it works.
I changed the service account to one with just:
Artifact Registry Administrator
Artifact Registry Reader
and this results in the above error on docker pull.
Thanks
Check if you are correctly configured Docker to be able to pull and push images to Artifact registry : https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling
You also have to be sure you are using the expected Service Account in the place where you execute your command.
If you execute from you local machine and bash, check if you are connected on the expected Service Account with :
gcloud auth activate-service-account --key-file=your_key_file_path.json
export GOOGLE_APPLICATION_CREDENTIALS=your_key_file_path.json
The permissions you given to you Service Account seems to be corrects to execute the needed action.
This happens when you are trying to push/pull an image on a repository in which its specific hostname (associated with its repository location) is not yet added to the credential helper configuration for authentication.
For the gcloud credential helper or standalone credential helper, the Artifact Registry hosts you use must be in your Docker configuration file.
Artifact Registry does not automatically add all registry hosts to the Docker configuration file. Docker response time is significantly slower when there is a large number of configured registries. To minimize the number of registries in the configuration file, you add the hosts that you need to the file
You need to configure-docker while impersonating your service account ($SERVICE_ACCOUNT_EMAIL):
1. Run the following command to make sure you are still impersonating $SERVICE_ACCOUNT_EMAIL:
$ gcloud auth list
If the service account is not impersonated then run the following command:
$ gcloud auth activate-service-account \ "$SERVICE_ACCOUNT_EMAIL" \ --key-file=$SERVICE_ACCOUNT_JSON_FILE_PATH
2. Run the configure-docker command against the auth group:
$ gcloud auth configure-docker <location>-docker.pkg.dev
3. Finally, try pulling the Docker image again.
Refer Authenticating to a repository and stackpost for more information.

gcloud auth login does not update/identify my active account correctly for git usage

I have been trying to log with a new corporate account in order to push some code in gcp Cloud Repository. Despite all my attempts at logging in with the new user, somehow when I issue git push it still tells me
ERROR: Your current active account [old_email#domain.com] does not have any valid credentials
Please run:
$ gcloud auth login
to obtain new credentials.
For service account, please activate it first:
$ gcloud auth activate-service-account ACCOUNT
Run 'gcloud auth login' to log in.
Username for 'https://source.developers.google.com':
When I run gcloud auth list only the new corporate email <new_corporate_email>#domain.com is displayed.
Here are the steps I took
gcloud auth login
gcloud auth login --no-launch-browser
gcloud auth application-default login
gcloud config set account <new_corporate_email>#domain.com
git config --global user.email "<new_corporate_email>#domain.com"
Where is the current active account stored and how do I refresh its value? Could this be strictly a git issue?
I suspected it was a problem with git and its relationship with gcloud since I am using Google Cloud Source Repositories.
What I did was not solve this solution perse, but I offer you a workaround in case you get the same error. Here are the steps I applied to "fix" it:
I made sure I was logged with the right account on gcloud
I made sure that account had the right IAM rights within the GCP
project
I backed up my source repo (thankfully, only these few last changes
were missing from my remote repo)
I deleted the original local source code repo and recloned it using
gcloud
I took the changes from my backup folder via rsync
I tested a commit & push and it worked

getting get-credentials requires edit permission error on gcp

I'm trying to setup credentials for kubernetes on my local.
gcloud container clusters get-credentials ***** --zone **** --project elo-project-267109
This query works fine when I tried it from cloud shell, but I got this error when I tried run it from my terminal:
ERROR: (gcloud.container.clusters.get-credentials) get-credentials requires edit permission on elo-project-267109
I've tried this query from admin account as well as default service account also from new service account by assigning editor role and it still doesn't seem to work for me.
i am using macOs Mojave(10.14.6) and gcloud SDK version installed in my system is 274.0.1
i was able to resolve this issue on my local but i was actually trying to build a CI/CD from gitlab and the issue persists there, i have tried using gcloud(279.0.0) image version.
i am new to both gitlab and gcloud. i am trying to build CI/CD pipeline for the first time.
Do gcloud auth list to see which account are you logged into.
You need to login with the account which has the correct credentials to access the action that you're trying to perform.
To set the gcloud account: gcloud config set account <ACCOUNT>
It's turned out to be the image version mismatch issue on GitLab.

How to run gcloud command using given configuration of a service account

I have several gcloud service accounts and I'd like to add them to gcloud config configurations list. From what I could find on their doc, I could create different configurations using command gcloud config configurations create <config-name>. Then I did following to add a service account to my configuration list
gcloud config configurations activate <config-name>
gcloud config set account <service-account-email>
gcloud config configurations activate default
Seems like everything is fine. But when I try to deploy something it reports error
gcloud app deploy <some>.yaml --configurations <config-name>
ERROR: (gcloud.app.deploy) Your current active account [<service-account-email>] does not have any valid credentials
I have the credential file on hand but have no idea how to apply it. Any help would be appreciated.
You forgot to active your service account credentials:
gcloud auth activate-service-account username#development-123456.iam.gserviceaccount.com --key-file=service_account.json

Unable to connect to Google Container Engine

I've updated gcloud to the latest version (159.0.0)
I created a Google Container Engine node, and then followed the instructions in the prompt.
gcloud container clusters get-credentials prod --zone us-west1-b --project myproject
Fetching cluster endpoint and auth data.
kubeconfig entry generated for prod
kubectl proxy
Unable to connect to the server: error executing access token command
"/Users/me/Code/google-cloud-sdk/bin/gcloud ": exit status
Any idea why is it not able to connect?
You can try to run to see if the config was generated correctly:
kubectl config view
I had a similar issue when trying to run kubectl commands on a new Kubernetes cluster just created on Google Cloud Platform.
The solution for my case was to activate Google Application Default Credentials.
You can find a link below on how to activate it.
Basically, you need to set an environmental variable to the path of the .json with the credentials from GCP
GOOGLE_APPLICATION_CREDENTIALS -> c:\...\..\..Credentials.json exported from Google Cloud
https://developers.google.com/identity/protocols/application-default-credentials
I found this solution on a kuberenetes github issue: https://github.com/kubernetes/kubernetes/issues/30617
PS: make sure you have also set the environmental variables for:
%HOME% to %USERPROFILE%
%KUBECONFIG% to %USERPROFILE%
It looks like the default auth plugin for GKE might be buggy on windows. kubectl is trying to run gcloud to get a token to authenticate to your cluster. If you run kubectl config view you can see the command it tried to run, and run it yourself to see if/why it fails.
As Alexandru said, a workaround is to use Google Application Default Credentials. Actually, gcloud container has built in support for doing this, which you can toggle by setting a property:
gcloud config set container/use_application_default_credentials true
or set environment variable
%CLOUDSDK_CONTAINER_USE_APPLICATION_DEFAULT_CREDENTIALS% to true.
Using GKE, update the credentials from the "Kubernetes Engine/Cluster" management worked for me.
The cluster line provides "Connect" button that copy the credentials commands into console. And this refresh the used token. And then kubectl works again.
Why my token expired? well, i suppose GCP token are not eternal.
So, the button plays the same command automatically that :
gcloud container clusters get-credentials your-cluster ...
Bruno