Automated Google Cloud Platform Authentication

The gcp-auth addon automatically and dynamically configures pods to use your credentials, allowing applications to access Google Cloud services as if they were running within Google Cloud.

The addon defaults to using your environment’s Application Default Credentials, which you can configure with gcloud auth application-default login. Alternatively, you can specify a JSON credentials file (e.g. service account key) by setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to the location of that file.

The addon also defaults to using your local gcloud project, which you can configure with gcloud config set project <project name>. You can override this by setting the GOOGLE_CLOUD_PROJECT environment variable to the name of the desired project.

Once the addon is enabled, pods in your cluster will be configured with environment variables (e.g. GOOGLE_APPLICATION_DEFAULTS, GOOGLE_CLOUD_PROJECT) that are automatically used by GCP client libraries. Additionally, the addon configures registry pull secrets, allowing your cluster to access the container images hosted in Artifact Registry and Google Container Registry.

Tutorial

  • Start a cluster:
  1. minikube start
  1. 😄  minikube v1.12.0 on Darwin 10.15.5
  2.   Automatically selected the docker driver. Other choices: hyperkit, virtualbox
  3. 👍  Starting control plane node minikube in cluster minikube
  4. 🔥  Creating docker container (CPUs=2, Memory=3892MB) ...
  5. 🐳  Preparing Kubernetes v1.18.3 on Docker 19.03.2 ...
  6. 🔎  Verifying Kubernetes components...
  7. 🌟  Enabled addons: default-storageclass, storage-provisioner
  8. 🏄  Done! kubectl is now configured to use "minikube"
  • Enable the gcp-auth addon:
  1. minikube addons enable gcp-auth
  1. 🔎  Verifying gcp-auth addon...
  2. 📌  Your GCP credentials will now be mounted into every pod created in the minikube cluster.
  3. 📌  If you don't want credential mounted into a specific pod, add a label with the `gcp-auth-skip-secret` key to your pod configuration.
  4. 🌟  The 'gcp-auth' addon is enabled
  • For credentials in an arbitrary path:
  1. export GOOGLE_APPLICATION_CREDENTIALS=<creds-path>.json
  2. minikube addons enable gcp-auth
  • Deploy your GCP app as normal:
  1. kubectl apply -f test.yaml
  1. deployment.apps/pytest created

Everything should work as expected. You can run kubectl describe on your pods to see the environment variables we inject.

As explained in the output above, if you have a pod you don’t want to inject with your credentials, all you need to do is add the gcp-auth-skip-secret label:

  1. apiVersion: apps/v1
  2. kind: Deployment
  3. metadata:
  4.   name: pytest
  5. spec:
  6.   selector:
  7.     matchLabels:
  8.       app: pytest
  9.   replicas: 2
  10.   template:
  11.     metadata:
  12.       labels:
  13.         app: pytest
  14.         gcp-auth-skip-secret: "true"
  15.     spec:
  16.       containers:
  17.       - name: py-test
  18.         imagePullPolicy: Never
  19.         image: local-pytest
  20.         ports:
  21.           - containerPort: 80

Refreshing existing pods

Pods that were deployed to your minikube cluster before the gcp-auth addon was enabled will not be configured with GCP credentials. To resolve this problem, run:

minikube addons enable gcp-auth --refresh

Adding new namespaces

minikube v1.29.0+

Newly created namespaces automatically have the image pull secret configured, no action is required.

minikube v1.28.0 and before

Namespaces that are added after enabling gcp-auth addon will not be configured with the image pull secret. To resolve this problem, run:

minikube addons enable gcp-auth --refresh

Last modified February 27, 2023: site: Update GCP-Auth docs regarding new namespaces (4aa348106)