Authenticating to GKE without gcloud

Ahmet Alp Balkan
Jul 9, 2019 · 2 min read

If you’re using Google Kubernetes Engine and deploying to it from headless environments like CI/CD, you’re probably installing the gcloud command-line tool (perhaps every time you run a build). There's a way to authenticate to GKE clusters without the gcloud command-line tool!

The solution is to use static kubeconfig files that we craft ahead of time. To do this, you will still need:

  1. gcloud CLI (only on the development machine)
  2. Google credentials to authenticate you (a.k.a. a Service Account key).

Craft the static kubeconfig file

Set your cluster name and region/zone in a variable in a bash terminal:

GET_CMD="gcloud container clusters describe [CLUSTER] --zone=[ZONE]"

Running the following command block in bash will create a kubeconfig.yaml file by retrieving the cluster endpoint and CA certificate from gcloud:

cat > kubeconfig.yaml <<EOF
apiVersion: v1
kind: Config
current-context: my-cluster
contexts: [{name: my-cluster, context: {cluster: cluster-1, user: user-1}}]
users: [{name: user-1, user: {auth-provider: {name: gcp}}}]
clusters:
- name: cluster-1
  cluster:
    server: "https://$(eval "$GET_CMD --format='value(endpoint)'")"
    certificate-authority-data: "$(eval "$GET_CMD --format='value(masterAuth.clusterCaCertificate)'")"
EOF

This kubeconfig.yaml file does not contain secrets such as your credentials. It only points kubectl to your cluster. You can safely store this file in your git repository.

Note that you can actually rotate both this master IP address and CA certificate by triggering a manual rotation. If you do that, you need to re-generate this file. (This is the only downside to this approach.)
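As an added example (not code from the article), here is the same kubeconfig rendered from Python, with two checks a practitioner would want before committing the file: the CA value really is a base64-encoded PEM certificate, and the result carries none of the keys that would embed a credential. SAMPLE_CA_DATA is a constructed placeholder, not a real cluster CA.

```python
import base64
import re

# Keys that would embed a credential in a kubeconfig. A "static" kubeconfig
# meant for a git repository must not contain any of these.
SECRET_KEYS = ("token", "password", "client-key-data", "client-key",
               "client-certificate-data", "access-token", "id-token")

# Constructed placeholder standing in for gcloud's masterAuth.clusterCaCertificate.
SAMPLE_CA_DATA = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
).decode()


def build_kubeconfig(cluster_name, endpoint, ca_data):
    """Render the static kubeconfig the article builds with a heredoc.

    endpoint: the cluster master IP/hostname (gcloud's `endpoint` field).
    ca_data:  base64-encoded PEM CA (gcloud's `masterAuth.clusterCaCertificate`),
              passed through unchanged into certificate-authority-data.
    """
    pem = base64.b64decode(ca_data, validate=True)  # raises ValueError on bad base64
    if not pem.startswith(b"-----BEGIN CERTIFICATE-----"):
        raise ValueError("clusterCaCertificate is not a base64-encoded PEM certificate")
    if not re.fullmatch(r"[A-Za-z0-9.\-]+", endpoint):
        raise ValueError("endpoint must be a bare IP address or hostname")
    return (
        "apiVersion: v1\n"
        "kind: Config\n"
        f"current-context: {cluster_name}\n"
        f"contexts: [{{name: {cluster_name}, context: {{cluster: cluster-1, user: user-1}}}}]\n"
        "users: [{name: user-1, user: {auth-provider: {name: gcp}}}]\n"
        "clusters:\n"
        "- name: cluster-1\n"
        "  cluster:\n"
        f'    server: "https://{endpoint}"\n'
        f'    certificate-authority-data: "{ca_data}"\n'
    )


def embedded_secret_keys(kubeconfig_text):
    """Return the credential-bearing keys found in a kubeconfig (empty == safe to commit).

    Works on both block-style and flow-style YAML by matching `key:` tokens.
    """
    alternatives = "|".join(re.escape(k) for k in SECRET_KEYS)
    pattern = re.compile(r"(?<![\w-])(%s)\s*:" % alternatives)
    return sorted({m.group(1) for m in pattern.finditer(kubeconfig_text)})
```

Run embedded_secret_keys over any kubeconfig (for example in a pre-commit hook) and refuse the commit when the list is non-empty.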

Create a service account for headless authentication

  1. You will need to create a service account to authenticate to GKE from headless environments.
  2. Give this service account the IAM role you need. (For example, the “Kubernetes Engine Developer” role will let you deploy workloads to clusters.)
  3. Then, create a key file (.json) for the service account (this file is a secret, do not check it in to your repositories).

Using the kubeconfig file

Now, in an environment without gcloud, take this kubeconfig file, combine it with your Service Account key file, and authenticate to your GKE clusters by setting these environment variables:

export GOOGLE_APPLICATION_CREDENTIALS=service-account-key.json
export KUBECONFIG=kubeconfig.yaml
kubectl get nodes # You are authenticated if this works!

Setting GOOGLE_APPLICATION_CREDENTIALS for kubectl works just fine because the gcp auth plugin in kubectl uses the standard Google Cloud Go client libraries, which recognize this environment variable.

Hopefully, this nice trick can speed up your build environments by not having to maintain steps to install and configure the gcloud CLI.

This is not the only way to authenticate to GKE clusters without gcloud. You can also use Kubernetes service accounts to authenticate; perhaps we can explore this in another article.

Originally published at on July 9, 2019.

Google Cloud - Community

Google Cloud community articles and blogs

Written by Ahmet Alp Balkan, Artisanal developer experience curator at @GoogleCloud
