Add Google Cloud Platform Cloud Provider
You use a Harness Google Cloud Platform Cloud Provider to connect your Harness account to the Google Cloud Platform account where you will deploy your services.
You add Cloud Providers to your Harness Account and then reference them when defining deployment resources and environments.
In this topic:
- Before You Begin
- Review: Connecting to Kubernetes Clusters
- Step 1: Add the Cloud Provider
- Option 1: Inherit from Delegate
- Option 2: Select Encrypted Key
- Review: GCP Permissions Required for Kubernetes
- Review: Google GCS and GCR Requirements
- Review: Google Cloud Operations Suite (Stackdriver) Requirements
- Review: Proxies and GCP with Harness
- Artifact Support for Download and Copy
Before You Begin
Review: Connecting to Kubernetes Clusters
Harness includes a platform-agnostic Kubernetes Cluster Cloud Provider for connections to a Kubernetes cluster. This is the preferred method for connecting Harness to a target Kubernetes cluster.
See Add Kubernetes Cluster Cloud Provider.
Limitations
Harness supports GKE 1.19 and later.
Step 1: Add the Cloud Provider
To add a cloud provider to your Harness account, do the following:
- Click Setup, and then click Cloud Providers.
- Click Add Cloud Provider and select Google Cloud Platform.
The Add Google Cloud Platform Cloud Provider panel appears.
Option 1: Inherit from Delegate
Select this option to have the Cloud Provider inherit the default credentials used by the Harness Delegate running in GCP.
For example, if you installed the Harness Kubernetes Delegate in a Kubernetes cluster (GKE) that has GCP Workload Identity enabled, the Cloud Provider will inherit these credentials if it uses that Delegate.
To use Inherit from Delegate, do the following:
- Ensure a Harness Delegate is installed in your GCP project.
- Ensure the Harness Delegate host has the required credentials. See the different permissions required below.
- Add Delegate Selector(s) to the Harness Delegate. There are implicit Selectors that you can use, but it is best to add a custom selector. See Select Delegates for Specific Tasks with Selectors.
- In your Google Cloud Platform Cloud Provider, select Inherit from Delegate.
- In Delegate Selectors, select the Selector(s) attached to the Delegate(s) running in your GCP account.
- Click Test. You will see Test was successful unless there is a connectivity error, or the Delegate is disconnected. If it is disconnected, simply restart it.
If you want to set up certain credentials on the Delegate using Harness, you can run the commands in a Delegate Profile and attach that profile to the Delegate. See Run Scripts on Delegates using Profiles.
You can even add a Selector to the Profile, and then use that Selector in the Google Cloud Platform Cloud Provider. This ensures that any Google Cloud Platform Cloud Provider using that Selector is also using a Delegate with that Profile.
Option 2: Select Encrypted Key
- In Select Encrypted Key, select or create a new Harness Encrypted Text secret that contains the Google Cloud's Account Service Key File.
- To obtain the Google Cloud's Account Service Key File, see Creating and managing service account keys from Google (JSON is recommended).
- Once you have the key file from Google, open it, copy it, and paste it into the Harness Encrypted Text secret.
- Next, use that Harness Encrypted Text secret in Select Encrypted Key.
- Click Submit. The GCP cloud provider is added.
Review: GCP Permissions Required for Kubernetes
The GCP service account used for any credentials requires Kubernetes Engine Developer and Storage Object Viewer permissions.
- For steps to add roles to your service account, see Granting Roles to Service Accounts from Google. For more information, see Understanding Roles from GCP.
Harness supports GKE 1.19 and later. If you use a version prior to GKE 1.19, please enable Basic Authentication. If Basic authentication is inadequate for your security requirements, use the Kubernetes Cluster Connector.
Review: Google GCS and GCR Requirements
For Google Cloud Storage (GCS) and Google Container Registry (GCR), the following roles are required:
- Storage Object Viewer (roles/storage.objectViewer)
- Storage Object Admin (roles/storage.objectAdmin)
See Cloud IAM roles for Cloud Storage from GCP.
Artifact Support
See Service Types and Artifact Sources.
Review: Google Cloud Operations Suite (Stackdriver) Requirements
Most APM and logging tools are added to Harness as Verification Providers. For Google Cloud's operations suite (formerly Stackdriver), you use the Google Cloud Platform Cloud Provider.
Roles and Permissions
- Stackdriver Logs - The minimum role requirement is logging.viewer
- Stackdriver Metrics - The minimum role requirements are compute.networkViewer and monitoring.viewer.
See Access control from Google.
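The role requirements in the three Review sections above can be checked against a project's IAM policy before the Cloud Provider is tested. The following is an added example, not Harness code: it takes a policy in the shape returned by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports missing, conditional, and overly broad grants for one service account. The use-case names, the service account, and the sample policy are constructed for illustration.

```python
# Added example. Role IDs are the ones this page names; "Kubernetes Engine
# Developer" is roles/container.developer. Only the project-level policy is
# checked (bucket-level grants are out of scope for this sketch).
REQUIRED = {
    "kubernetes": {"roles/container.developer", "roles/storage.objectViewer"},
    "gcs_gcr": {"roles/storage.objectViewer", "roles/storage.objectAdmin"},
    "ops_logs": {"roles/logging.viewer"},
    "ops_metrics": {"roles/compute.networkViewer", "roles/monitoring.viewer"},
}
BROAD = {"roles/owner", "roles/editor"}  # basic roles, broader than any listed here


def roles_for(policy, member):
    """Split the roles bound to member into unconditional and conditional sets."""
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            target = conditional if binding.get("condition") else plain
            target.add(binding["role"])
    return plain, conditional


def audit(policy, service_account, use_cases):
    """Compare a service account's grants with what the chosen use cases need."""
    plain, conditional = roles_for(policy, f"serviceAccount:{service_account}")
    needed = set().union(*(REQUIRED[u] for u in use_cases))
    return {
        "missing": sorted(needed - plain - conditional),
        "conditional": sorted((needed & conditional) - plain),
        "broad": sorted((plain | conditional) & BROAD),
        "extra": sorted(plain - needed - BROAD),
    }


# Constructed sample policy and service account name (not from the page).
SA = "harness-deploy@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/container.developer", "members": [f"serviceAccount:{SA}"]},
    {"role": "roles/editor", "members": [f"serviceAccount:{SA}", "user:dev@example.com"]},
    {"role": "roles/logging.viewer", "members": [f"serviceAccount:{SA}"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
]}

if __name__ == "__main__":
    for key, roles in audit(SAMPLE_POLICY, SA, ["kubernetes", "ops_logs"]).items():
        print(f"{key}: {roles}")
```

A non-empty "broad" list means the credential Harness holds can do far more than deploy, and a "conditional" entry means the grant may lapse and break deployments later.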
Review: Proxies and GCP with Harness
If you are using a proxy server in your GCP account, but want to use GCP services with Harness, you need to set the following to not use your proxy:
- googleapis.com. See Proxy servers from Google.
- The token_uri value from your Google Service Account. See Creating service account keys from Google.
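One way to confirm both proxy exclusions before deploying, as an added example that is not part of the Harness documentation: the script reads the token_uri from a service account key file and checks that its host and googleapis.com are covered by a bypass list. It assumes the bypass list is a NO_PROXY-style comma-separated string matched by exact host or domain suffix; the key contents and host names are constructed.

```python
import json
from urllib.parse import urlsplit


def bypassed(host, no_proxy):
    """True if host matches an entry exactly or as a domain suffix (assumed semantics)."""
    host = host.lower().rstrip(".")
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().lstrip("*").lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def check_key_and_proxy(key_json, no_proxy):
    """Return a list of problems; an empty list means both exclusions are in place."""
    key = json.loads(key_json)
    problems = []
    if key.get("type") != "service_account":
        problems.append("not a service account key file")
    for field in ("client_email", "private_key", "token_uri"):
        if not key.get(field):
            problems.append(f"missing field: {field}")
    token = urlsplit(key.get("token_uri") or "")
    if token.hostname and token.scheme != "https":
        problems.append("token_uri is not https")
    hosts = ["googleapis.com"] + ([token.hostname] if token.hostname else [])
    for host in hosts:
        if not bypassed(host, no_proxy):
            problems.append(f"proxied: {host}")
    return problems


# Constructed key file contents; the private key is a placeholder, not a real key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "client_email": "harness-deploy@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    for no_proxy in ("localhost,.googleapis.com", "localhost,10.0.0.0/8"):
        print(no_proxy, "->", check_key_and_proxy(SAMPLE_KEY, no_proxy) or "ok")
```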