Add Google Cloud Platform Cloud Provider

Updated 2 months ago by Chakravarthy Tenneti

Connect the Google Cloud Platform cloud provider where you will deploy your services using Harness.

You add cloud providers to your Harness Account and then reference them when defining deployment environments.

Visual Summary

Here's an overview of the settings used to add Google Cloud Platform as a Cloud Provider in Harness.

Step 1: Add the Cloud Provider

To add a cloud provider to your Harness account, do the following:

  1. Click Setup, and then click Cloud Providers.
  2. Click Add Cloud Provider and select Google Cloud Platform.

The Add Google Cloud Platform Cloud Provider panel appears.

Step 2: Select Encrypted Key

  1. In Select Encrypted Key, select or create a Harness Encrypted Text secret that contains the Google Cloud service account key file.
    1. To obtain the service account key file, see Creating and managing service account keys from Google (the JSON format is recommended).
    2. Once you have the key file from Google, open it, copy its contents, and paste them into the Harness Encrypted Text secret.
    3. Then use that Harness Encrypted Text secret in Select Encrypted Key.
  2. Click Submit. The GCP cloud provider is added.

Review: GCP Permissions Required

  • The GCP service account requires the Kubernetes Engine Admin (GKE Admin) role to get the Kubernetes master username and password. Harness also requires Storage Object Viewer permissions.
  • When you attempt to connect to the Kubernetes cluster via GCP, the Kubernetes cluster must have Basic authentication enabled or the connection will fail. For more information, see Control plane security from GCP. From GCP:
    You can handle cluster authentication in Google Kubernetes Engine by using Cloud IAM as the identity provider. However, legacy username-and-password-based authentication is enabled by default in Google Kubernetes Engine. For enhanced authentication security, you should ensure that you have disabled Basic Authentication by setting an empty username and password for the MasterAuth configuration. In the same configuration, you can also disable the client certificate which ensures that you have one less key to think about when locking down access to your cluster.
  • If Basic authentication is inadequate for your security requirements, use the Kubernetes Cluster Cloud Provider.
  • While Harness recommends that you use the Kubernetes Cluster Cloud Provider for Kubernetes cluster deployments, to use a Kubernetes cluster on Google GKE through the Google Cloud Platform Cloud Provider, Harness requires Basic Authentication, a Client Certificate, or both to be enabled on the cluster:
    This is required because some API classes, such as the MasterAuth class, require HTTP basic authentication or client certificates.

For steps to add roles to your service account, see Granting Roles to Service Accounts from Google. For more information, see Understanding Roles from GCP.

Another option is to use a service account that has only the Storage Object Viewer permission needed to query GCR, and then use either an in-cluster Kubernetes Delegate or a direct Kubernetes Cluster Cloud Provider with the Kubernetes service account token for performing deployment.
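The two checks above (is legacy Basic Auth or client-certificate issuance still on for the GKE cluster, and does the service account carry roles beyond the minimum this topic lists) can be scripted against the JSON that gcloud emits. The following is an added example, not part of this topic or of Harness; the cluster description and IAM policy are constructed samples modelled on the shape of `gcloud container clusters describe --format=json` and `gcloud projects get-iam-policy --format=json` output, and the role IDs other than roles/storage.objectViewer and roles/storage.objectAdmin are assumed from the role names given on this page.

```python
import json

# Constructed sample shaped like `gcloud container clusters describe --format=json`.
# Values are invented; a real cluster with Basic Auth disabled has no username/password here.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "example-gke-cluster",
  "masterAuth": {
    "username": "admin",
    "password": "constructed-placeholder",
    "clientCertificateConfig": {"issueClientCertificate": true},
    "clusterCaCertificate": "PLACEHOLDER-BASE64-CA"
  }
}
""")

# Constructed sample shaped like `gcloud projects get-iam-policy --format=json`.
HARNESS_SA = "serviceAccount:harness@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/container.admin", "members": [HARNESS_SA]},
        {"role": "roles/storage.objectViewer", "members": [HARNESS_SA, "user:dev@example.com"]},
        {"role": "roles/owner", "members": [HARNESS_SA]},  # over-privileged, should be flagged
    ]
}

# Minimum roles this topic lists for the Harness service account. IDs other than the
# two storage roles are assumed from the role names on the page.
DOCUMENTED_ROLES = {
    "roles/container.admin",        # Kubernetes Engine Admin (GKE Admin)
    "roles/storage.objectViewer",   # Storage Object Viewer (GCR/GCS)
    "roles/storage.objectAdmin",    # Storage Object Admin (GCS)
    "roles/logging.viewer",         # Stackdriver Logs
    "roles/monitoring.viewer",      # Stackdriver Metrics
    "roles/compute.networkViewer",  # Stackdriver Metrics
}


def master_auth_status(cluster: dict) -> dict:
    """Report whether legacy Basic Auth and client-cert issuance are still enabled on a cluster."""
    auth = cluster.get("masterAuth", {})
    basic = bool(auth.get("username")) and bool(auth.get("password"))
    cert = bool(auth.get("clientCertificateConfig", {}).get("issueClientCertificate"))
    return {"basic_auth_enabled": basic, "client_cert_enabled": cert}


def excess_roles(policy: dict, member: str) -> set:
    """Return roles bound to `member` that go beyond the documented minimum set."""
    granted = {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}
    return granted - DOCUMENTED_ROLES
```

Run `master_auth_status` against a real cluster description before connecting through this Cloud Provider; if Basic Auth is disabled (as GCP recommends), the Kubernetes Cluster Cloud Provider is the path to take instead.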

Review: Google GCS and GCR Requirements

For Google Cloud Storage (GCS) and Google Container Registry (GCR), the following roles are required:

  • Storage Object Viewer (roles/storage.objectViewer)
  • Storage Object Admin (roles/storage.objectAdmin)

See Cloud IAM roles for Cloud Storage from GCP.

Review: Stackdriver Requirements

Most APM and logging tools are added to Harness as Verification Providers. For Stackdriver, you use the Google Cloud Platform Cloud Provider.

Roles and Permissions
  • Stackdriver Logs - The minimum role requirement is logging.viewer.
  • Stackdriver Metrics - The minimum role requirements are compute.networkViewer and monitoring.viewer.

See Access control from Google.
