Google Cloud Platform (GCP) connector settings reference

Use a Harness Google Cloud Platform (GCP) connector to integrate GCP with Harness. Use GCP with Harness to obtain artifacts, communicate with GCP services, provision infrastructure, deploy microservices, and manage other workloads.

You can use the GCP connector to connect to Kubernetes clusters in GCP. You can also use the platform-agnostic Kubernetes Cluster connector.

Role requirements

Certain roles are required in your GCP account, depending on how you are using the GCP connector.

GKE/Kubernetes role requirements

If you use the GCP connector to connect to GKE, the GCP service account used for any credentials requires:

  • Kubernetes Engine Developer (roles/container.clusterAdmin)
  • Storage Object Viewer (roles/storage.objectViewer)

For instructions on adding roles to your service account, go to the Google documentation on Granting Roles to Service Accounts. For more information about GCP roles, go to the GCP documentation on Understanding Roles.

Alternatively, you can use a service account that has only the Storage Object Viewer permission needed to query GCR, and then use either an in-cluster Kubernetes delegate or a direct Kubernetes Cluster Connector with the Kubernetes service account token to perform the deployment.

warning

Harness supports GKE 1.19 and later. If you use a version prior to GKE 1.19, please enable Basic Authentication. If Basic authentication is inadequate for your security requirements, use the Kubernetes Cluster Connector.

GCS and GCR role requirements

For Google Cloud Storage (GCS) and Google Container Registry (GCR), the following roles are required:

  • Storage Object Viewer (roles/storage.objectViewer)
  • Storage Object Admin (roles/storage.objectAdmin)

For more information, go to the GCP Artifact registry roles reference.

Ensure the Harness Delegate you have installed can reach storage.cloud.google.com and your GCR registry host, for example gcr.io. The registry host name is declared in your step settings. For example, you can declare it in the Host field in the Build and Push to GCR step settings.

GAR role requirements

For Google Artifact Registry, the following roles are required:

  • Artifact Registry Reader
  • Artifact Registry Writer

For more information, go to the GCP documentation about Configuring Roles for Artifact Registry.

Google Cloud Operations Suite (Stackdriver) requirements

Most APM and logging tools are added to Harness as Verification Providers. For Google Cloud's operations suite (formerly Stackdriver), use the GCP connector.

The following roles and permissions are required:

  • Stackdriver Logs: The minimum role requirement is Logs Viewer (logging.viewer)
  • Stackdriver Metrics: The minimum role requirements are Compute Network Viewer (compute.networkViewer) and Monitoring Viewer (monitoring.viewer).

For more information, go to the Google documentation on Access control.

Proxies and GCP with Harness

If you are using a proxy server in your GCP account, and you want to use GCP services with Harness, make sure the following items don't use your proxy:

  • googleapis.com: For details, go to the Google documentation on Proxy servers.
  • The token_uri value from your Google Service Account: For details, go to the Google documentation on Creating service account keys.

GCP connector settings

The GCP connector has the following settings.

Overview settings

  • Name: The unique name for the connector.
  • Id: Harness automatically creates an Id (Entity Identifier) based on the Name. You can change the Id during initial connector creation. Once saved, the Id can't be changed.
  • Description: Optional.
  • Tags: For information about tags, go to the Tags reference.

Details settings

Provide credentials that enable Harness to connect to your GCP account.

Specify credentials here

Select this option to use a GCP service account key.

You can store GCP service account keys as Harness Encrypted File Secrets.

To obtain your Google Cloud service account key file, go to the Google documentation on Creating and managing service account keys. JSON format is required.
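The following added example (not Harness code) checks that a service account key file has the shape a key-based GCP connector expects and derives the proxy bypass hosts described under "Proxies and GCP with Harness" (googleapis.com plus the key's own token_uri host). The key material below is a constructed placeholder, and the required-field list is an assumption based on the standard JSON key layout.

```python
import json
from urllib.parse import urlsplit

# Constructed sample in the layout of a GCP service account JSON key file.
# The private_key value is a placeholder, not real key material.
SAMPLE_KEY_JSON = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "harness-sa@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""

# Fields the connector needs to authenticate (assumed from the standard key layout).
REQUIRED_FIELDS = ("type", "project_id", "private_key", "client_email", "token_uri")


def missing_fields(key: dict) -> list:
    """Return the required fields that are absent from a parsed key."""
    return [name for name in REQUIRED_FIELDS if name not in key]


def load_service_account_key(text: str) -> dict:
    """Parse the JSON key file and reject keys that are not usable by the connector."""
    key = json.loads(text)
    missing = missing_fields(key)
    if missing:
        raise ValueError(f"service account key is missing fields: {missing}")
    if key["type"] != "service_account":
        raise ValueError(f"unexpected key type {key['type']!r}")
    if not key["private_key"].startswith("-----BEGIN"):
        raise ValueError("private_key does not look like a PEM block")
    return key


def proxy_bypass_hosts(key: dict) -> list:
    """Hosts that must not be routed through the proxy: googleapis.com and the token_uri host."""
    hosts = ["googleapis.com"]
    token_host = urlsplit(key["token_uri"]).hostname
    if token_host and token_host not in hosts:
        hosts.append(token_host)
    return hosts


def no_proxy_value(key: dict) -> str:
    """Comma-separated value suitable for a NO_PROXY-style bypass list."""
    return ",".join(proxy_bypass_hosts(key))
```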

Use the credentials of a specific Harness Delegate

Select this option to allow the connector to inherit its authentication credentials from the Harness Delegate that is running in GCP.

Learn more about credential inheritance
  • IAM role inheritance: The connector inherits the GCP IAM role assigned to the delegate in GCP, such as a Harness Kubernetes delegate running in Google Kubernetes Engine (GKE). Make sure the delegate has the IAM roles that your connector needs.
  • GCP workload identity: If you installed the Harness Kubernetes delegate in a Kubernetes cluster in GKE that has GCP Workload Identity enabled and uses the same service account and node pool annotation, then the Google Cloud Platform (GCP) connector inherits these credentials if it uses that delegate.
  • Role and policy changes: If you find that the IAM role associated with your GCP connector doesn't have the policies required by the GCP service you want to access, you can modify or change the role assigned to the Harness Delegate that your GCP connector is using. You may need to wait up to five minutes for the change to take effect.
  • See also:

OIDC

Select this option if you want to use OIDC.

Select Connectivity Mode

Select how you want Harness to communicate with GCP. The available options depend on what you chose for Details.

Connect through Harness Platform

With this option, Harness communicates with GCP over a direct, secure connection between Harness and GCP. This connectivity mode is required for Harness Cloud build infrastructure.

Connect through a Harness Delegate

With this option, Harness communicates with GCP indirectly through a Harness Delegate that is running in GCP. You must choose this option if you chose to inherit delegate credentials. If connecting through a Harness Delegate, select either:

  • Use any available Delegate: Harness selects an available delegate at runtime. To learn how Harness selects delegates, go to Delegate overview.
  • Only use Delegates with all of the following tags: Use Tags to match one or more suitable delegates. To learn more about Delegate tags, go to Use delegate selectors. You can select Install new Delegate to add a delegate without exiting connector configuration. For guidance on installing delegates, go to Delegate installation overview.

Use OpenID Connect (OIDC)

Select the Connect through Harness Platform for OIDC option to allow Harness to communicate directly with GCP through OIDC. This option uses OIDC authentication to access public cloud resources without secrets or credentials.

note

Currently, the OIDC connectivity mode is compatible with Harness Cloud build infrastructure only, and it is behind a feature flag. Contact Harness Support to enable the feature.

warning

Currently, the OIDC connectivity mode is not compatible with Google Cloud Functions. You can't deploy Google Cloud Functions with OIDC-enabled GCP connectors.

If accessing Google Cloud resources, use workload identity federation to grant short-term access to the Harness GCP connector. For instructions, go to Configure OIDC with GCP WIF for Harness Cloud builds.

Troubleshoot GCP connector errors

Go to Troubleshoot GCP connector errors.