Google Cloud Platform (GCP) Connector Settings Reference
The Harness Google Cloud Platform (GCP) Connector connects your Harness account to your GCP account.
You add Connectors to your Harness Account and then reference them when defining resources and environments.
In this topic:
- Kubernetes Role Requirements
- GCS and GCR Role Requirements
- Google Cloud Operations Suite (Stackdriver) Requirements
- Proxies and GCP with Harness
- GCP Connector Settings
- See Also
If you use the GCP Connector for Harness Kubernetes deployments, the GKE version in the target cluster must be less than GKE 1.19.
Basic authentication is deprecated and has been removed in GKE 1.19 and later. Harness uses Basic authentication during deployments to Kubernetes that use a GCP Connector.
Kubernetes Role Requirements
If you are using the GCP Connector to connect to GKE, the GCP service account used for any credentials requires the Kubernetes Engine Admin (GKE Admin) role to get the Kubernetes master username and password. Harness also requires Storage Object Viewer permissions.
- Basic authentication required: When you attempt to connect to the Kubernetes cluster via GCP, the Kubernetes cluster must have Basic authentication enabled or the connection will fail. For more information, see Control plane security from GCP, which states:
You can handle cluster authentication in Google Kubernetes Engine by using Cloud IAM as the identity provider. However, legacy username-and-password-based authentication is enabled by default in Google Kubernetes Engine. For enhanced authentication security, you should ensure that you have disabled Basic Authentication by setting an empty username and password for the MasterAuth configuration. In the same configuration, you can also disable the client certificate which ensures that you have one less key to think about when locking down access to your cluster.
- If Basic authentication is inadequate for your security requirements, use the Kubernetes Cluster Connector.
- While Harness recommends the Kubernetes Cluster Connector for Kubernetes cluster deployments, using a Kubernetes cluster on Google GKE through the GCP Connector requires Basic Authentication and/or Client Certificate to be enabled on the cluster. This is required because some API classes, such as the MasterAuth class, require HTTP basic authentication or client certificates.
GCS and GCR Role Requirements
For Google Cloud Storage (GCS) and Google Container Registry (GCR), the following roles are required:
- Storage Object Viewer (roles/storage.objectViewer)
- Storage Object Admin (roles/storage.objectAdmin)
See Cloud IAM roles for Cloud Storage from GCP.
Google Cloud Operations Suite (Stackdriver) Requirements
Most APM and logging tools are added to Harness as Verification Providers. For Google Cloud's operations suite (formerly Stackdriver), you use the GCP Connector.
Roles and Permissions
- Stackdriver Logs: the minimum role requirement is logging.viewer.
- Stackdriver Metrics: the minimum role requirements are compute.networkViewer and monitoring.viewer.
See Access control from Google.
Proxies and GCP with Harness
If you are using a proxy server in your GCP account but want to use GCP services with Harness, you need to exclude the following from your proxy:
- googleapis.com. See Proxy servers from Google.
- The host in the token_uri value from your Google Service Account key. See Creating service account keys from Google.
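The proxy exclusions above can be derived from the service account key file itself. The following Python snippet is an added example, not Harness code: it parses a constructed service account key (placeholder values, real field layout), checks the fields a connector depends on, and renders the hosts to bypass in NO_PROXY style, which is an assumed convention since the page does not state how the exclusion is configured.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Google service account key file (JSON format).
# Field names follow the real key layout; all values are placeholders.
SAMPLE_KEY = """{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "PLACEHOLDER_KEY_ID",
  "private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n",
  "client_email": "harness-deploy@example-project.iam.gserviceaccount.com",
  "client_id": "000000000000000000000",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token"
}"""

# Host the page says must always bypass the proxy, whatever the key contains.
ALWAYS_BYPASS = ("googleapis.com",)


def load_service_account_key(key_json: str) -> dict:
    """Parse the key file and check the fields a GCP Connector relies on."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key: type=%r" % key.get("type"))
    for field in ("client_email", "private_key", "token_uri"):
        if not key.get(field):
            raise ValueError("service account key is missing %r" % field)
    return key


def token_uri_host(key: dict) -> str:
    """Return only the hostname of token_uri; the path does not belong in a proxy bypass."""
    parsed = urlparse(key["token_uri"])
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("token_uri must be an https URL: %r" % key["token_uri"])
    return parsed.hostname


def no_proxy_hosts(key_json: str) -> list:
    """Hosts to exclude from the proxy: googleapis.com plus the token_uri host."""
    key = load_service_account_key(key_json)
    hosts = set(ALWAYS_BYPASS)
    hosts.add(token_uri_host(key))
    return sorted(hosts)


def no_proxy_env(key_json: str) -> str:
    """Render the bypass list as a comma-separated NO_PROXY-style value (assumed convention)."""
    return ",".join(no_proxy_hosts(key_json))


if __name__ == "__main__":
    print("NO_PROXY=" + no_proxy_env(SAMPLE_KEY))
```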
GCP Connector Settings
Name
The unique name for this Connector.
Tags
See Tags Reference.
Service Account Key
Select or create a new Harness Encrypted Text secret that contains the Google Cloud service account key file.
To obtain the service account key file, see Creating and managing service account keys from Google (JSON is recommended).
Once you have the key file from Google, open it, copy its contents, and paste them into the Harness Encrypted Text secret.
Next, select that Harness Encrypted Text secret in Service Account Key.