How to use gke-gcloud-auth-plugin with a gcloud service account key file?

Question

In CI, with gcp auth plugin I was using gcloud auth activate-service-account ***@developer.gserviceaccount.com --key-file ***.json prior to execute kubectl commands. Now with gke-gcloud-auth-plugin I can't find any equivalent to use a gcp service account key file. I've installed gke-gcloud-auth-plugin and gke-gcloud-auth-plugin --version is giving me Kube.netes v1.25.2-alpha+ae91c1fc0c443c464a4c878ffa2a4544483c6d1f Would you know if there's a way?

I tried to add this command: kubectl config set-credentials my-user --auth-provider=gcp But I still get:

error: The gcp auth plugin has been removed. Please use the "gke-gcloud-auth-plugin" kubectl/client-go credential plugin instead.

Answer 1

You will need to set the env variable to use the new plugin before doing the get-credentials :

export USE_GKE_GCLOUD_AUTH_PLUGIN=True
gcloud container clusters get-credentials $CLUSTER \
  --region $REGION \
  --project $PROJECT \
  --internal-ip

I would not have expected the env variable to still be required (now that the gcp auth plugin is completely deprecated) - but it seems it still is.

Your kubeconfig will end up looking like this if the new auth provider is in use.

...
- name: $NAME
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      installHint: Install gke-gcloud-auth-plugin for use with kubectl by following
        https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke
      provideClusterInfo: true