Use ansible to configure a Google Compute Instance created by ansible

Question

I'm using the gcp_compute_instance ansible module to create an instance, basically reproducing what's in this document. This works fine to create the instance but after the instance is created, I can't configure it with a different playbook because the instance doesn't recognize the service account as a valid ssh user. The error I get when I run the second playbook is

Failed to connect to the host via ssh: [email protected]: Permission denied (publickey).

I haven't found in any of the documents or tutorials on gce/ansible how to configure the ssh access to the newly created instance. All the documents kind of imply that it should just work with what you configured to actually create the instance, which is clearly not the case. What I tried was give the service account a role that has the permission compute.instances.osAdminLogin but there are still two pieces of information that I don't know.

1. What is the username to use to connect. My second playbook right now has remote_user set to the name of the service account but this is not working. How do I automatically configure this in ansible so that i can run both playbooks back to back without manual intervention?
2. How to associate the ssh key with the service account? using gcloud compute os-login ssh-keys add adds it to my personal account, not to the service account

Note that I can ssh into the instance using my personal account just fine, which uses the OS Login feature of GCE and my personal ssh key, but i want to run the second ansible playbook using a service account with its own ssh key, not my personal account so that I can share the whole process with other people or with a CI/CD service

Answer 1

the scripts in the document the op is following are broken. I have just spent about a day chasing this and the problem is that the instance ends up connected to the created network rather than the project default. It then doesn't matter about os_login or keys or firewall rules you just can't connect via either the cloud console or using SSH remotely. As a first step to remove this problem:

• remove the stanza that creates a network
• rewrite the ansible stanza that creates the instance:

- name: create a instance
    gcp_compute_instance:
      state: present
      name: "{{ system_name }}"
      machine_type: "{{ system_type }}"
      disks:
        - auto_delete: true
          boot: true
          source: "{{ disk }}"
      network_interfaces:
           - access_configs:
              - name: 'External NAT'
                nat_ip: "{{ address }}"
                type: 'ONE_TO_ONE_NAT'
      zone: "{{ zone }}"
      project: "{{ gcp_project }}"
      auth_kind: "{{ gcp_cred_kind }}"
      service_account_file: "{{ gcp_cred_file }}"
      scopes: 
         - "{{ gcp_scopes }}"
  register: instance

Of course once the vm is working and allowing ssh access. you can go back and assess whether the extra network is required and how to use it.

Answer 2

According to the document you are mentioning, you can use either Service account with the roles required to perform the operation or an account associated to the machine (GCE) which also is a service account.

You can achieve this by creating a service account. and generating a JSON key for this.