Running tasks on GCP hosts using service account

I have been playing with the GCP Inventory plugin and can now successfully view/list my GCE VM instances with my dynamic inventory file.
It looks like this:


```yaml
plugin: gcp_compute
projects:
  - my-project
filters:
  - ( name = "project-instance-1" ) OR
    ( name = "project-instance-2" ) OR
    ( name = "project-instance-3" ) OR
    ( name = "project-instance-4" )
auth_kind: serviceaccount
service_account_file: key.json
```

This is working just fine. When I run ansible-inventory, it shows the 4 instances that I filtered on.

My problem however is that when I try to run tasks on this inventory, it is giving me SSH connection errors. So it does not seem to use the given service account to actually connect to them.
Any task that I want to run fails on all the instances with this error:

```
fatal: []: UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: root@: Permission denied (publickey).",
    "unreachable": true
}
```

So apparently the inventory discovery is done through the service account just fine. But when I try to run tasks, it no longer seems to want to use that SA, but directly SSH as root user instead.
How can I make it so that the SA and its private key are used to set up the connection to the machine? So similar to:

```
gcloud config set account <sa_email>
gcloud compute ssh
```

I don’t see any GCP Connection Plugin listed, so I am not sure if something like this is even possible or if the GCP Inventory plugin only works with the gcp_* tasks?

You probably need to set the remote user to an account that allows
login, one way would be `ansible_user: the account`
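
One way to apply the suggestion above, as an added example that is not part of the original thread: the service account key authenticates only the inventory plugin's API calls, while SSH uses a separate login user and key supplied as host variables. The user `deploy`, the key path, and connecting over the instance's external IP are assumptions.

```yaml
# Added example. `deploy` and the key path are assumed placeholders.
plugin: gcp_compute
projects:
  - my-project
filters:
  - ( name = "project-instance-1" ) OR
    ( name = "project-instance-2" ) OR
    ( name = "project-instance-3" ) OR
    ( name = "project-instance-4" )

# Used only for the Compute Engine API calls that build the inventory.
# key.json is not an SSH key and is never offered to sshd.
auth_kind: serviceaccount
service_account_file: key.json

# Per-host connection variables for the SSH connection.
# Values are Jinja2 expressions, so string literals need the inner quotes.
compose:
  # Assumes each instance has an external IP on its first interface.
  ansible_host: networkInterfaces[0].accessConfigs[0].natIP
  # Assumed account whose public key is authorized on the instances.
  ansible_user: "'deploy'"
  # Assumed path to the matching private key on the control node.
  ansible_ssh_private_key_file: "'/path/to/ssh_private_key'"
```

Running `ansible-inventory --host` against one of the instances shows whether the three connection variables were set as intended before any task is attempted.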