5

I am using Bitbucket Pipelines to run a deploy script on preemptible machines on Compute Engine. I use the Google SDK and a service account with the Owner role, but I still can't SSH to the machine. This is what my bitbucket-pipelines.yml looks like:

    - echo $GCLOUD_API_KEYFILE | base64 --decode --ignore-garbage > ./gcloud-api-key.json
    - gcloud auth activate-service-account --key-file gcloud-api-key.json
    - gcloud config set project $GCLOUD_PROJECT
    - gcloud compute --project $GCLOUD_PROJECT ssh --zone "us-east1-c" $INSTANCE_NAME --command "./deploy"

I can see that I am able to successfully authenticate:

    Activated service account credentials for: [...]

but I am still failing to SSH to the instance:

    gcloud compute --project "..." ssh --zone "us-east1-c" "..." --command "..."
    WARNING: The public SSH key file for gcloud does not exist.
    WARNING: The private SSH key file for gcloud does not exist.
    WARNING: You do not have an SSH key for gcloud.
    WARNING: SSH keygen will be executed to generate a key.
    Generating public/private rsa key pair.
    Your identification has been saved in /root/.ssh/google_compute_engine.
    Your public key has been saved in /root/.ssh/google_compute_engine.pub.
    The key fingerprint is: ...
    ...
    Updating project ssh metadata...
    ................Updated [https://www.googleapis.com/compute/v1/projects/...].
    done.
    Waiting for SSH key to propagate.
    Warning: Permanently added '...' (RSA) to the list of known hosts.
    Permission denied (publickey).

Am I missing something? My understanding was that once I authenticate as a service account with permissions to perform SSH, the gcloud ssh command is supposed to work.

yabloki
  • This is a basic SSH issue, similar to: https://stackoverflow.com/questions/27535945/how-to-get-the-ssh-keys-for-a-new-google-compute-engine-instance?answertab=votes#tab-top – Asif Tanwir Sep 21 '18 at 17:36
  • Did you find the answer for this? I'm facing the same problem. – Caio Vertematti Aug 13 '19 at 15:03
  • I think I did, but I don't remember how. I'll update the answer if I recall the details – yabloki Aug 21 '19 at 16:57
  • My initial issue was that the service account needs roles/compute.osLogin as well as roles/iam.serviceAccountUser on the VM service account. I think I'm stuck granting permission for a bitbucket deployer service account to act as the VM service account. – Mark May 25 '22 at 01:45
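
A pre-flight check for the role bindings named in the last comment above, as an added example that is not part of the original thread: it reads the JSON printed by `gcloud projects get-iam-policy` and `gcloud iam service-accounts get-iam-policy` (both with `--format=json`) and reports whether the deployer account is bound to an OS Login role and to `roles/iam.serviceAccountUser`. It inspects direct, unconditional role bindings only, not effective permissions; the account names, the sample policies, accepting `roles/compute.osAdminLogin`, and treating Owner/Editor as too broad are assumptions.

```python
import json

# Roles taken from the comment above; every other name and value here is constructed.
LOGIN_ROLES = {"roles/compute.osLogin", "roles/compute.osAdminLogin"}
ACT_AS_ROLE = "roles/iam.serviceAccountUser"
BROAD_ROLES = {"roles/owner", "roles/editor"}  # assumption: too broad for a deployer

def roles_for(policy, member):
    """Roles that an IAM policy document binds directly and unconditionally to member."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}

def preflight(project_policy_json, vm_sa_policy_json, deployer_email):
    """Return findings; an empty list means both role bindings are in place."""
    member = "serviceAccount:" + deployer_email
    project_roles = roles_for(json.loads(project_policy_json), member)
    vm_sa_roles = roles_for(json.loads(vm_sa_policy_json), member)
    findings = []
    if not project_roles & LOGIN_ROLES:
        findings.append("no OS Login role bound directly on the project")
    # serviceAccountUser counts on the VM service account or, more broadly, on the project
    if ACT_AS_ROLE not in vm_sa_roles | project_roles:
        findings.append("no " + ACT_AS_ROLE + " binding covering the VM service account")
    for role in sorted(project_roles & BROAD_ROLES):
        findings.append("broad role " + role + " bound on the project")
    return findings

# Constructed sample policies (hypothetical project and account names).
DEPLOYER = "bitbucket-deployer@example-project.iam.gserviceaccount.com"
OWNER_ONLY = json.dumps({"bindings": [
    {"role": "roles/owner", "members": ["serviceAccount:" + DEPLOYER]}]})
SCOPED = json.dumps({"bindings": [
    {"role": "roles/compute.osLogin", "members": ["serviceAccount:" + DEPLOYER]}]})
VM_SA_EMPTY = json.dumps({"etag": "ACAB"})
VM_SA_GRANTED = json.dumps({"bindings": [
    {"role": ACT_AS_ROLE, "members": ["serviceAccount:" + DEPLOYER]}]})

if __name__ == "__main__":
    for label, proj, vm in [("owner only", OWNER_ONLY, VM_SA_EMPTY),
                            ("scoped roles", SCOPED, VM_SA_GRANTED)]:
        print(label, "->", preflight(proj, vm, DEPLOYER) or "ok")
```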

1 Answer

0
  • This is a basic SSH issue,
  • Please check this thread [1].

[1] How to get the ssh keys for a new Google Compute Engine instance?

Asif Tanwir
  • Hey, thanks for the help. I read the thread but could not understand what I am doing wrong. As you stated in the thread: "If you don't already have SSH keys, it will prompt you to create them and then connect to the instance." AFAIU that is what is happening when I see these log lines: "WARNING: You do not have an SSH key for gcloud.", "WARNING: SSH keygen will be executed to generate a key.", "Waiting for SSH key to propagate". I still can't connect afterwards. – yabloki Oct 01 '18 at 09:48