Greetings All,

I'm hoping the community can help with the issue I'm experiencing.  I'm 
attempting to set up a dynamic inventory using this doc:
http://docs.ansible.com/ansible/guide_gce.html

So far I'm not having any success, as it seems that each error leads to 
another, and down the rabbit hole I go....

Error:
~/ansible/inventory$ ./gce.py --list
Traceback (most recent call last):
  File "./gce.py", line 484, in <module>
    GceInventory()
  File "./gce.py", line 161, in __init__
    self.driver = self.get_gce_driver()
  File "./gce.py", line 304, in get_gce_driver
    gce = get_driver(Provider.GCE)(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 1058, in __init__
    self.zone_list = self.ex_list_zones()
  File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 1790, in ex_list_zones
    response = self.connection.request(request, method='GET').object
  File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 120, in request
    response = super(GCEConnection, self).request(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/libcloud/common/google.py", line 718, in request
    *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/libcloud/common/base.py", line 797, in request
    response = responseCls(**kwargs)
  File "/usr/lib/python2.7/dist-packages/libcloud/common/base.py", line 145, in __init__
    self.object = self.parse_body()
  File "/usr/lib/python2.7/dist-packages/libcloud/common/google.py", line 287, in parse_body
    raise GoogleBaseError(message, self.status, code)
libcloud.common.google.GoogleBaseError: {'domain': 'global', 'message': 'Insufficient Permission', 'reason': 'insufficientPermissions'}

I don't understand why there are insufficient permissions.  I've created a 
service account which I initialized in the instance and I can successfully 
use the gcloud cli.

Example:
~/ansible/inventory$ gcloud auth list
Credentialed Accounts:
 - [email protected]
 - b*******@REDACTED.iam.gserviceaccount.com ACTIVE
To set the active account, run:
    $ gcloud config set account `ACCOUNT`

~/ansible/inventory$ gcloud compute instances list
NAME   ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP  STATUS
jump   us-east1-b  f1-micro                   10.142.0.2   REDACTED     RUNNING
inst1  us-east1-b  f1-micro                   10.142.0.3                RUNNING
inst2  us-east1-b  f1-micro                   10.142.0.4                RUNNING
inst3  us-east1-b  f1-micro                   10.142.0.5                RUNNING


~/ansible/inventory$ cat secrets.py
GCE_PARAMS = ('', '')
GCE_KEYWORD_PARAMS = {'project': 'REDACTED', 'datacenter': 'us-east1-b'}

The docs say you can leave the GCE_PARAMS blank if you are doing this from 
an instance within the project.  I've tried both ways and I can't get past 
this permissions issue.  I've made the service account owner and it hasn't 
helped.

~/ansible/inventory$ cat gce.ini
[gce]
libcloud_secrets = /home/REDACTED/ansible/inventory/secrets.py

# If you are not going to use a 'secrets.py' file, you can set the necessary
# authorization parameters here.
#gce_service_account_email_address = b*******@REDACTED.iam.gserviceaccount.com
#gce_service_account_pem_file_path = /home/REDACTED/S********************a.json
#gce_project_id = "REDACTED"
#gce_zone = https://www.googleapis.com/compute/v1/projects/REDACTED/zones/us-east1-b

Note:  The above parameters are commented out because I am using 
secrets.py.  I've tried with just these values alone and commenting out the 
"libcloud_secrets" but that didn't help.

~/ansible/inventory$ echo $GCE_INI_PATH
/home/REDACTED/ansible/inventory/gce.ini   <---tried both with only the path and also the filename and same result

Is there a definitive guide posted by Google on the exact steps to make 
this work?  A dynamic inventory isn't mission critical but it would 
certainly make life easier down the road when I start automating instance 
deployment.  It seems like this is taking too much effort to get right and 
there has to be a simple way to make this work.  Between this ansible doc 
and the commented info in the gce.ini there is conflicting info.

For craps and giggles I used this openssl command to convert a newly 
created key for the same service account to *.pem.  I then entered this 
info into the secrets.py and attempted to run the ./gce.py --list again and 
it still failed.  Same error.  Sigh....

openssl pkcs12 -in pkey.pkcs12 -passin pass:notasecret -nodes -nocerts | 
openssl rsa -out pkey.pem

~/ansible/inventory$ cat secrets.py
GCE_PARAMS = ('b*******@REDACTED.iam.gserviceaccount.com', 
'/home/REDACTED/servkey.pem')
GCE_KEYWORD_PARAMS = {'project': 'REDACTED', 'datacenter': 'us-east1-b'}

@Eric Johnson:  Are you out there?  :)  Help!  This should be much simpler. 
I'll draft a how-to doc and send it to you for peer review if you help me 
get past this hump.  If it is good enough, maybe it can be posted online so 
others don't fight with this.  Maybe no one really cares enough and that is 
why I don't see enough answers to this problem.  Is there any debugging 
option I can turn on to get more info on these errors?
