From the gce.ini:

# The GCE inventory script has the following dependencies:
#   1. A valid Google Cloud Platform account with Google Compute Engine
#      enabled. See https://cloud.google.com
#   2. An OAuth2 Service Account flow should be enabled. This will generate
#      a private key file that the inventory script will use for API request
#      authorization. See https://developers.google.com/accounts/docs/OAuth2
#   3. Convert the private key from PKCS12 to PEM format
#      $ openssl pkcs12 -in pkey.pkcs12 -passin pass:notasecret \
#      > -nodes -nocerts | openssl rsa -out pkey.pem
#   4. The libcloud (>=0.13.3) python libray. See http://libcloud.apache.org
#
# (See ansible/test/gce_tests.py comments for full install instructions)

So a better question to ask is..... Where is the "ansible/test/gce_tests.py" file? I've searched but this referenced file is not found. I'm going to start from the beginning referencing the steps in the file that is supposed to have the full install instructions.

<https://lh3.googleusercontent.com/-th3AssO3urs/WPoSpUeyHQI/AAAAAAAAAAw/_8CIjVLde8Egw88vtIU5SmGT5xhj654XwCLcB/s1600/gce_tests_not_found.PNG>

On Thursday, April 20, 2017 at 9:12:31 PM UTC-4, Ned Studious wrote:
>
> Greetings All,
>
> I'm hoping the community can help with the issue I'm experiencing. I'm
> attempting to set up a dynamic inventory using this doc:
> http://docs.ansible.com/ansible/guide_gce.html
>
> So far I'm not having any success as it seems that each error leads to
> another down the rabbit hole I go....
>
> Error:
> ~/ansible/inventory$ ./gce.py --list
> Traceback (most recent call last):
>   File "./gce.py", line 484, in <module>
>     GceInventory()
>   File "./gce.py", line 161, in __init__
>     self.driver = self.get_gce_driver()
>   File "./gce.py", line 304, in get_gce_driver
>     gce = get_driver(Provider.GCE)(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 1058, in __init__
>     self.zone_list = self.ex_list_zones()
>   File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 1790, in ex_list_zones
>     response = self.connection.request(request, method='GET').object
>   File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 120, in request
>     response = super(GCEConnection, self).request(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/google.py", line 718, in request
>     *args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/base.py", line 797, in request
>     response = responseCls(**kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/base.py", line 145, in __init__
>     self.object = self.parse_body()
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/google.py", line 287, in parse_body
>     raise GoogleBaseError(message, self.status, code)
> libcloud.common.google.GoogleBaseError: {'domain': 'global', 'message': 'Insufficient Permission', 'reason': 'insufficientPermissions'}
>
> I don't understand why there is insufficient permissions. I've created a
> service account which I initialized in the instance and I can successfully
> use the gcloud cli.
>
> Example:
> ~/ansible/inventory$ gcloud auth list
> Credentialed Accounts:
>  - [email protected]
>  - b*******@REDACTED.iam.gserviceaccount.com ACTIVE
> To set the active account, run:
>  $ gcloud config set account `ACCOUNT`
>
> ~/ansible/inventory$ gcloud compute instances list
> NAME   ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP  STATUS
> jump   us-east1-b  f1-micro                   10.142.0.2   REDACTED     RUNNING
> inst1  us-east1-b  f1-micro                   10.142.0.3                RUNNING
> inst2  us-east1-b  f1-micro                   10.142.0.4                RUNNING
> inst3  us-east1-b  f1-micro                   10.142.0.5                RUNNING
>
> ~/ansible/inventory$ cat secrets.py
> GCE_PARAMS = ('', '')
> GCE_KEYWORD_PARAMS = {'project': 'REDACTED', 'datacenter': 'us-east1-b'}
>
> The docs say you can leave the GCE_PARAMS blank if you are doing this
> from an instance within the project. I've tried both ways and I can't get
> past this permissions issue. I've made the service account owner and it
> hasn't helped.
>
> ~/ansible/inventory$ cat gce.ini
> [gce]
> libcloud_secrets = /home/REDACTED/ansible/inventory/secrets.py
>
> # If you are not going to use a 'secrets.py' file, you can set the necessary
> # authorization parameters here.
> #gce_service_account_email_address = b*******@REDACTED.iam.gserviceaccount.com
> #gce_service_account_pem_file_path = /home/REDACTED/S********************a.json
> #gce_project_id = "REDACTED"
> #gce_zone = https://www.googleapis.com/compute/v1/projects/REDACTED/zones/us-east1-b
>
> Note: The above parameters are commented out because I am using
> secrets.py. I've tried with just these values alone and commenting out the
> "libcloud_secrets" but that didn't help.
>
> ~/ansible/inventory$ echo $GCE_INI_PATH
> /home/REDACTED/ansible/inventory/gce.ini <---tried both with only the
> path and also the filename and same result
>
> Is there a definitive guide posted by Google on the exact steps to make
> this work? A dynamic inventory isn't mission critical but it would
> certainly make life easier down the road when I start automating instance
> deployment. It seems like this is taking too much effort to get right and
> there has to be a simple way to make this work. Between this ansible doc
> and the commented info in the gce.ini there is conflicting info.
>
> For craps and giggles I used this openssl command to convert a newly
> created key for the same service account to *.pem. I then entered this
> info into the secrets.py and attempted to run the ./gce.py --list again and
> it still failed. Same error. Sigh....
>
> openssl pkcs12 -in pkey.pkcs12 -passin pass:notasecret -nodes -nocerts | openssl rsa -out pkey.pem
>
> ~/ansible/inventory$ cat secrets.py
> GCE_PARAMS = ('b*******@REDACTED.iam.gserviceaccount.com', '/home/REDACTED/servkey.pem')
> GCE_KEYWORD_PARAMS = {'project': 'REDACTED', 'datacenter': 'us-east1-b'}
>
> @Eric Johnson: Are you out there? :) Help! This should be much
> simpler. I'll draft a how to doc and send it to you for peer review if you
> help me get past this hump. If it is good enough, maybe it can be posted
> online so others don't fight with this. Maybe no one really cares enough
> and that is why I don't see enough answers to this problem. Is there any
> debugging option I can turn on to get more info on these errors?
>
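
A preflight check for the service-account key file named in `GCE_PARAMS`, as an added example that is not part of the original post or of gce.py: it labels the file as PEM, JSON or binary DER (such as a PKCS12 that was never converted) and flags permissions that let other local users read the unencrypted private key. The function names and sample bytes are constructed for illustration.

```python
import json
import os
import stat
import tempfile

PEM_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")

def classify_key(data):
    """Return a coarse label for the bytes of a service-account key file."""
    head = data.lstrip()
    if any(head.startswith(m) for m in PEM_MARKERS):
        return "pem"
    if head.startswith(b"{"):
        try:
            doc = json.loads(head.decode("utf-8"))
        except ValueError:
            return "unknown"
        # Google JSON keys carry the PEM key and the account e-mail as fields.
        if isinstance(doc, dict) and {"private_key", "client_email"} <= set(doc):
            return "json"
        return "unknown"
    if data[:1] == b"\x30":  # ASN.1 SEQUENCE: binary DER, e.g. unconverted PKCS12
        return "der"
    return "unknown"

def check_key_file(path):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key accessible by group/other (mode %04o); use 0600" % mode)
    with open(path, "rb") as fh:
        kind = classify_key(fh.read())
    if kind == "der":
        findings.append("binary DER file; convert PKCS12 to PEM first")
    elif kind == "unknown":
        findings.append("not a recognisable PEM or JSON key")
    return findings

def demo():
    """Write a constructed (fake) PEM file with loose permissions and check it."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(fh.name, 0o644)
    loose = check_key_file(fh.name)
    os.chmod(fh.name, 0o600)
    tight = check_key_file(fh.name)
    os.unlink(fh.name)
    return loose, tight
```

The check only inspects the file's header and mode; it does not validate the key material or the account's API permissions.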
