Hi Ned,

Sorry to hear that you're having issues with the dynamic inventory.  First 
things to confirm:

* Compute Instance API enabled?
* (If you're running on a GCE VM) the scopes of the VM/Role permissions of 
the service account
* Versions of ansible and libcloud (various bugs have been fixed, so the 
versions are important to note)

For debugging, you can do the following:
export LIBCLOUD_DEBUG=/tmp/my-logfile.log

Which will dump out the HTTP traffic, including curl commands you can run 
right at the command line (with tokens embedded, so they work).

Let us know how it goes.

Thanks,

Tom


On Thursday, April 20, 2017 at 6:12:31 PM UTC-7, Ned Studious wrote:
>
> Greetings All,
>
> I'm hoping the community can help with the issue I'm experiencing.  I'm 
> attempting to set up a dynamic inventory using this doc:
> http://docs.ansible.com/ansible/guide_gce.html
>
> So far I'm not having any success as it seems that each error leads to 
> another down the rabbit hole I go....
>
> Error:
> ~/ansible/inventory$ ./gce.py --list
> Traceback (most recent call last):
>   File "./gce.py", line 484, in <module>
>     GceInventory()
>   File "./gce.py", line 161, in __init__
>     self.driver = self.get_gce_driver()
>   File "./gce.py", line 304, in get_gce_driver
>     gce = get_driver(Provider.GCE)(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 1058, in __init__
>     self.zone_list = self.ex_list_zones()
>   File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 1790, in ex_list_zones
>     response = self.connection.request(request, method='GET').object
>   File "/usr/lib/python2.7/dist-packages/libcloud/compute/drivers/gce.py", line 120, in request
>     response = super(GCEConnection, self).request(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/google.py", line 718, in request
>     *args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/base.py", line 797, in request
>     response = responseCls(**kwargs)
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/base.py", line 145, in __init__
>     self.object = self.parse_body()
>   File "/usr/lib/python2.7/dist-packages/libcloud/common/google.py", line 287, in parse_body
>     raise GoogleBaseError(message, self.status, code)
> libcloud.common.google.GoogleBaseError: {'domain': 'global', 'message': 'Insufficient Permission', 'reason': 'insufficientPermissions'}
>
> I don't understand why there are insufficient permissions.  I've created a 
> service account which I initialized in the instance and I can successfully 
> use the gcloud cli.
>
> Example:
> ~/ansible/inventory$ gcloud auth list
> Credentialed Accounts:
>  - [email protected]
>  - b*******@REDACTED.iam.gserviceaccount.com ACTIVE
> To set the active account, run:
>     $ gcloud config set account `ACCOUNT`
>
> ~/ansible/inventory$ gcloud compute instances list
> NAME   ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP  STATUS
> jump   us-east1-b  f1-micro                   10.142.0.2   REDACTED     RUNNING
> inst1  us-east1-b  f1-micro                   10.142.0.3                RUNNING
> inst2  us-east1-b  f1-micro                   10.142.0.4                RUNNING
> inst3  us-east1-b  f1-micro                   10.142.0.5                RUNNING
>
>
> ~/ansible/inventory$ cat secrets.py
> GCE_PARAMS = ('', '')
> GCE_KEYWORD_PARAMS = {'project': 'REDACTED', 'datacenter': 'us-east1-b'}
>
> The docs say you can leave the GCE_PARAMS blank if you are doing this 
> from an instance within the project.  I've tried both ways and I can't get 
> past this permissions issue.  I've made the service account owner and it 
> hasn't helped.
>
> ~/ansible/inventory$ cat gce.ini
> [gce]
> libcloud_secrets = /home/REDACTED/ansible/inventory/secrets.py
>
> # If you are not going to use a 'secrets.py' file, you can set the necessary
> # authorization parameters here.
> #gce_service_account_email_address = b*******@REDACTED.iam.gserviceaccount.com
> #gce_service_account_pem_file_path = /home/REDACTED/S********************a.json
> #gce_project_id = "REDACTED"
> #gce_zone = https://www.googleapis.com/compute/v1/projects/REDACTED/zones/us-east1-b
>
> Note:  The above parameters are commented out because I am using 
> secrets.py.  I've tried with just these values alone and commenting out the 
> "libcloud_secrets" but that didn't help.
>
> ~/ansible/inventory$ echo $GCE_INI_PATH
> /home/REDACTED/ansible/inventory/gce.ini   <---tried both with only the 
> path and also the filename and same result
>
> Is there a definitive guide posted by Google on the exact steps to make 
> this work?  A dynamic inventory isn't mission critical but it would 
> certainly make life easier down the road when I start automating instance 
> deployment.  It seems like this is taking too much effort to get right and 
> there has to be a simple way to make this work.  Between this ansible doc 
> and the commented info in the gce.ini there is conflicting info.
>
> For craps and giggles I used this openssl command to convert a newly 
> created key for the same service account to *.pem.  I then entered this 
> info into the secrets.py and attempted to run the ./gce.py --list again and 
> it still failed.  Same error.  Sigh....
>
> openssl pkcs12 -in pkey.pkcs12 -passin pass:notasecret -nodes -nocerts | 
> openssl rsa -out pkey.pem
>
> ~/ansible/inventory$ cat secrets.py
> GCE_PARAMS = ('b*******@REDACTED.iam.gserviceaccount.com', 
> '/home/REDACTED/servkey.pem')
> GCE_KEYWORD_PARAMS = {'project': 'REDACTED', 'datacenter': 'us-east1-b'}
>
> @Eric Johnson:  Are you out there?  :)  Help!  This should be much 
> simpler.  I'll draft a how to doc and send it to you for peer review if you 
> help me get past this hump.  If it is good enough, maybe it can be posted 
> online so others don't fight with this.  Maybe no one really cares enough 
> and that is why I don't see enough answers to this problem.  Is there any 
> debugging option I can turn on to get more info on these errors?
>
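
The VM-scope check and the LIBCLOUD_DEBUG log from the reply above, as an added shell example (not part of the original emails): it tests whether a VM's access scopes include one that permits Compute API reads, and masks the embedded tokens in a debug log before it is shared. The function names are hypothetical, the accepted scope list and the logged line format are assumptions, and the test inputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Ansible/libcloud.

# Assumption: any one of these OAuth scopes permits the read-only Compute
# API calls that gce.py makes (such as listing zones).
COMPUTE_SCOPES='auth/(cloud-platform|compute|compute\.readonly)$'

# Print the access scopes granted to the VM's default service account.
# Works only on a GCE VM, because it queries the metadata server.
vm_scopes() {
  curl -s -H 'Metadata-Flavor: Google' \
    'http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/scopes'
}

# Read one scope URL per line on stdin. Print the first scope that grants
# Compute API access and return 0; return 1 if none does.
compute_scope_granted() {
  grep -E -m1 "^https://www\.googleapis\.com/${COMPUTE_SCOPES}"
}

# Filter a LIBCLOUD_DEBUG log on stdin: mask OAuth bearer tokens in the
# logged curl commands and access_token values in logged JSON bodies.
# Assumption: tokens appear as "Authorization: Bearer <token>" headers.
redact_libcloud_log() {
  sed -E \
    -e "s/(Authorization: Bearer )[^'\" ]+/\1[REDACTED]/g" \
    -e 's/("access_token"[[:space:]]*:[[:space:]]*")[^"]+/\1[REDACTED]/g'
}

# Usage on a GCE VM:
#   vm_scopes | compute_scope_granted || echo "no Compute scope on this VM"
#   redact_libcloud_log < /tmp/my-logfile.log > /tmp/my-logfile.redacted.log
```

Access scopes are fixed when the VM is created or while it is stopped, so an IAM role on the service account does not widen a token obtained from the metadata server.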
