Say, did you ever find a better solution here? Because I've run into the same problem recently, and...well, it's ugly.
I saw that this ticket had been filed against Ansible: https://github.com/ansible/ansible/issues/66310

...but was auto-closed by ansibot when all this stuff got moved to the GCP collection. So I've filed my own feature request against that repo: https://github.com/ansible-collections/google.cloud/issues/373

We'll see if anybody picks it up over there. My sense is that a number of folks have had the Ansible-over-IAP problem; one of these days, GCP really ought to support a proper solution...

On Monday, November 25, 2019 at 12:16:11 PM UTC-6 [email protected] wrote:

> I am required to tunnel through IAP with service account credentials.
>
> I have overridden my ssh binary, ‘ssh_executable=script.sh’, creating a
> ‘gcloud compute ssh xxxx --tunnel-through-iap’ wrapper, where I regex ssh
> arguments into the gcloud command.
>
> For tunneling to work I must
> 1. Run my playbook with my instance IP in the hosts variable of my playbook
> 2. Hardcode my compute instance hostname for my ssh wrapper connection.
> 3. This always makes an initial connection but always fails to run the
> command. No matter my regex there is always extra “, ‘ or something.
> 4. Comment out my ‘ssh_execution’ wrapper overriding in ansible.cfg
> 5. Run my playbook again which runs successfully.
>
> Running the playbook with the gcp plugin will only list available
> instances but will never ssh successfully without a previously opened
> gcloud session.
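
Added example (not part of the messages above, and not code from Ansible or the google.cloud collection): one way to write the ssh wrapper described in the quoted message so that ssh's arguments stay an argv list and are never regexed or re-quoted through a shell. It assumes the inventory hostname is the instance name, that the zone comes from a hypothetical IAP_ZONE environment variable, and that the ssh options Ansible passes are acceptable to the ssh that gcloud launches.

```python
#!/usr/bin/env python3
"""Added example: an ssh_executable wrapper that maps ssh argv onto gcloud."""
import os
import sys

# ssh(1) single-letter options that take the next argument as their value.
SSH_OPTS_WITH_VALUE = set("BbcDEeFIiJLlmOopQRSWw")


def split_ssh_argv(args):
    """Split ssh arguments into (options, host, remote_command)."""
    opts, i = [], 0
    while i < len(args) and args[i].startswith("-") and args[i] != "--":
        flag = args[i]
        opts.append(flag)
        # "-o X": the value is the next argv element; "-oX" is one element.
        if len(flag) == 2 and flag[1] in SSH_OPTS_WITH_VALUE:
            i += 1
            if i >= len(args):
                raise ValueError(f"option {flag} is missing its value")
            opts.append(args[i])
        i += 1
    if i < len(args) and args[i] == "--":
        i += 1
    if i >= len(args):
        raise ValueError("no host in ssh arguments")
    # ssh joins everything after the host with spaces to form the command.
    return opts, args[i], " ".join(args[i + 1:])


def build_gcloud_argv(ssh_args, zone):
    """Return the gcloud argv equivalent to `ssh <ssh_args>`."""
    opts, host, command = split_ssh_argv(ssh_args)
    # Assumption: the host Ansible passes is the Compute Engine instance name.
    argv = ["gcloud", "compute", "ssh", host,
            "--zone", zone, "--tunnel-through-iap"]
    if command:
        # One argv element, so no shell re-parses the quotes inside it.
        argv.append("--command=" + command)
    if opts:
        argv += ["--"] + opts  # handed through to the underlying ssh
    return argv


if __name__ == "__main__":
    # IAP_ZONE is a hypothetical variable name chosen for this example.
    argv = build_gcloud_argv(sys.argv[1:], os.environ["IAP_ZONE"])
    os.execvp(argv[0], argv)
```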
