Applying GCP OS Login to Terraform and Ansible

Photo by Atish Sewmangel on Unsplash
  • Creating OS Login resource and adding metadata
  • Parsing uniqueId from the service account
  • Assigning the uniqueId as ansible_user in host inventory

Creating a GCP service account/key/binding

Since this is OS Login, I think gcloud on my desktop is a better choice to create a service account. You can do the same in the GCP console.

Creating OS Login resource and adding metadata

Now we have the service account bound to the OS Login role. We create a “google_os_login_ssh_public_key” resource and associate the desktop SSH key with the service account.

Parsing uniqueId from the service account

So far, so good. I created a sample VM, and “gcloud compute ssh stan1” did log in to my GCE VM with the service account uniqueId. However, the “null_resource” local-exec provisioner timed out, and the OS secure log showed “no such user: ysung.” Now I need to tell Ansible which user to ssh as (ansible_user).
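The whole flow above (create the service account and its OS Login binding, read its uniqueId, and hand the resulting user name to Ansible) as one added shell example. This is not the article's code: the Terraform “google_os_login_ssh_public_key” step is left to the author's module, the project id, account id, VM name and IP are assumed values, roles/compute.osAdminLogin is an assumption about which OS Login role is bound, and the `sa_<uniqueId>` form is the POSIX user name OS Login assigns to a service account. All gcloud calls go through `$GCLOUD` so the functions can be exercised offline with `GCLOUD=echo`.

```shell
#!/bin/sh
# Added example (not the article's own code): wire a GCP service account into
# OS Login and emit an Ansible inventory whose ansible_user is the OS Login
# POSIX name of that service account. Every gcloud invocation goes through
# $GCLOUD so the functions can be tried offline (GCLOUD=echo); project, account
# id, VM name and IP below are assumptions, not values from the article.
set -eu

GCLOUD="${GCLOUD:-gcloud}"

# Step 1: create the service account, a key for Terraform/Ansible and the
# project-level OS Login binding. roles/compute.osAdminLogin also grants sudo;
# use roles/compute.osLogin when the automation does not need root.
create_os_login_sa() {
  project="$1"; account_id="$2"; key_file="$3"
  email="${account_id}@${project}.iam.gserviceaccount.com"
  "$GCLOUD" iam service-accounts create "$account_id" \
      --project "$project" --display-name "terraform-ansible automation"
  "$GCLOUD" iam service-accounts keys create "$key_file" \
      --project "$project" --iam-account "$email"
  "$GCLOUD" projects add-iam-policy-binding "$project" \
      --member "serviceAccount:${email}" --role roles/compute.osAdminLogin
  printf '%s\n' "$email"          # last line: the account e-mail for later steps
}

# Step 2: read the numeric uniqueId of the service account; with
# --format='value(uniqueId)' gcloud prints only the id.
lookup_unique_id() {
  "$GCLOUD" iam service-accounts describe "$2" \
      --project "$1" --format='value(uniqueId)'
}

# Step 3: OS Login maps a service account to the POSIX user "sa_<uniqueId>";
# that, not the desktop login name, is the user sshd on the VM accepts.
oslogin_user_for() {
  case "$1" in
    ''|*[!0-9]*) echo "invalid uniqueId: '$1'" >&2; return 1 ;;
  esac
  printf 'sa_%s\n' "$1"
}

# Step 4: render an INI inventory. Each "name=ip" argument becomes a host line
# and ansible_user is set once for the whole group.
render_inventory() {
  group="$1"; ansible_user="$2"; shift 2
  printf '[%s]\n' "$group"
  for entry in "$@"; do
    printf '%s ansible_host=%s\n' "${entry%%=*}" "${entry#*=}"
  done
  printf '\n[%s:vars]\nansible_user=%s\n' "$group" "$ansible_user"
}

main() {
  project="${1:?project id}"; account_id="${2:-tf-ansible}"
  email=$(create_os_login_sa "$project" "$account_id" "./${account_id}.json" | tail -n 1)
  unique_id=$(lookup_unique_id "$project" "$email")
  user=$(oslogin_user_for "$unique_id")
  render_inventory gce "$user" "stan1=10.0.0.11" > inventory.ini   # assumed VM/IP
  cat inventory.ini
}

# Run the full flow only when a project id is given, so the file can also be
# sourced for its functions.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Usage: `sh oslogin_inventory.sh my-project tf-ansible` creates the account and writes `inventory.ini`; `GCLOUD=echo sh oslogin_inventory.sh my-project` prints the gcloud commands instead of running them. Point `ansible-playbook -i inventory.ini` at the result and the "no such user" failure from the local-exec provisioner goes away, because Ansible now connects as the `sa_<uniqueId>` user OS Login knows about.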

Conclusion

This is not a perfect solution. The Terraform/Ansible project now depends on the gcloud CLI for full automation. It is relatively easy, though, and the changes are minimal because of the Terraform module design.

A data nerd started from data center field engineer to cloud database reliability engineer.
