2
votes

I'm attempting to use ansible to run a playbook against an existing GCE instance from within Google Cloud Shell (which to my understanding is itself a special GCE instance)

The GCE Guide makes it sound like it should maybe automatically pick up the credentials if I leave them blank.

When running Ansible inside a GCE VM you can use the service account credentials from the local metadata server by setting both service_account_email and credentials_file to a blank string.

However, the ssh attempt fails. Do I need to still do something to allow GCE --> GCE ssh? Do I maybe need to specify what user to use for the ssh attempt? If anyone has a working example that'd be excellent.

Edit: I've added a project-wide ssh key for my google user (the user returned by 'whoami' when I log on to an instance or cloud shell) using these instructions, but I still cannot ssh to other instances either manually or with ansible.


2 Answers

1
votes

From my searches (for example projects, comments, forum questions etc), it does not seem possible via settings to make Ansible automatically connect to other GCE instances without setting up ssh keys.

However, 'gcloud compute ssh' can automatically connect to other GCE instances from within GCE. I suspect (and am making an attempt) that a script which mimics the ssh api used by Ansible, but delegates to gcloud could allow Ansible to work without key management.
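One way the "ssh-shaped wrapper that delegates to gcloud" idea above can look in practice, as an added example that is not the answer author's script: Ansible is pointed at the wrapper via the inventory variable `ansible_ssh_executable`, the wrapper strips the ssh flags Ansible passes, and hands the target and remote command to `gcloud compute ssh`. The file name `gce-ssh-wrapper`, the `GCE_ZONE` environment variable and the assumption that Ansible passes the remote command as a single argument are this example's own.

```shell
#!/bin/sh
# Hypothetical ssh-shaped wrapper around `gcloud compute ssh` (added example,
# not the answer author's script). Point Ansible at it with
#   ansible_ssh_executable=/path/to/gce-ssh-wrapper
# Assumptions: the target is written host or user@host as for ssh, the zone
# comes from the GCE_ZONE environment variable, and the remote command arrives
# as one argument (which is how Ansible hands it to ssh).

# parse_ssh_args: walk an ssh-style argument list, dropping ssh flags and
# their values, and set SSH_TARGET (user@host) and SSH_COMMAND (remote command).
parse_ssh_args() {
    SSH_TARGET=""
    SSH_COMMAND=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -o|-i|-p|-l|-F|-b|-e) shift 2 ;;   # options that take a separate value
            -*) shift ;;                        # bare flags: -C, -tt, -q, -vvv, -oKey=val ...
            *)
                if [ -z "$SSH_TARGET" ]; then
                    SSH_TARGET="$1"             # first non-option word is the target
                    shift
                else
                    SSH_COMMAND="$*"            # everything after it is the command
                    break
                fi
                ;;
        esac
    done
    [ -n "$SSH_TARGET" ] || return 1            # ssh itself would refuse this too
}

# run_via_gcloud: execute the parsed request. Authentication and authorization
# are left to gcloud (the Cloud Shell account and IAM), so the wrapper itself
# holds and manages no ssh key material.
run_via_gcloud() {
    parse_ssh_args "$@" || exit 255             # 255 mirrors ssh's connection-error exit code
    set -- gcloud compute ssh "$SSH_TARGET" --quiet
    [ -n "$GCE_ZONE" ] && set -- "$@" --zone "$GCE_ZONE"
    [ -n "$SSH_COMMAND" ] && set -- "$@" --command "$SSH_COMMAND"
    exec "$@"
}

# Dispatch only when invoked with arguments (i.e. by Ansible as its ssh binary),
# so the file can also be sourced to reuse the functions.
if [ $# -gt 0 ]; then
    run_via_gcloud "$@"
fi
```

Because every connection is authorized by the gcloud credentials present in Cloud Shell rather than by a key on the instance, an audit of who reached which instance is the IAM/OS Login record, not authorized_keys files.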

0
votes

I believe the most convenient way of running Ansible from within Google Cloud Shell, now, is using the dockerized Ansible project I've created. On my last attempt installing Ansible onto the Google Cloud Shell VM I could not get it to work. However, docker is available by default.

Also, I no longer believe it is practical to try and pull credentials automagically from the VM. So the container requires service account credentials, for which I've included links to instructions on creating them with the required roles.

https://github.com/chad-autry/wac-gce-ansible