GCE service account: "RSA key format is not supported"
1,312 views
Skip to first unread message
Michael W. Lucas
Jun 5, 2014, 12:13:44 PM6/5/14
to ansible...@googlegroups.com
Hi,
I'm running
$ ansible --version
ansible 1.7 (devel 74f20ebf79) last updated 2014/06/04 11:36:10 (GMT -400)
on a week-old OpenBSD snapshot.
I'm trying to get Google Compute Engine running with a service
account, following instructions from:
http://docs.ansible.com/guide_gce.html
I have one test instance up, just so Ansible can see it. When I run
gce.py, I get:
$ ./gce.py --list
Traceback (most recent call last):
File "./gce.py", line 257, in <module>
GceInventory()
File "./gce.py", line 101, in __init__
self.driver = self.get_gce_driver()
File "./gce.py", line 157, in get_gce_driver
gce = get_driver(Provider.GCE)(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 536, in __init__
super(GCENodeDriver, self).__init__(user_id, key, **kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/compute/base.py", line 636, in __init__
api_version=api_version, **kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/common/base.py", line 950, in __init__
self.connection = self.connectionCls(*args, **conn_kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 75, in __init__
**kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/common/google.py", line 523, in __init__
self.token_info = self.auth_conn.get_new_token()
File "/usr/local/lib/python2.7/site-packages/libcloud/common/google.py", line 438, in get_new_token
key = RSA.importKey(self.key)
File "/usr/local/lib/python2.7/site-packages/Crypto/PublicKey/RSA.py", line 682, in importKey
raise ValueError("RSA key format is not supported")
ValueError: RSA key format is not supported
Any idea why?
My config files follow (I've made minor changes to obfuscate actual
project numbers and such, but the number of characters all stays the
same):
My gce.ini is:
$ grep -v ^# gce.ini
[gce]
libcloud_secrets = /etc/ansible/secrets.py
secrets.py is:
GCE_PARAMS = ('764898231355-irjfbhu4j...@developer.gserviceaccount.com', '/home/ansible/gce-cert.pem')
GCE_KEYWORD_PARAMS = {'project': 'vast-service-302'}
I created the PEM file with:
$ openssl.exe pkcs12 -in 4f5c41f18ceeed58b36e4cd77c7c40ce8fee55c6-privatekey.p12 -nodes -nocerts | openssl rsa -out gce-key3.pem
Enter Import Password:
MAC verified OK
writing RSA key
$
And the file gce-cert.pem contains:
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC3hj9hSQjC211qbEK6yMepjeIv53DF0OdkJI1TynH5UN0er4BN
7jnOaGf/BWrwIIKFbLrbSF9XlDjJ4PA+PLzQCmSGRwI4+OOZ/1TRyom+Wpv9owRl
...
rmc86L3+SpMdc4ZfmwJAM60M4jCeKh+ZEWqUvhTVFvaOM1VXVAEJCIs5nvIL8Vao
nzSQW7YBrjlG7/o0AaTJEJaVN8KXQgkS0etKUFOHnA==
-----END RSA PRIVATE KEY-----
Having read the archives on this error message:
I'm pretty confident that this is an actual RSA key, as file(1)
recognizes it as such.
The OpenBSD box has py-libcloud-0.14.1.
The Ansible host can talk to Google Cloud -- I can run gcutil as
ansible, with it logged in using my Google account. But I'd really
rather use the service account for this.
Any suggestions?
==ml
--
Michael W. Lucas - mwl...@michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
I'm running
$ ansible --version
ansible 1.7 (devel 74f20ebf79) last updated 2014/06/04 11:36:10 (GMT -400)
on a week-old OpenBSD snapshot.
I'm trying to get Google Compute Engine running with a service
account, following instructions from:
http://docs.ansible.com/guide_gce.html
I have one test instance up, just so Ansible can see it. When I run
gce.py, I get:
$ ./gce.py --list
Traceback (most recent call last):
File "./gce.py", line 257, in <module>
GceInventory()
File "./gce.py", line 101, in __init__
self.driver = self.get_gce_driver()
File "./gce.py", line 157, in get_gce_driver
gce = get_driver(Provider.GCE)(*args, **kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 536, in __init__
super(GCENodeDriver, self).__init__(user_id, key, **kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/compute/base.py", line 636, in __init__
api_version=api_version, **kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/common/base.py", line 950, in __init__
self.connection = self.connectionCls(*args, **conn_kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/compute/drivers/gce.py", line 75, in __init__
**kwargs)
File "/usr/local/lib/python2.7/site-packages/libcloud/common/google.py", line 523, in __init__
self.token_info = self.auth_conn.get_new_token()
File "/usr/local/lib/python2.7/site-packages/libcloud/common/google.py", line 438, in get_new_token
key = RSA.importKey(self.key)
File "/usr/local/lib/python2.7/site-packages/Crypto/PublicKey/RSA.py", line 682, in importKey
raise ValueError("RSA key format is not supported")
ValueError: RSA key format is not supported
Any idea why?
My config files follow (I've made minor changes to obfuscate actual
project numbers and such, but the number of characters all stays the
same):
My gce.ini is:
$ grep -v ^# gce.ini
[gce]
libcloud_secrets = /etc/ansible/secrets.py
secrets.py is:
GCE_PARAMS = ('764898231355-irjfbhu4j...@developer.gserviceaccount.com', '/home/ansible/gce-cert.pem')
GCE_KEYWORD_PARAMS = {'project': 'vast-service-302'}
I created the PEM file with:
$ openssl.exe pkcs12 -in 4f5c41f18ceeed58b36e4cd77c7c40ce8fee55c6-privatekey.p12 -nodes -nocerts | openssl rsa -out gce-key3.pem
Enter Import Password:
MAC verified OK
writing RSA key
$
And the file gce-cert.pem contains:
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC3hj9hSQjC211qbEK6yMepjeIv53DF0OdkJI1TynH5UN0er4BN
7jnOaGf/BWrwIIKFbLrbSF9XlDjJ4PA+PLzQCmSGRwI4+OOZ/1TRyom+Wpv9owRl
...
rmc86L3+SpMdc4ZfmwJAM60M4jCeKh+ZEWqUvhTVFvaOM1VXVAEJCIs5nvIL8Vao
nzSQW7YBrjlG7/o0AaTJEJaVN8KXQgkS0etKUFOHnA==
-----END RSA PRIVATE KEY-----
Having read the archives on this error message:
I'm pretty confident that this is an actual RSA key, as file(1)
recognizes it as such.
The OpenBSD box has py-libcloud-0.14.1.
The Ansible host can talk to Google Cloud -- I can run gcutil as
ansible, with it logged in using my Google account. But I'd really
rather use the service account for this.
Any suggestions?
==ml
--
Michael W. Lucas - mwl...@michaelwlucas.com, Twitter @mwlauthor
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Michael DeHaan
Jun 6, 2014, 8:39:10 AM6/6/14
to ansible...@googlegroups.com
I don't know about this one, maybe some of the GCE folks involved with the module can chime in.
A traceback is very much a bug, so please make sure one is filed and we can get Eric Johnsons's attention on it on GitHub.
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/20140605161326.GA19019%40bewilderbeast.blackhelicopters.org.
For more options, visit https://groups.google.com/d/optout.
Eric Johnson
Jun 6, 2014, 1:06:31 PM6/6/14
to ansible...@googlegroups.com
Hi Michael (Lucas),
First, I'd suggest deleting that service account and creating new one since I believe you've shared a bit too much information. :)
As for the traceback, I'm not sure what you're getting that error. It looks like you've done everything to get set up just fine. I've never tried this on a FreeBSD system, so I'll see if I can fire up an instance with that and see if I can replicate. I'll follow up by Monday.
But do whack those credentials straight away!
But do whack those credentials straight away!
Eric
GCE_PARAMS = ('764898231355-irjfbhu4jv...@developer.gserviceaccount.com', '/home/ansible/gce-cert.pem')
Michael Lucas
Jun 19, 2014, 1:24:23 PM6/19/14
to ansible...@googlegroups.com
On Friday, June 6, 2014 1:06:31 PM UTC-4, Eric Johnson wrote:
But do whack those credentials straight away!
I should have mentioned, those credentials were changed for just that reason... altered many characters to obscure them, but left them the exact same length and format.
Just updated Ansible and tried again, same result.
Issue #7845 filed.
Reply all
Reply to author
Forward
0 new messages