New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gce module errors on file not found when using OAuth client authentication #17075
Comments
Which check? |
Referring to https://github.com/ansible/ansible/blob/devel/lib/ansible/module_utils/gcp.py#L88-L100 ? # We have credentials but lets make sure that if they are JSON we have the minimum
# libcloud requirement met
try:
# Try to read credentials as JSON
with open(credentials_file) as credentials:
json.loads(credentials.read())
# If the credentials are proper JSON and we do not have the minimum
# required libcloud version, bail out and return a descriptive error
if LooseVersion(libcloud.__version__) < '0.17.0':
module.fail_json(msg='Using JSON credentials but libcloud minimum version not met. '
'Upgrade to libcloud>=0.17.0.')
return None
except ValueError, e:
# Not JSON
pass |
yes, that check |
While a client ID and a client secret could technically work in place of a service e-mail and a JSON file, respectively (assuming the check were removed), neither the GCP module nor the Ansible modules that call it have ever claimed to support any authentication method other than service accounts. As such, I think this issue should be labeled as a feature idea rather than a bug report. With respect to supporting the Installed Application auth method, I'd prefer to use new parameters for client id and client secret, rather than overloading the existing service account parameters. This would:
|
I'm fine using new parameters (I agree that the naming is unfortunate) but as far as I can tell, the environment variable used by ansible are the same as the ones used by libcloud in their examples. I guess they are convention based (the gce.py inventory script also use them but is not failing on client), but this might add to the confusion. More generally, I wonder if having dfferent variables used for different types of authentication is worth it since:
Currently I only need to relax the gcp.py module validation of the arguments, which should be okay as libcloud performs validation too: |
I believe this check also causes issue regarding GCE internal authentication (the ability to get the credentials from a GCE VM metadata). According to Ansible documentation (https://docs.ansible.com/ansible/guide_gce.html#credentials), this is supported and you need to pass empty strings for both |
To confirm that internal authorization is also broken:
(this error is because empty (but None) module arguments are ignored) if using environment variables instead:
|
GCE internal authorization or installed application authentications stopped working when checking if the credentials_file is actually a JSON file. Skipping over the check if the file doesn't exist, and also fixing module arguments not being used for internal authorization. Fixes ansible#17075
GCE internal authorization or installed application authentications stopped working when checking if the credentials_file is actually a JSON file. Skipping over the check if the file doesn't exist, and also fixing module arguments not being used for internal authorization. Fixes ansible#17075
GCE internal authorization or installed application authentications stopped working when checking if the credentials_file is actually a JSON file. Skipping over the check if the file doesn't exist, and also fixing module arguments not being used for internal authorization. Fixes ansible#17075
Hi Folks, Regarding Application Default Credentials (the ability to not specify creds when running on a GCE instance), we've recently added support for it in this PR: #22723. It's currently scheduled for the 2.4 release (unfortunately, we didn't get it finished in time for 2.3). |
GCE internal authorization or installed application authentications stopped working when checking if the credentials_file is actually a JSON file. Skipping over the check if the file doesn't exist, and also fixing module arguments not being used for internal authorization. Fixes ansible#17075
GCE internal authorization or installed application authentications stopped working when checking if the credentials_file is actually a JSON file. Skipping over the check if the file doesn't exist, and also fixing module arguments not being used for internal authorization. Fixes ansible#17075
resolved_by_pr #22723 |
ISSUE TYPE
COMPONENT NAME
gce module_util
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
N/A
SUMMARY
It is possible to connect to GCE using a clientId (feature named Installed Application authentication in apache-libcloud), which is useful when you want users to interact with GCE without creating service accounts and sharing credentials amongst your org.
In that mode, the GCE credential is not a json file, but the client secret string for the given clientId. Unfortunately a check in lib/module_utils/gce.py prevents the use of this authentication mode.
STEPS TO REPRODUCE
open Google Cloud Console > API Manager > credentials
click on Create credentials > OAuth client id
choose Application Type: Other
note the client id/client secret
EXPECTED RESULTS
ansible command should create a test instance (it might ask the user to open a browser to get a token id, but if user is already logged in, there's no interaction)
ACTUAL RESULTS
The text was updated successfully, but these errors were encountered: