Closed kazcrn-omnisend closed 1 year ago
SUMMARY
I'm setting up a GitHub Action to run an Ansible playbook/inventory utilizing GCP Workload Identity. It seems I can get an access_token from WI, but gcp_compute does not recognize this auth_kind env variable.

COMPONENT NAME
`gcp_compute` plugin

ANSIBLE VERSION
```
ansible 2.9.6
  config file = /tmp/github-runner-dind/ansible-runner/ansible-runner/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.8.10 (default, May 26 2023, 14:05:08) [GCC 9.4.0]
```

COLLECTION VERSION
1.2.0

CONFIGURATION
```
INVENTORY_ENABLED(/tmp/github-runner-dind/ansible-runner/ansible-runner/ansible.cfg) = ['gcp_compute']
```

OS / ENVIRONMENT
We use this image: myoung34/github-runner:latest. It is based on Ubuntu Focal.

STEPS TO REPRODUCE
I have configured a minimal GitHub workflow:

```yaml
name: ansible-runner
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: development-dind
    permissions:
      contents: 'read'
      id-token: 'write'
    steps:
      - uses: actions/checkout@v3
      - name: Authenticate to Google Cloud
        id: auth
        uses: google-github-actions/auth@v0.4.0
        with:
          token_format: 'access_token'
          workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER_GH_DEVELOPMENT }}
          service_account: ansible-runner@---HIDDEN---.iam.gserviceaccount.com
      - name: Install dependencies
        run: apt-get install ansible python3-requests python3-google-auth -y
      - name: test run
        env:
          GCP_ACCESS_TOKEN: "${{ steps.auth.outputs.access_token }}"
          GCP_AUTH_KIND: "accesstoken"
        run: ansible-inventory -i inventory/development --list
```

I have used env variables to set the `auth_kind` and `access_token` parameters, so the inventory file looks like this:

```yaml
---
plugin: gcp_compute
projects:
  - ---HIDDEN---
filters:
  - name = development-mongodb-c1-*
groups:
  mongod: name.startswith('development-mongodb-c1-s')
  mongoc: name.startswith('development-mongodb-c1-config-')
  mongos: name.startswith('development-mongodb-c1-mongos-n1-')
hostnames:
  - name
keyed_groups:
  - prefix: zone
    key: zone|last
  - prefix: mongod
    key: name.split("-")[3]
compose:
  ansible_host: name
```

```
ansible-inventory -i inventory/development --list
```

EXPECTED RESULTS
Expected to have ansible inventory listed

ACTUAL RESULTS
```
Run ansible-inventory -i inventory/development --list
  ansible-inventory -i inventory/development --list
  shell: /usr/bin/bash -e {0}
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /tmp/github-runner-dind/_temp/059aac5e8bd158dc89[2]...
    GOOGLE_APPLICATION_CREDENTIALS: /tmp/github-runner-dind/_temp/0[5](---HIDDEN---)9aac5e8bd158dc89205113
    CLOUDSDK_PROJECT: ---HIDDEN---
    CLOUDSDK_CORE_PROJECT: ---HIDDEN---
    GCP_PROJECT: ---HIDDEN---
    GCLOUD_PROJECT: ---HIDDEN---
    GOOGLE_CLOUD_PROJECT: ---HIDDEN---
    GCP_ACCESS_TOKEN: ***
    GCP_AUTH_KIND: accesstoken
Warning: :  * Failed to parse /tmp/github-runner-dind/ansible-runner/ansible-runner/inventory/development/inventory.gcp.yaml with gcp_compute plugin: Credential type 'accesstoken' not implemented
Warning: : Unable to parse /tmp/github-runner-dind/ansible-runner/ansible-runner/inventory/development/inventory.gcp.yaml as an inventory source
Warning: : Unable to parse /tmp/github-runner-dind/ansible-runner/ansible-runner/inventory/development as an inventory source
Warning: : No inventory was parsed, only implicit localhost is available
{
    "_meta": {
        "hostvars": {}
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    }
}
```

FYI works correctly with ansible 2.10