Packer issue: Non-retryable tunnel error: ERROR: (gcloud.auth.activate-service-account)

[hc-github-team-packer]

This issue was originally opened by @ketanjoshi10 in https://github.com/hashicorp/packer/issues/11245 and has been migrated to this repository. The original issue description is below.

---

Overview of the Issue

I am trying to create a simple image using Packer in GCP. I have all the required access to GCP console through CLI. On triggering the Packer.json script it fails with below error:

==> googlecompute: Step Launch IAP Tunnel...
==> googlecompute: Non-retryable tunnel error: ERROR: (gcloud.auth.activate-service-account) Unable to read file []: [Errno 2] No such file or directory: ''
==> googlecompute:

Can anyone suggest a resolution for this?

Reproduction Steps

• First created the VPC, subnet and firewall rule to allow ssh IAP access in this VPC.

• I have created a service account with the following permissions:

Compute Admin Compute Instance Admin (v1) IAP-secured Tunnel User Monitoring Metric Writer Secret Manager Secret Accessor Storage Object Viewer

• The same packer.json was running fine 2 weeks ago. Suddenly it started to fail with the specified error on triggering.

Packer version

Tried on 1.7.4 as well as 1.6.6

Simplified Packer Buildfile

{ "variables": { "project_id": "my-gcp-project", "image_name": "my-packer-image", "instance_name": "my-packer-instance", "service_account_email": "my-service-account@my-gcp-project.iam.gserviceaccount.com", "zone": "us-east4-c", "subnetwork": "my-gcp-subnet" },

"builders": [
  {
    "type": "googlecompute",
    "image_name": "{{user `image_name`}}",
    "project_id": "{{user `project_id`}}",
    "source_image": "debian-10-buster-v20210701",
    "instance_name": "{{user `instance_name`}}",
    "machine_type": "e2-micro",
    "preemptible": true,
    "disk_size": "30",
    "disk_type": "pd-standard",
    "ssh_username": "packer",
    "zone": "{{user `zone`}}",
    "service_account_email": "{{user `service_account_email`}}",
    "use_iap": true,
    "omit_external_ip": true,
    "use_internal_ip": true,
    "subnetwork": "{{user `subnetwork`}}",
    "labels": {"environment":"prod", "group_name": "mgmt-group", "purpose": "baseimage"},
    "tags": ["allow-iap-ssh"],
    "scopes":  [
        "https://www.googleapis.com/auth/cloud-platform"
      ]
  }
],

"provisioners": [
  {
  "type": "file",
  "source": "metadata.sh",
  "destination": "/tmp/metadata.sh"
  },
  {
    "type": "shell",
    "inline": [
      "sudo bash /tmp/metadata.sh"
    ]
  }

[jonsulman]

I ran into this issue. Google support told me they had updated the behavior of IAP so that it returns the 4047 error code in cases where a Compute Engine instance is still being created. They've added this code to the IAP documentation. Packer should treat 4047 as a retryable error.

[nywilken]

Hi there @ketanjoshi10, apologies for the delayed response here. I believe this issue has been resolved in the latest release of Packer and the Google Compute plugin. I'm going to close this issue. But please upgrade and advise if you are still running into issues here.