hashicorp / packer-plugin-googlecompute

Packer plugin for Google Compute Builder
https://www.packer.io/docs/builders/googlecompute
Mozilla Public License 2.0

Broken OSLogin service account authentication on Packer 1.0.10 #82

Closed ralbertazzi closed 2 years ago

ralbertazzi commented 2 years ago

Overview of the Issue

Service account authentication with OSLogin does not work on Packer 1.0.10. Reverting to Packer 1.0.9 solved the issue. My wild guess is that this PR may have caused the issue

Reproduction Steps

Authentication is performed through both the gcloud CLI and GOOGLE_APPLICATION_CREDENTIALS environment variable. They both use a service account key.

gcloud auth activate-service-account --key-file /tmp/.service-account-key.json
export GOOGLE_APPLICATION_CREDENTIALS="/tmp/.service-account-key.json"

Run packer build trying to provision a VM with use_os_login = true

Plugin and Packer version

From plugin version: 1.0.10

Simplified Packer Buildfile

source "googlecompute" "cos_image" {
  enable_integrity_monitoring = true
  enable_secure_boot          = true
  enable_vtpm                 = true
  metadata = {
    enable-oslogin-2fa = "FALSE"
  }
  omit_external_ip        = true
  service_account_email   = local.service_account_email
  subnetwork              = local.network
  use_iap                 = true
  use_internal_ip         = true
  use_os_login            = true
  // Other parameters omitted for simplicity
}

Operating system and Environment details

Linux

Log Fragments and crash.log files

2022-01-31T09:58:37Z: ==> googlecompute.cos_image: Checking image does not exist...
2022-01-31T09:58:37Z: ==> googlecompute.cos_image: Creating temporary RSA SSH key for instance...
2022-01-31T09:58:37Z: ==> googlecompute.cos_image: Importing SSH public key for OSLogin...
2022-01-31T09:58:42Z: ==> googlecompute.cos_image: All options for deriving the OSLogin user have been exhausted
2022-01-31T09:58:42Z: ==> googlecompute.cos_image: Deleting SSH public key for OSLogin...
2022-01-31T09:58:42Z: ==> googlecompute.cos_image: Error deleting SSH public key for OSLogin. Please delete it manually.
==> googlecompute.cos_image: 
==> googlecompute.cos_image: Error: googleapi: Error 401: End user credentials not provided.
2022-01-31T09:58:42Z: Build 'googlecompute.cos_image' errored after 5 seconds 729 milliseconds: All options for deriving the OSLogin user have been exhausted

==> Wait completed after 5 seconds 729 milliseconds

==> Some builds didn't complete successfully and had errors:
--> googlecompute.cos_image: All options for deriving the OSLogin user have been exhausted

nywilken commented 2 years ago

hi @ralbertazzi we will take a look at what is going on here and work to get it resolved in time for the next release. Most likely within the next two weeks. For now as you said the workaround is to continue using v1.0.9 of the Google Compute Packer plugin if OSLogin is required.

The latest release of the plugin does contain SSH enhancements for some of the new Linux distributions so this poses a problem if oslogin is borked. I'll take a look shortly to see if a fix can get out sooner.

nywilken commented 2 years ago

@ralbertazzi I believe you are referring to the version of the Google Compute plugin (v1.0.10) and not the version of Packer itself, which is currently at 1.8.2. Seeing as you are using HCL templates I'm pretty sure it's the plugin version, but I want to confirm for folks who might be following the ticket.

ralbertazzi commented 2 years ago

You are absolutely right, I edited my initial comment

nywilken commented 2 years ago

Hello :wave: thanks again for reporting, this should be fixed by #105. The issue was due to the userinfo.email scope not being available when authenticating using a default token. The PR contains the necessary updates to fix the issue. There are some test binaries available via the link below if you would like to test the fix.

test binaries

As a workaround, until the fix is released, you can explicitly set the account file path in the configuration.

variable "credentials_file" {
 type = string
 default = env("GOOGLE_APPLICATION_CREDENTIALS")
}

source "googlecompute" "cos_image" {
  use_os_login            = true
  account_file            = var.credentials_file
  // Other parameters omitted for simplicity
}
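The two derivation paths discussed in this thread, as an added Go example that is not the plugin's own code: the explicit account_file path reads client_email straight out of the service account key, while the default-token path can only return an email if the token was minted with the userinfo.email scope, which is the failure nywilken describes. Function names are hypothetical, the key JSON and tokeninfo responses are constructed samples (no real credentials), and the code parses those two shapes offline instead of calling Google.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Scope the tokeninfo/userinfo endpoints need before they will report the
// caller's email. A default token minted without it cannot be mapped to an
// OSLogin user, which is the failure mode in this issue.
const userinfoEmailScope = "https://www.googleapis.com/auth/userinfo.email"

// ErrExhausted mirrors the message Packer printed when no strategy produced a user.
var ErrExhausted = errors.New("all options for deriving the OSLogin user have been exhausted")

// Constructed sample inputs (not real credentials; hypothetical project name).
const (
	sampleKeyJSON          = `{"type":"service_account","client_email":"packer-builder@example-project.iam.gserviceaccount.com","private_key_id":"redacted","private_key":"redacted"}`
	tokenInfoNoEmailJSON   = `{"scope":"https://www.googleapis.com/auth/cloud-platform","expires_in":3599}`
	tokenInfoWithEmailJSON = `{"scope":"https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email","email":"packer-builder@example-project.iam.gserviceaccount.com","expires_in":3599}`
)

// serviceAccountKey is the subset of a key file we read.
type serviceAccountKey struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
}

// tokenInfo is the subset of an oauth2 tokeninfo response we inspect:
// "scope" is space separated, "email" is only present with userinfo.email.
type tokenInfo struct {
	Scope string `json:"scope"`
	Email string `json:"email"`
}

// EmailFromKeyJSON is the account_file path: the email comes from the key
// itself, so no token scope is involved. This is why the workaround works.
func EmailFromKeyJSON(raw []byte) (string, error) {
	var k serviceAccountKey
	if err := json.Unmarshal(raw, &k); err != nil {
		return "", fmt.Errorf("account_file is not valid JSON: %w", err)
	}
	if k.Type != "service_account" || k.ClientEmail == "" {
		return "", errors.New("account_file is not a service account key with client_email")
	}
	return k.ClientEmail, nil
}

// HasScope reports whether a space-separated scope list contains want.
func HasScope(scopes, want string) bool {
	for _, s := range strings.Fields(scopes) {
		if s == want {
			return true
		}
	}
	return false
}

// EmailFromTokenInfo is the default-credential path: check the scope first
// so the caller gets a precise reason instead of a bare 401 or empty email.
func EmailFromTokenInfo(raw []byte) (string, error) {
	var t tokenInfo
	if err := json.Unmarshal(raw, &t); err != nil {
		return "", fmt.Errorf("tokeninfo is not valid JSON: %w", err)
	}
	if !HasScope(t.Scope, userinfoEmailScope) {
		return "", fmt.Errorf("token lacks %s; tokeninfo will not return an email", userinfoEmailScope)
	}
	if t.Email == "" {
		return "", errors.New("tokeninfo returned no email")
	}
	return t.Email, nil
}

// DeriveOSLoginUser tries the explicit key first, then the default token,
// and wraps ErrExhausted with every reason when neither yields an email.
func DeriveOSLoginUser(keyJSON, tokenInfoJSON []byte) (string, error) {
	reasons := []string{}
	if len(keyJSON) > 0 {
		if email, err := EmailFromKeyJSON(keyJSON); err == nil {
			return email, nil
		} else {
			reasons = append(reasons, "account_file: "+err.Error())
		}
	}
	if len(tokenInfoJSON) > 0 {
		if email, err := EmailFromTokenInfo(tokenInfoJSON); err == nil {
			return email, nil
		} else {
			reasons = append(reasons, "default token: "+err.Error())
		}
	}
	if len(reasons) == 0 {
		reasons = append(reasons, "no credentials available")
	}
	return "", fmt.Errorf("%w: %s", ErrExhausted, strings.Join(reasons, "; "))
}

func main() {
	// Broken case: default token without userinfo.email.
	if _, err := DeriveOSLoginUser(nil, []byte(tokenInfoNoEmailJSON)); err != nil {
		fmt.Println("FAIL:", err)
	}
	// Workaround: explicit account_file yields the email regardless of token scope.
	if email, err := DeriveOSLoginUser([]byte(sampleKeyJSON), []byte(tokenInfoNoEmailJSON)); err == nil {
		fmt.Println("OK via account_file:", email)
	}
}
```

Run against a real environment, the tokeninfo input would be the response for the token from `gcloud auth print-access-token`, and the key input the file named by GOOGLE_APPLICATION_CREDENTIALS; the scope check is the preflight that tells you which of the two paths the build will actually take.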