I have a GitLab CI project set up and working for Terraform by following the steps outlined here:
https://ael-computas.medium.com/gcp-workload-identity-federation-on-gitlab-passing-authentication-between-jobs-ffaa2d51be2c
It essentially sets the following variables to be used:
- export GOOGLE_APPLICATION_CREDENTIALS=$CI_PROJECT_DIR/_auth/.gcp_temp_cred.json
- export CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=$CI_PROJECT_DIR/_auth/.gcp_temp_cred.json
- export GOOGLE_GHA_CREDS_PATH=$CI_PROJECT_DIR/_auth/.gcp_temp_cred.json
- export GOOGLE_CLOUD_PROJECT=$(cat $CI_PROJECT_DIR/_auth/.GOOGLE_CLOUD_PROJECT)
- export CLOUDSDK_PROJECT=$(cat $CI_PROJECT_DIR/_auth/.GOOGLE_CLOUD_PROJECT)
- export CLOUDSDK_CORE_PROJECT=$(cat $CI_PROJECT_DIR/_auth/.GOOGLE_CLOUD_PROJECT)
- export GCP_PROJECT=$(cat $CI_PROJECT_DIR/_auth/.GOOGLE_CLOUD_PROJECT)
- export GCLOUD_PROJECT=$(cat $CI_PROJECT_DIR/_auth/.GOOGLE_CLOUD_PROJECT)
This all works fine in my Terraform setup, but when trying to run my Ansible tasks, it doesn't seem to be using the service account. It's just using a generic service account and I can't figure out how to change it. I get this error:
ERROR: (gcloud.compute.ssh) User [ephemeral-runner@gitlab-ci-plan-free-6-xxxxx.iam.gserviceaccount.com] does not have permission to access users instance [ephemeral-runner@gitlab-ci-plan-free-6-xxxxx.iam.gserviceaccount.com] (or it may not exist)
This is not the service account that I've set the GOOGLE_APPLICATION_CREDENTIALS variable to. Any ideas how to get it to use that account in a GitLab runner?
Thanks!
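A first diagnostic for this kind of mismatch, as an added example that is not part of the question: read the external_account (Workload Identity Federation) credential file that GOOGLE_APPLICATION_CREDENTIALS points to, pull out the service account it impersonates, and compare it with the principal gcloud names in the error. The credential file contents and the `terraform-ci@example-project` account are constructed placeholders; the error line is the one quoted in the post.

```python
import json
import os
import re
import tempfile

# Constructed sample of an external_account (Workload Identity Federation)
# credential file, the format written to _auth/.gcp_temp_cred.json. All values
# are placeholders, not real resources.
SAMPLE_CRED = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/POOL_ID/providers/PROVIDER_ID",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
        "projects/-/serviceAccounts/terraform-ci@example-project.iam.gserviceaccount.com"
        ":generateAccessToken",
    "credential_source": {"file": "/builds/group/project/_auth/.ci_job_jwt"},
}

# The error quoted in the question (project suffix redacted as in the post).
SAMPLE_ERROR = ("ERROR: (gcloud.compute.ssh) User [ephemeral-runner@gitlab-ci-plan-free-6-xxxxx"
                ".iam.gserviceaccount.com] does not have permission to access users instance")
SA_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.gserviceaccount\.com")

def impersonated_service_account(cred_path):
    """SA email a WIF credential file impersonates; None if it is not external_account."""
    with open(cred_path) as fh:
        cred = json.load(fh)
    if cred.get("type") != "external_account":
        return None  # e.g. a plain service_account key or authorized_user file
    match = SA_RE.search(cred.get("service_account_impersonation_url", ""))
    return match.group(0) if match else None

def principal_in_error(message):
    """Return the first service-account email gcloud names in an error line."""
    match = SA_RE.search(message)
    return match.group(0) if match else None

def credentials_match(cred_path, error_message):
    """True only when gcloud acted as the account the credential file targets."""
    return impersonated_service_account(cred_path) == principal_in_error(error_message)

def write_sample_cred():
    """Write SAMPLE_CRED to a temp file; stand-in for $GOOGLE_APPLICATION_CREDENTIALS."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_CRED, fh)
    return path
```

Run `credentials_match` against the real file and the real error text in the job; a `False` result confirms gcloud is not resolving the identity the WIF file configures, which narrows the problem to how the tool picks up its credentials rather than to IAM permissions on the target account.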