我有一段时间让我的Google服务帐户从bitbucket管道进入我们的计算引擎实例。
Script:
gcloud compute ssh instance1 --zone us-central1-a --quiet --verbosity=info --command="gracefully shutdown processes" && \
gcloud compute scp ~/ instance1:~/ --zone us-central1-a --quiet --recurse --compress && \
gcloud compute ssh instance1 --zone us-central1-a --quiet --verbosity=info --command="start the services"
ERROR: (gcloud.compute.ssh) Could not SSH into the instance. It is possible that your SSH key has not propagated to the instance yet. Try running this command again. If you still cannot connect, verify that the firewall and instance are set to accept ssh traffic.
Permission denied (publickey).
lost connection
ERROR: (gcloud.compute.scp) [/usr/bin/scp] exited with return code [1].
我甚至尝试过没有gcloud的老式SSH方式。我使用metadata将公钥添加到实例中。我可以在我的本地机器上SSH,但是使用bitbucket管道,我得到一个权限被拒绝错误。
script:
- echo $PRIVATE_SSH_KEY > ./ssh_key
- chmod 400 ssh_key
- ssh -t -t -i ssh_key bitbucket-service-account@<IP>
Permission denied (publickey).
我怎么可能做错了?
需要https://www.googleapis.com/auth/compute这个角色。将该角色添加到VM的服务帐户[1]。遗憾的是,尚未在Google Cloud文档中记录。
[1] https://cloud.google.com/iam/docs/granting-roles-to-service-accounts
感谢您帮助Alessio。我在挖掘后能够弄明白。
ssh -i ~/.ssh/config <Bitbucket-Username>@<IP-OF-VM>