Google Compute SSH Fails


Having some specific issues with deploying to google compute engine. Basically I’m attempting to run a simple gcloud compute ssh - what tends to happen is either:

a) gcloud cannot find the ssh key
b) I get a Permission denied (publickey).

Some background on a) is that I can’t add a key named google_compute_engine (CircleCI refuses to add underscores it seems). However, I can still add the ssh key say, google-compute-engine, and then rename it to google_compute_engine during the pre-installation.

However, the key still fails - the pub refuses to be accepted. Only thing I can think of is it being the decrypted SSH key rather than the encrypted one. That being said, I’m all out of ideas. It seems that the gcloud ssh is refused no matter what key / steps I take.

(Also the key I’m using is the one I use locally to get into the server - which works fine).

Any ideas?

Ok so didn’t exactly get the gcloud compute ssh to work - I had to just abandon that concept.

What I did in the end was:

  1. Log into the google compute engine instance via the web command console.

  2. Generate the ssh key on the server using ssh-keygen -t rsa -f ~/.ssh/[KEY_FILE_NAME] -C [USERNAME]. Make sure to chmod 400 the private key file.

  3. Copy the output of [KEY_FILE_NAME].pub to the authorized_keys list (an auto-generated file that Google uses for SSH keys).

4a) Go to your localhost (or whatever machine) and add the [KEY_FILE_NAME] secret key to your ~/.ssh key folder - or whatever directory you chose. Make sure to also chmod 400 this file.

4b) You can also add this same key to circle-ci in the ssh settings of your project. Just create a new key, name it the same as the key file you’ll use in the ssh command, and copy the entire contents of the private key to the value field.

  5. Run the command ssh -i ~/.ssh/[KEY_FILE] [USERNAME]@[INSTANCE_IP_ADDRESS] (or add this command to your circle-ci.yml file).

  6. To run a command you can simply do ssh -i ~/.ssh/[KEY_FILE] [USERNAME]@[INSTANCE_IP_ADDRESS] echo test and replace echo test with whatever command you want.

And that should be everything you need to ssh into a google compute instance and allow circle ci access.

1 Like
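A preflight check for the manual key setup in the post above, added here as an example and not part of the original thread or of any gcloud or CircleCI tooling. It covers the two points the steps depend on: the private key file is closed to group and others, and the public key is actually listed in authorized_keys. The function names and the three file arguments are assumptions; run it on the machine where the files live (the instance, for authorized_keys).

```shell
#!/bin/sh
# Added example: function names and file arguments are assumptions for
# illustration, not part of gcloud, OpenSSH or CircleCI.

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if group and others have no access to the private key.
# OpenSSH ignores a private key whose mode grants them any permission.
private_key_mode_ok() {
    mode=$(file_mode "$1") || { echo "cannot stat $1" >&2; return 2; }
    case "$mode" in
        0|*00) return 0 ;;
        *) echo "$1 has mode $mode; run chmod 400 on it" >&2; return 1 ;;
    esac
}

# Succeed if the base64 key blob in PUBFILE ($1) appears as a whole field on
# a non-comment line of AUTHFILE ($2). Matching the blob rather than the full
# line tolerates a different trailing comment or leading key options.
pubkey_authorized() {
    blob=$(awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$1")
    [ -n "$blob" ] || { echo "no public key found in $1" >&2; return 2; }
    awk -v want="$blob" '
        /^[ \t]*#/ { next }
        { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }' "$2"
}

# preflight PRIVATE_KEY PUBLIC_KEY AUTHORIZED_KEYS
preflight() {
    private_key_mode_ok "$1" && pubkey_authorized "$2" "$3"
}

# Run the checks when called with the three file paths.
if [ "$#" -eq 3 ]; then
    preflight "$@" && echo "key pair looks usable"
fi
```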

Thanks for sharing your experience and solution!

To clarify point 4b).
Here’s what worked for me. Copy the private key from your local system that you created for gcloud and add it to CircleCI as an SSH Key.
There’s no name field, just a host name field. Use gcloud for example.

Then in your build steps, you can use gcloud compute scp like this (note the name of the key file is id_gcloud):

sudo /opt/google-cloud-sdk/bin/gcloud compute scp --ssh-key-file ~/.ssh/id_gcloud --zone "us-west1-b" yourfile yourinstance:./somedir

The existing documentation for gcloud compute should be revised since the JSON API key mechanism is not sufficient if you want to copy to your compute instances directly.