从CD管道通过SSH进入Compute Engine VM

Question

I'm having a bear of a time getting my Google service account to ssh into our Compute Engine instance from bitbucket pipelines.

Script:
gcloud compute ssh instance1 --zone us-central1-a --quiet --verbosity=info --command="gracefully shutdown processes" && \
gcloud compute scp ~/ instance1:~/ --zone us-central1-a --quiet --recurse --compress && \
gcloud compute ssh instance1 --zone us-central1-a --quiet --verbosity=info --command="start the services"

ERROR: (gcloud.compute.ssh) Could not SSH into the instance.  It is possible that your SSH key has not propagated to the instance yet. Try running this command again.  If you still cannot connect, verify that the firewall and instance are set to accept ssh traffic.
Permission denied (publickey).
lost connection
ERROR: (gcloud.compute.scp) [/usr/bin/scp] exited with return code [1].

I've even tried the old fashioned way of SSHing in without gcloud. I added the public key to the instance using metadata . I can SSH in on my local machine, but with bitbucket pipelines, I get a permission denied error.

script:
        - echo $PRIVATE_SSH_KEY > ./ssh_key
        - chmod 400 ssh_key
        - ssh -t -t -i ssh_key bitbucket-service-account@<IP>

Permission denied (publickey).

What could I possibly be doing wrong?

Answer 1

The role https://www.googleapis.com/auth/compute is needed. Add that role to your VM's service account[1]. Unfortunately is not documented yet on Google Cloud documentation.

[1] https://cloud.google.com/iam/docs/granting-roles-to-service-accounts

Answer 2

Thanks for helping Alessio. I was able to figure it out after digging around.

1. Create bitbucket key pair by using the bitbucket ssh keygen tool
2. Copy the public key from step 1 to the Compute Engine Instance but remember to paste your bitbucket username at the end of the key
3. ssh -i ~/.ssh/config <Bitbucket-Username>@<IP-OF-VM>