Adding SSH key to oslogin Service account errors on first try

I have been having a look into using oslogin exclusively for my Terraform environment setup and have been running into an issue where I can't get the SSH key for a service account added on the first run.

I have tried via access-token (main example) and even via logging in as the service account.

The background is that I want to create a bastion host with a temporary service account that has SSH access to the host, to log in and complete the remainder of the install/setup on private hosts.

I think this is a bug, but I am looking for some sanity checks before I report it.

I get the following error on the first run. Repeat runs work fine for service account login, and access_token needs to wait around 5 minutes (I also had issues deleting after the access token had expired).

Error: Error creating SSHPublicKey: googleapi: Error 403: End user credentials must match the user specified in the request.

on line 39, in resource "google_os_login_ssh_public_key" "add-os-login-ssh-key":
39: resource "google_os_login_ssh_public_key" "add-os-login-ssh-key" {

The example below has two sections, one of which is commented out, which allows switching between access_token and logging in as the service account. I found the service account option to be less prone to issues; I only had to run it twice.

Rename to .tf and create a terraform.tfvars with the following details:

project = ""
zone = "us-central1-a"
network = "projects//global/networks/default"
subnet = "projects//regions/us-central1/subnetworks/default"
user_a = ""