I have been having a look into using oslogin exclusively for my terraform environment setup and have been running into an issue where I can’t get the ssh key for a service account added on the first run.
I have tried via access-token (main example) and even via logging in as the service account.
Background is I want to create a bastion-host with a temporary service account that has ssh access to the host to login and complete the remainder of the install/setup on private hosts.
I think this is a bug but am looking for some sanity checks before I report it.
I get the following error on the first run. Repeat runs work fine for service account login, and access_token needs to wait around 5 minutes (I also had issues deleting after the access token had expired):
Error: Error creating SSHPublicKey: googleapi: Error 403: End user credentials must match the user specified in the request.
on oslogin-ssh.tf line 39, in resource "google_os_login_ssh_public_key" "add-os-login-ssh-key":
39: resource "google_os_login_ssh_public_key" "add-os-login-ssh-key" {
The example below has two sections, one of which is commented out, which allows switching between access_token and logging in as the service account. I found the service account option to be less prone to issues; I only had to run it twice.
Rename to .tf and create a terraform.tfvars with the following details:
project = ""
zone = "us-central1-a"
network = "projects//global/networks/default"
subnet = "projects//regions/us-central1/subnetworks/default"
user_a = "user:@.com"
oslogin-ssh.tf.txt (3.7 KB)