Home / server / Questions / 758519
Accepted
akostadinov
Asked: 2016-02-20 15:08:17 +0800 CST

cloud-init does not insert instance level ssh keys in gce

  • 772

I am passing (YAML representation)

metadata:
 items: 
 - key: sshKeys
   value: root:ssh-rsa AAAAB... non@nan

when creating a gcloud instance. But I cannot ssh to the instance

$ ssh 139.242.197.104.bc.googleusercontent.com
Host key fingerprint is SHA256:aSSOS1tMiF9h43C6UIJQW0TqXuYVMfRic3Lm7gYRECQ
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Looks like ssh key is not inserted on boot. Instance is standard RHEL 7.2 kvm guest image converted from qcow2 to raw format and uploaded. Any idea if what I'm doing is the correct incantation for specifying ssh keys in GCE and if what I want is supported by cloud-init?

redhat

1 Answers

  1. Best Answer

    Huh, can't get any GCE answer it seems. Figured it out though. First of all current Red Hat Enterprise Linux (v7.2) cloud-init version does not support instance ssh keys (it handles only project level keys). cloud-init trunk though does support them already so hopefully downstream will pick up soon. In the meantime I used the following user-data to emulate this (again YAML representation): metadata:

     items:
 - key: sshKeys
   value: root:ssh-rsa AAAAB... non@nan 
 - key: user-data
   value:|
     #cloud-config
     disable_root: false
     preserve_hostname: true
     runcmd:
     - "curl 'http://metadata.google.internal/computeMetadata/v1/instance/attributes/sshKeys' -H 'Metadata-Flavor: Google' | sed -r -e 's/(^|,)[^\\S]*:/\\1/g' -e 's/,/\\n/g' >> /root/.ssh/authorized_keys"

    Note that google documentation talks only about startup-script metadata key. To my reading even upstream cloud-init does not care about that metadata key. It is looking for the user-data key as shown above.

    Hope this helps.

    • 1