ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4033: 'not authorized']

[douglashsu]

TL;DR

Unable to log in a designated VM instance in GCP through the Action Runner.

Expected behavior

No response

Observed behavior

Command :
gcloud compute ssh hsu_douglas@stage-test-cd --project=xxxxxxxx --zone asia-east1-b --ssh-key-file /home/douglas/.ssh/stage_test_cd --quiet --tunnel-through-iap --command='echo Hello world'

works fine on a local Linux PC with the same private key as secrets.GCP_SSH_PRIVATE_KEY in Actions setting .

Action YAML

name: Test for Auto Deploy via SSH

on:
  workflow_dispatch:
    inputs:
      Manual:
        description: 'Manually Trigger'
        default: 'Hello World'
        required: true

env:
  PROJECT_ID: ${{ secrets.PROJECT_ID }}
  SERVICE_NAME: xxxxxxxxxxxx

jobs:
  SSH-Compute:
    name: Checkout, Login via SSH, and Deploy
    runs-on: ubuntu-latest

    steps:
    - uses: 'actions/checkout@v3'

    - id: auth
      uses: google-github-actions/auth@v1
      with:
        credentials_json: ${{ secrets.SA_KEY }}

    - name: SSH to Google Cloud Platform compute instances
      uses: google-github-actions/[email protected]
      with:
        project_id: 'xxxxxxxxx'
        instance_name: 'stage-test-cd'
        zone: 'asia-east1-b'
        user: 'hsu_douglas'
        ssh_private_key: '${{ secrets.GCP_SSH_PRIVATE_KEY }}'
        command: 'echo Hello world'

Log output

Run google-github-actions/[email protected]
  
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/158acaea-34bf-4661-88f7-02892b1cd53c -f /home/runner/work/_temp/4fd56546-15b7-4d42-a023-568f55ae071d
Running: gcloud compute ssh hsu_douglas@stage-test-cd --zone asia-east1-b --ssh-key-file /tmp/2e063883321c415fd5a9a28e/google_compute_engine --quiet --tunnel-through-iap --project *** --command echo Hello world

Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Warning: The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
Error: google-github-actions/ssh-compute failed with: failed to execute gcloud command `gcloud compute ssh hsu_douglas@stage-test-cd --zone asia-east1-b --ssh-key-file /tmp/2e063883321c415fd5a9a28e/google_compute_engine --quiet --tunnel-through-iap --project *** --command echo Hello world`: WARNING: 

To increase the performance of the tunnel, consider installing NumPy. For instructions,
please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth

ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4033: 'not authorized'].
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

Recommendation: To check for possible causes of SSH connectivity issues and get
recommendations, rerun the ssh command with the --troubleshoot option.

gcloud compute ssh stage-test-cd --project=*** --zone=asia-east1-b --ssh-key-file=/tmp/2e063883321c415fd5a9a28e/google_compute_engine --troubleshoot

Or, to investigate an IAP tunneling issue:

gcloud compute ssh stage-test-cd --project=*** --zone=asia-east1-b --ssh-key-file=/tmp/2e063883321c415fd5a9a28e/google_compute_engine --troubleshoot --tunnel-through-iap

ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

Additional information

No response

[YuriyL-Git]

The same issue

[YuriyL-Git]

Check if service account that You use have these permittions:
Compute Instance Admin (beta)
Compute Storage Admin
IAP-secured Tunnel User
Service Account User

Also this servise account should be added to VM that You are trying to access. This can be done in VM mashine configuration.

Also check if You properly set ssh for VM mashine.