GCP bootstrapping failing with validation error 'public-key is invalid'
Created On 07/12/20 05:35 AM - Last Modified 07/21/20 02:46 AM
Symptom
- VM-Series bootstrap on GCP fails with a validation error, and the commit fails.
- The firewall is deployed using a Terraform script.
- The public-key reported in the error is not configured anywhere in bootstrap.xml.
- The validation error reads: 'public-key is invalid'
Commit Error:
Warnings: Details:Validation Error: mgt-config -> users -> admin -> public-key 'ZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJW...' is invalid. Invalid public key format mgt-config -> users -> admin -> public-key is invalid Commit failed
mp/ms.log
Error: pan_schema_verify_node_constraints(pan_schema_types.c:472): 'ZWNkc2Etc2hhMi1uaXN0cDI1NiBBQUFBRTJWalpIT...' Error: _pan_schema_verify_node(pan_schema_obj.c:6399): is invalid , node: public-key near line 12 Error: pan_cfg_verify_ex(pan_cfg_commit_handler.c:2324): invalid configuration. Schema verification failed.
Environment
- Platform: VM-Series on GCP
- PAN-OS / Plugin Version: Any
- Deployment: New using Terraform
Cause
The Terraform script used to deploy the VM-Series on GCP configures public-key authentication under the metadata key name sshKeys in the 'resource "google_compute_instance" "firewall"' block of main.tf:
    // Adding METADATA Key Value pairs to VM-Series
    metadata {
      // init-config.txt will perform interface swap of VM-Series on bootstrap
      vmseries-bootstrap-gce-storagebucket = "${var.fw-bootstrap-bucket}"
      serial-port-enable                   = true
      sshKeys                              = "${var.pan-public-key}"
    }
Resolution
- Change the main.tf Terraform script used to deploy the firewalls.
- Replace sshKeys with ssh-keys in the VM-Series metadata field under 'resource "google_compute_instance" "firewall"'.
- The block should look similar to the following:
    // Adding METADATA Key Value pairs to VM-Series
    metadata {
      // init-config.txt will perform interface swap of VM-Series on bootstrap
      vmseries-bootstrap-gce-storagebucket = "${var.fw-bootstrap-bucket}"
      serial-port-enable                   = true
      ssh-keys                             = "${var.pan-public-key}"
    }
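The following is an added example, not part of this article or of Palo Alto Networks' Terraform scripts. It checks a key value before it is handed to the ssh-keys metadata field and decodes what the firewall actually received. It assumes GCE's documented ssh-keys value format 'username:<OpenSSH public key line>' and, as the commit error on this page shows, that PAN-OS carries mgt-config/users/<name>/public-key as the base64 of the whole OpenSSH key line (the truncated value in the error decodes to the start of 'ecdsa-sha2-nistp256 AAAAE2V'). The sample ssh-ed25519 key it builds is constructed for the example and is not a usable credential; all function names are the example's own.

```python
import base64
import binascii
import struct

# OpenSSH public key line prefixes the validator accepts.
ALLOWED_TYPES = {
    "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _read_string(buf, offset):
    """Read one SSH wire-format string (uint32 length + bytes) from buf."""
    if len(buf) < offset + 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + n
    if len(buf) < end:
        raise ValueError("truncated key blob")
    return buf[start:end], end


def parse_openssh_pubkey(line):
    """Parse '<type> <base64 blob> [comment]' and verify that the key type
    embedded in the blob matches the type at the start of the line."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    if key_type not in ALLOWED_TYPES:
        raise ValueError("unsupported key type %r" % key_type)
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("key blob is not valid base64") from exc
    embedded, _ = _read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError("blob declares %r but line says %r" % (embedded, key_type))
    return {"type": key_type, "comment": " ".join(parts[2:]), "blob_len": len(blob)}


def parse_gce_ssh_keys_entry(entry):
    """GCE ssh-keys metadata entries are 'username:<OpenSSH public key line>'."""
    user, sep, key_line = entry.partition(":")
    if not sep or not user or any(c.isspace() for c in user):
        raise ValueError("ssh-keys entry must be 'username:<public key line>'")
    result = {"user": user}
    result.update(parse_openssh_pubkey(key_line))
    return result


def encode_panos_public_key(line):
    """Base64 of the whole key line, the form seen in the commit error."""
    return base64.b64encode(line.strip().encode("ascii")).decode("ascii")


def decode_panos_public_key(value):
    """Decode a PAN-OS public-key value back to a key line and validate it."""
    try:
        line = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise ValueError("value is not base64 of an ASCII key line") from exc
    return parse_openssh_pubkey(line)


def is_valid_openssh_pubkey(line):
    try:
        parse_openssh_pubkey(line)
        return True
    except ValueError:
        return False


def is_valid_gce_ssh_keys_entry(entry):
    try:
        parse_gce_ssh_keys_entry(entry)
        return True
    except ValueError:
        return False


def make_sample_ed25519_line(comment="constructed-example"):
    """Constructed, structurally valid ssh-ed25519 line built from a dummy
    32-byte value (RFC 8709 wire format). Not a usable key."""
    key_type = b"ssh-ed25519"
    dummy_point = bytes(range(32))
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", len(dummy_point)) + dummy_point)
    return "%s %s %s" % (key_type.decode(), base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    line = make_sample_ed25519_line()
    print(parse_gce_ssh_keys_entry("admin:" + line))
    print(decode_panos_public_key(encode_panos_public_key(line)))
    # A line whose declared type disagrees with its blob is rejected.
    print(is_valid_openssh_pubkey(line.replace("ssh-ed25519", "ssh-rsa", 1)))
```

Run it against the value you pass into var.pan-public-key before applying the Terraform plan; if the firewall still rejects the key, paste the base64 value from the commit error into decode_panos_public_key to see which check the received line fails.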