Issue
I'm trying to download and install the Google Cloud SDK apt repository's signing key as a set of Ansible tasks. (i.e., Converting the manual process outlined here into Ansible).
This is what I've come up with:
    - name: Install the Google Cloud SDK package repository signing key
      ansible.builtin.apt_key:
        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
        keyring: /usr/share/keyrings/cloud.google.gpg
    - name: Add Google Cloud SDK package repository source
      ansible.builtin.apt_repository:
        filename: google-cloud-sdk.list
        repo: "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
        update_cache: yes
However, my first task fails, with a big GnuPG error. Here's the Ansible failure JSON:
    {
      "changed": false,
      "msg": "Unable to extract key from '-'",
      "stderr": "gpg: WARNING: no command supplied. Trying to guess what you mean ...\ngpg: [don't know]: invalid packet (ctb=0a)\n",
      "stderr_lines": [
        "gpg: WARNING: no command supplied. Trying to guess what you mean ...",
        "gpg: [don't know]: invalid packet (ctb=0a)"
      ],
      "stdout": "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:\nuid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):\nsub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::\npub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:\nuid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <[email protected]>:\nsub:-:2048:1:48419E688DD52AC0:1607040606::::\n",
      "stdout_lines": [
        "pub:-:2048:1:FEEA9169307EA071:1614614617:1677728521::-:",
        "uid:::::::::Rapture Automatic Signing Key (cloud-rapture-signing-key-2021-03-01-08_01_09.pub):",
        "sub:-:2048:1:AA42F36EE8BEEE0E:1614614617::::",
        "pub:-:2048:1:8B57C5C2836F4BEB:1607040606:1670154510::-:",
        "uid:::::::::gLinux Rapture Automatic Signing Key (//depot/google3/production/borg/cloud-rapture/keys/cloud-rapture-pubkeys/cloud-rapture-signing-key-2020-12-03-16_08_05.pub) <[email protected]>:",
        "sub:-:2048:1:48419E688DD52AC0:1607040606::::"
      ]
    }
If I download the file from Google (with get_url) and add the key that way -- which doesn't seem necessary, from my understanding of the documentation -- it progresses, but then the second task fails (because the key's not found).
I assume I'm using apt_key and apt_repository incorrectly, but I don't know how. Can it be done this way, or would it be easier to just shell out?
Solution
Apparently apt-key is deprecated. I got it to work with:
    - name: Download the Google Cloud SDK package repository signing key
      ansible.builtin.get_url:
        url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
        dest: /etc/apt/trusted.gpg.d/gcloud.gpg
    - name: Add Google Cloud SDK package repository source
      ansible.builtin.apt_repository:
        filename: google-cloud-sdk.list
        repo: "deb [signed-by=/etc/apt/trusted.gpg.d/gcloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
        update_cache: yes
Answered By - Xophmeister
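
A variant of the tasks above, given as an added example that is not part of the original answer: apt trusts every key under /etc/apt/trusted.gpg.d for all configured repositories, so these tasks keep the key in a separate keyring that only the signed-by option references, and pin the downloaded file to a known digest. The /etc/apt/keyrings path and the gcloud_key_sha256 variable are assumptions; the variable must be set to a digest you have verified out of band, and the download task fails if it is undefined or does not match.

```yaml
# Added example (not the poster's tasks). Assumptions: the /etc/apt/keyrings
# path and the gcloud_key_sha256 variable, a placeholder to be replaced with a
# digest of the key file that was checked out of band.
- name: Drop the earlier source line that pointed at the global trust directory
  ansible.builtin.apt_repository:
    filename: google-cloud-sdk.list
    repo: "deb [signed-by=/etc/apt/trusted.gpg.d/gcloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
    state: absent
    update_cache: no

- name: Ensure the per-repository keyring directory exists
  ansible.builtin.file:
    path: /etc/apt/keyrings
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Download the signing key, failing if its digest is not the pinned one
  ansible.builtin.get_url:
    url: https://packages.cloud.google.com/apt/doc/apt-key.gpg
    dest: /etc/apt/keyrings/cloud.google.gpg
    checksum: "sha256:{{ gcloud_key_sha256 }}"
    owner: root
    group: root
    mode: "0644"

- name: Remove the copy that every configured repository would trust
  ansible.builtin.file:
    path: /etc/apt/trusted.gpg.d/gcloud.gpg
    state: absent

- name: Add the repository, verified only against the scoped keyring
  ansible.builtin.apt_repository:
    filename: google-cloud-sdk.list
    repo: "deb [signed-by=/etc/apt/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main"
    update_cache: yes
```

When the publisher rotates the key the pinned digest stops matching and the play fails at the download task, which makes the trust change an explicit, reviewed update of gcloud_key_sha256.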