Skip to content

Pipelines failing with "unable to fetch encrypted password from windows credentials agent"

Steps to reproduce

  • Create a VM from windows server 2022
  • Install docker, git and gitlab-runner
  • Enable SSH, as explained in https://cloud.google.com/compute/docs/connect/windows-ssh#create_vm
  • Enable WinRM via the windows-startup-script-ps1
  • Create an image based on that VM
  • Create an instance group and use that image as the template
  • Ensure TCP ports 22, 5985 and 5986 are allowed in the firewall
  • Add the fleeting config to a Linux based runner manager: 
    [[runners]]
name = "demo-windows-docker-runner"
url = {REDACTED}
id = 1545
token = {REDACTED}
shell = "powershell"
environment = ["FF_USE_POWERSHELL_PATH_RESOLVER=1"]
executor = "docker-autoscaler"

[runners.docker]
  image = "mcr.microsoft.com/windows-cssc/python:3.11-server-ltsc2022"

[runners.autoscaler]
  plugin = "googlecloud:0.2.0"
  capacity_per_instance = 1
  max_use_count = 1
  max_instances = 5

  [runners.autoscaler.plugin_config]
    name = {REDACTED}
    project = {REDACTED}
    zone = "us-west1-b"

  [runners.autoscaler.connector_config]
    os = "windows"
    timeout = "45m0s"
    username = "gitlabci"
    password = {PASSWORD}
    use_static_credentials = true

That user and password were added to the windows-startup-script-ps1 with net user gitlab-ci {PASSWORD} /add.

Expected result

A new Windows runner should appear when a Gitlab CI is executed and it should run the requested job.

Actual result

When executing a Windows Gitlab CI pipeline, in GCP a new Windows runner is correctly created. However in the logs I get:

ERROR: connection preparation failed err=rpc error: code = Unknown desc = unable to fetch encrypted password from windows credentials agent

And then GCP destroys the runner and retries with another one, which will still end up with the same result.

Unsuccessful workarounds

  • I tried to copy the credentials file to the runner manager and use the credentials_file = /path/to/credentials.json
  • I tried to use the instance executor and instance + protocol = "ssh"
  • I tried to remove the username, password and the use_static_credentials = true

I'm basically stuck there, so any pointer on how to potentially solve this would be greatly appreciated.

/cc @ajwalker (it seems you are the one that wrote the connector_winrm.go part)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information