Clone a private git repository with Ansible (using password prompt)
Wednesday - Dec 2nd 2015 - by - (4 comments)

I'm currently setting up an automated application installation with Ansible. However, parts of the installation require cloning/pulling code from a private git repository.

One possibility would be to use private key authentication; however, we all know that (as of this writing in December 2015) it is not possible to use the same public key on multiple git repositories in GitHub.

So I found a way to let Ansible clone the repository with my own user, yet without hard-coding the credentials, of course.

At the beginning of the playbook YAML, I ask for the credentials:

---
- name: ANSIBLE - Shop Installation
  hosts: '{{ target }}'

  vars_prompt:
    - name: "githubuser"
      prompt: "Enter your github username"
      private: no
    - name: "githubpassword"
      prompt: "Enter your github password"
      private: yes

[...]

Later on in the task where the git repository should be cloned, I reference the now existing variables githubuser and githubpassword:

  - name: Get updated files from git repository
    git: repo=https://{{ githubuser }}:{{ githubpassword }}@github.com/Napsty/privrepo.git dest=/tmp/github

When running the playbook, the prompts appear and then the repository is successfully cloned:

$ ansible-playbook playbooks/shop/repotest.yaml --extra-vars "target=server.example.com env=test"
Enter your github username: Napsty
Enter your github password:

PLAY [ANSIBLE - Shop Installation] ***********************************************
[...]
TASK: [Get updated files from git repository] *******************************
changed: [server.example.com]

Success can be verified on the server:

root@server.example.com:~# ls /tmp/github/
README.md  shop
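
The clone URL used above, credentials included, is what git writes to .git/config on the server as the origin remote. The following is an added example, not part of the original playbook: it hides the task's arguments with no_log, rewrites the remote to a credential-free URL after the clone, and fails the play if a credential is still stored. The variable names repo_host_path and repo_dest are assumptions introduced for this example.

```yaml
---
- name: ANSIBLE - Shop Installation
  hosts: '{{ target }}'

  vars_prompt:
    - name: "githubuser"
      prompt: "Enter your github username"
      private: no
    - name: "githubpassword"
      prompt: "Enter your github password"
      private: yes

  vars:
    # Assumed helper variables for this example (not in the original playbook)
    repo_host_path: "github.com/Napsty/privrepo.git"
    repo_dest: "/tmp/github"

  tasks:
    - name: Get updated files from git repository
      git:
        repo: "https://{{ githubuser }}:{{ githubpassword }}@{{ repo_host_path }}"
        dest: "{{ repo_dest }}"
      # Keep the credential-bearing URL out of Ansible's output and logs
      no_log: true

    - name: Replace the stored remote URL with one that carries no credentials
      command: git remote set-url origin https://{{ repo_host_path }}
      args:
        chdir: "{{ repo_dest }}"

    - name: Read back the remote URL that git stored
      command: git config --get remote.origin.url
      args:
        chdir: "{{ repo_dest }}"
      register: origin_url
      changed_when: false

    - name: Fail the play if a credential is still embedded in the remote
      assert:
        that:
          # A userinfo part (user:password@host) would contain an '@'
          - "'@' not in origin_url.stdout"
```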

 


Comments (newest first):

Nico Kadel-Garcia from US wrote on Jul 10th, 2018:
It's also possible to manipulate the ssh_opts setting to use a different deploy key for a specific git repository, and avoid the key conflicts.

ck from Switzerland wrote on Jan 16th, 2018:
That's a good point, marcolussetti. In my case I actually used Bitbucket as repository source and there are no files left which would show the password. I didn't try it with a Github repo (although in the example above I used the Github.com address for my repo).
If a file contains the git password, it could be immediately removed right after the Ansible git task, as you suggest.

marcolussetti wrote on Jan 15th, 2018:
This is cool, but it does save the user's password in the git remote. So one should probably consider either removing the git remote at the end of this or use SSH key forwarding instead.

Viktoria wrote on Jun 16th, 2016:
Thank you very much, your idea is really helpful!

