How do I use remote machine's SSH keys in ansible git module

git ssh ansible ssh-keys ansible-playbook

30,309

Solution 1

This is how I deploy from Github using a key file set on the remote server. If the keyfile parameter for git doesn't work then something is wrong with your playbook:

- name: Creates .ssh directory for root
  sudo: yes
  file: path=/root/.ssh state=directory

# This public key is set on Github repo Settings under "Deploy keys"
- name: Upload the private key used for Github cloning
  sudo: yes
  copy: src=keys/github dest=/root/.ssh/github

- name: Correct SSH deploy key permissions
  sudo: yes
  file: dest=/root/.ssh/github mode=0600

- name: Deploy site files from Github repository
  sudo: yes
  git:
    repo: [email protected]:miohtama/foobar.git
    dest: /srv/django/foobar
    key_file: /root/.ssh/github
    accept_hostkey: yes
    force: yes

Solution 2

If I understand this correctly, you do - or want to - deploy your private key to the remote machine so you can clone the repo. I believe instead you should use key forwarding. In your .ssh/config set this:

ForwardAgent yes

Or if you want to limit this to Ansible you can define it in your ansible.cfg:

[ssh_connection]
ssh_args= -A

Solution 3

A note in case useful: for anyone using github (and I assume also applies to gitlab, etc.) - ensure that you provide the URL, correctly, in SSH form. If the key file is provided but you give ansible the HTTPS URL, it'll just quietly ignore the key and (potentially) hang waiting for input with a username and password.

30,309

jschank

Updated on July 09, 2021

Comments

jschank almost 3 years
I've been trying to get Ansible to provision a remote machine, and I want the remote machine to be set up with its own keys, and have the ability to clone git repositories from Bitbucket.

The user is set up, has its own id_rsa.pub, and the key has been registered with bitbucket.

But, when I use the Ansible Git module, it looks like the module always tries to use the keys from the machine running the playbook.

How do I get the git module to use the id_rsa.pub from the remote machine?

The relevant task is this:
```
- name: be sure prom-king has an up-to-date clone of its own repository
  git:
    repo: "ssh://[email protected]/prom-king.git"
    dest: /home/promking/prom-king
    accept_hostkey: yes
    clone: yes
    key_file: /home/promking/.ssh/id_rsa.pub
    update: yes
```
The relevant inventory is this
```
# inventory file for use with the vagrant box in the testing directory.
[prom-king]
192.168.168.192 ansible_ssh_host=127.0.0.1 ansible_sudo=true ansible_connection=ssh  ansible_ssh_port=2222 ansible_ssh_user=vagrant ansible_ssh_private_key_file=testing/.vagrant/machines/default/virtualbox/private_key
```
- jschank about 9 years
  
  Forgot to mention...I can get the clone to work with https (but that requires the password in the url, which I want to avoid) and when that clone is retrieved, the files are all owned by root on the remote machine - which is also not desired.
- Zasz about 9 years
  
  Paste in the playbook you are using. It could just be that git when its running on remote machine, is prompting for add bitbucket to known_hosts (yes/no) prompt which it always does when its running for the first time on a new machine
- Zasz about 9 years
  
  How do you know that git uses key from your playbook machine? All ansible modules run on remote machine unless you explicitly run on 127.0.0.1 or mark it as local_action or use delegation.
- jschank about 9 years
  
  @Zasz. I've added relevent code to the question. I know the keys are wrong because I get a key error when the task runs, and these vagrant keys are not on the bitbucket account. Also, when I ssh into the VM, and run the git command, it works fine. I should note that even though this is a vagrant vm, it is not provisioned with ansible. I use the VM to test the playbook before I use it on real servers. The VM uses private networking, so I access it just like any other machine (except by IP) Finally, when I use https, which works. The repo is owned by root.
- C G-K about 8 years
  
  Pretty sure you should be specifying the private key and not the public key in key_file.
- Code-Apprentice almost 3 years
  
  "Forgot to mention..." Feel free to edit you question at any time if you need to add details or clarification.
Suvitruf - Andrei Apanasik over 8 years

It hangs if key has passphrase.
halfer almost 8 years

An approach using sudo now displays [DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default).
halfer almost 8 years

I've found that swapping sudo: yes above with become_user: root works fine for me, and removes the deprecation notice. I've already set up become and become_method at the start of the playbook.
luvejo about 6 years

Thanks! Just in case, I get ride of some nasty warning messages by using ssh_args=-o ForwardAgent=yes instead.
racl101 almost 6 years

Muchas gracias. The accept_hostkey portion wasn't obvious from the error message I kept receiving.
Arrow_Raider over 3 years

Neither of -o ForwardAgent=yes works or -A. -A makes warnings appear