Reputation: 1529
Ansible and Git Permission denied (publickey) at Git Clone
I have a playbook where I am trying to clone from a private repo (GIT) to a server.
I have setup ssh forwarding and when I ssh into the server and try to manually clone from the same repo, it successfully works. However, when I use ansible for the to clone the repo to the server, it fails with "Permission Denied Public Key".
This is my playbook deploy.yml:
---
- hosts: webservers
remote_user: root
tasks:
- name: Setup Git repo
git: repo={{ git_repo }}
dest={{ app_dir }}
accept_hostkey=yes
This is how my ansible.cfg looks:
[ssh_args]
ssh_args = -o FowardAgent=yes
I am also able to perform all the other tasks in my playbooks (os operations, installations).
I have tried:
- Specifying sshAgentForwarding flag in
ansible.cfgon the server (ansible.cfg in same dir as playbook) using:ssh_args = -o ForwardingAgent=yes
- used
become: falseto execute the git clone running
ansible -i devops/hosts webservers -a "ssh -T [email protected]"returns:an_ip_address | UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh.", "unreachable": true }
This is the command that I use to run the playbook:
ansible-playbook devops/deploy.yml -i devops/hosts -vvvv
This is the error message I get:
fatal: [162.243.243.13]: FAILED! => {"changed": false, "cmd": "/usr/bin/git ls-remote '' -h refs/heads/HEAD", "failed": true, "invocation": {"module_args": {"accept_hostkey": true, "bare": false, "clone":
true, "depth": null, "dest": "/var/www/aWebsite", "executable": null, "force": false, "key_file": null, "recursive": true, "reference": null, "refspec": null, "remote": "origin", "repo": "[email protected]:aUser/aRepo.git", "ssh_opts": null, "track_submodules": false, "update": true, "verify_commit": false, "version": "HEAD"}, "module_name": "git"}, "msg": "Permission denied (publickey).\r\nfatal: Could not r$ad from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Permission denied (publickey).\r\nfatal: Could not read from remote r$pository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stdout": "", "stdout_lines": []}
Upvotes: 12
Views: 13901
Answers (4)
Reputation: 1529
By reading the documentation for ssh forwarding in ansible. I was able to figure out the solution.
The problem was that my ssh keys were not being forwarded because Ansible does not by default forward your keys, even if you have set up the key forwarding in ~/.ssh/conf (I updated my question with the ansible.cfg that I had before fixing the issue).
The solution was to add transport = ssh to ansible.cfg under [defaults] plus running ansible-playbook from the location where ansible.cfg is located and make sure that the following setting exists in the /etc/ssh/sshd_config of the target box:
AllowAgentForwarding yes
My ansible.cfg now looks like this:
[defaults]
transport = ssh
[ssh_connection]
ssh_args = -o ForwardAgent=yes
Upvotes: 13
Reputation: 21
For public repository : (you can use https)
- name: Git checkout ghq from github
git:
repo: https://github.com/x-motemen/ghq.git
dest: /tmp/ghqt
depth: "1"
For private, you can copy your private ssh key before and attach like this
- name: Git checkout dotfiles repo
git:
repo: "https://github.com/x-motemen/ghq.git"
dest: /tmp/ghqt
version: "develop"
accept_hostkey: yes
key_file: "{{ ssh_key_private_remote_path }}{{ ssh_key_private_filename }}"
More details : https://www.jeffgeerling.com/blog/2018/cloning-private-github-repositories-ansible-on-remote-server-through-ssh
Upvotes: 2
Reputation: 1353
On a localhost-only -scenario ForwardAgent is completely useless, as it would forward the agent only to a remote host.
Even if git works from command-line when run manually, it doesn't work from Ansible no matter what. The only working solution I found was to convert git into command, like:
- command: /usr/bin/git clone git@github
Upvotes: 1
Reputation: 23791
To clone the private github repo over the remote server, I am doing this:
First add the ssh key to your ssh-agent:
eval `ssh-agent -s`
ssh-add ~/.ssh/my-private-key.pem
After that I have modified the ansible.cfg:
[defaults]
transport = ssh
sudo_flags = -HE
[ssh_connection]
ssh_args = -o ForwardAgent=yes
Now you can clone the github private repo even as root user
Normally, I also add these two tasks in my playbook/roles tasks as well:
- name: Tell the host about our servers it might want to ssh to
known_hosts:
path: '/etc/ssh/known_hosts'
name: 'github.com'
key: "{{ lookup('pipe', 'ssh-keyscan -t rsa bitbucket.org') }}"
- name: Upload sudo config for key forwarding as root
lineinfile:
dest: /etc/sudoers.d/ssh_key_forward
line: 'Defaults env_keep+=SSH_AUTH_SOCK'
create: yes
owner: root
group: root
mode: "0440"
state: present
validate: 'visudo -c -f %s'
Strange, it work for me. If the ssh option didn't work for you then you can use the username/password option like this:
- name: Pull the code
git:
repo: "https://{{ bitbucket_login }}:{{ bitbucket_password|urlencode }}@bitbucket.org/path/project.git"
dest: /var/www/myproject
version: master
Hope that might helpful for you and others
Upvotes: 5
Related Questions
- Unable to perform "git clone" on local system using Ansible
- ansible git clone without rights on the remote
- Ansible git clone github permission denied (publickey)
- Ansible: Permission denied (publickey, password)
- Ansible git clone 'Permission Denied' but direct git clone working
- Ansible Playbook: Permission denied (publickey), could not read from remote repository
- Ansible with Github: Permission denied (Publickey)
- Repo will not clone, "Permission Denied", using git module
- Ansible: "Permission denied (publickey)" when using git module
- ansible git clone Permission denied issue