Reputation: 3560
The following Ansible playbook verifies that a user can access GitHub:

    - name: Generate SSH keypair
      become: true
      user:
        name: '{{ system_user }}'
        generate_ssh_key: yes
    - name: Register public key of user {{ system_user }}
      become: true
      slurp:
        src: '/home/{{ system_user }}/.ssh/id_rsa.pub'
      register: pubkey
    - name: Verify the user {{ system_user }} can access GitHub
      become: true
      become_user: '{{ system_user }}'
      shell:
        cmd: 'ssh git@github.com 3>&2 2>&1 1>&3- | grep -q "successfully authenticated"'
        executable: /bin/bash

Currently, this play fails with the following error message:

    TASK [Gathering Facts] *******************************************************************************
    ok: [example.com]

    TASK [Generate SSH keypair] **************************************************************************
    ok: [example.com]

    TASK [Register public key of user myuser] ************************************************************
    ok: [example.com]

    TASK [Verify the user myuser can access GitHub] ******************************************************
    fatal: [example.com]: FAILED! => {"changed": true, "cmd": "ssh git@github.com 3>&2 2>&1 1>&3- | grep -q \"successfully authenticated\"", "delta": "0:00:00.682593", "end": "2020-09-24 13:21:52.252473", "msg": "non-zero return code", "rc": 1, "start": "2020-09-24 13:21:51.569880", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}

    PLAY RECAP *******************************************************************************************
    example.com : ok=3 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

When this task fails, I would like to instruct the user to manually add the public key to their GitHub account. Therefore, I would like to customize the above error message to include the necessary instructions and the value of pubkey.content.
How can I do that? Something like the following would be great:

    - name: Verify the user {{ system_user }} can access GitHub
      become: true
      become_user: '{{ system_user }}'
      shell:
        cmd: 'ssh git@github.com 3>&2 2>&1 1>&3- | grep -q "successfully authenticated"'
        executable: /bin/bash
      custom_error_message: >
        Oops, it seems that {{ system_user }} cannot access GitHub!
        Please add the following key to your GitHub account:
        {{ pubkey.content | b64decode }}

Also, it would be nice if the task wouldn't simply check whether the user can log in, but also whether it has at least read access on a particular repository.
Upvotes: 1
Views: 5070
Reputation: 3560
With many thanks to commenter @Zeitounator, I came up with the following solution:

    - name: generate SSH keypair
      become: true
      user:
        name: '{{ system_user }}'
        generate_ssh_key: yes
    - block:
        - name: verify the user {{ system_user }} can access the repository
          become: true
          become_user: '{{ system_user }}'
          shell:
            cmd: 'ssh git@github.com 3>&2 2>&1 1>&3- | grep -q "successfully authenticated"'
            executable: /bin/bash
      rescue:
        - name: register public key of user {{ system_user }}
          become: true
          slurp:
            src: '/home/{{ system_user }}/.ssh/id_rsa.pub'
          register: pubkey
        - fail:
            msg: >
              Oops, it seems that {{ system_user }} cannot access GitHub!
              Please add the following key to your GitHub account:
              {{ pubkey.content | b64decode }}

Upvotes: 2
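
The question also asks for a check of read access on a particular repository, which the login test above does not cover. The following is an added example, not part of either post: it keeps the same block/rescue structure but runs `git ls-remote` against the repository. The variable `github_repo`, the register name `repo_check` and the placeholder repository are assumptions, and `git` is assumed to be installed on the target host.

```yaml
# Added example, not from the original posts.
# Assumed variables: system_user (as on the page) and github_repo, e.g.
#   github_repo: 'git@github.com:EXAMPLE_ORG/EXAMPLE_REPO.git'   # placeholder
- name: generate SSH keypair
  become: true
  user:
    name: '{{ system_user }}'
    generate_ssh_key: yes

- block:
    - name: verify {{ system_user }} has read access to {{ github_repo }}
      become: true
      become_user: '{{ system_user }}'
      command:
        argv:
          - git
          - ls-remote
          - '{{ github_repo }}'
          - HEAD
      environment:
        # BatchMode makes ssh fail at once instead of waiting on a passphrase
        # or host-key prompt, so github.com must already be in known_hosts.
        GIT_SSH_COMMAND: ssh -o BatchMode=yes
      register: repo_check
      # A read-only check never changes the host.
      changed_when: false
  rescue:
    - name: read public key of user {{ system_user }}
      become: true
      slurp:
        src: '/home/{{ system_user }}/.ssh/id_rsa.pub'
      register: pubkey

    - fail:
        # Literal block (|) keeps line breaks, so the key stays on its own line.
        msg: |
          {{ system_user }} cannot read {{ github_repo }}.
          git reported: {{ repo_check.stderr | default('no output', true) }}
          If the key below is not yet on the GitHub account, add it:
          {{ pubkey.content | b64decode }}
```

Because the failure message includes git's own stderr, a rejected key, a missing repository permission and a failed host-key verification can be told apart instead of all collapsing into a non-zero return code.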