"Ansible (although it may just be git itself, behind the scenes) appears to freeze the username/password combination into the repo's .git/config file"
Old thread, but it appears that this is a git feature, not an ansible thing.

https://github.com/blog/1270-easier-builds-and-deployments-using-git-over-https-and-oauth

See the notes at the bottom for pulling without storing auth-token on disk. Possibly a better way would be using hashicorp's vault project.

On Wednesday, September 17, 2014 at 11:55:04 AM UTC-5, JCM wrote:
>
> Hi all -
>
> I've hit a blocker when using the git module in combination with
> Github's token method:
>
> https://developer.github.com/guides/managing-deploy-keys/#https-cloning-with-oauth-tokens.
>
> This email also outlines an additional problem I've noticed. I'd be
> really grateful for any suggestions of what I'm doing wrong or if
> there really are problems.
>
> The place I'm trying to get to is this:
>
> * Call Github API to create new limited-scope token
> * Use Ansible to clone (*or* update, depending on the git module's
> idea of if it can update in place) using an HTTPS repo URI with this
> new token, passed in as an extra-var/envvar.
> * Revoke token via the API
>
> # Problem 1:
> The only way I can see to use a passworded HTTPS URI with the git
> module and github is as per
> https://help.github.com/articles/git-automation-with-oauth-tokens.
>
> i.e. "repo=https://<token>:x-oauth-basic@github.com/path/to/remote/repo.git".
>
> Unfortunately, Ansible (although it may just be git itself, behind the
> scenes) appears to freeze the username/password combination into the
> repo's .git/config file, as part of the URI.
>
> This means that, after the first deployment, the next
> git-update/-pull/-fetch operation fails due to the initial token now
> being revoked.
>
> # Problem 2:
> The git module must know that the URI contains a username and
> password, because it blanks out (*only*) the password in its logged
> output. However, using this with github method outlined above means
> that it blanks out the fixed string "x-oauth-basic" and not the token.
> Of course this is a result of Github's implementation choices, but
> they're a big enough target for use by the git module that I believe
> Ansible should deal with their choice.
>
> Hopefully someone can tell me where I'm going wrong. No, using SSH
> keys isn't an option!
>
> Many thanks,
> Jonathan
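
Added example (not part of the thread and not Ansible's or git's own code): a check for the two problems described above, covering token-bearing remote URLs persisted in .git/config and log redaction that masks only the password field. The sample config, the placeholder token and the function names rewrite_userinfo and scrub_config are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a .git/config as left behind by a clone that used a
# token-bearing HTTPS URL. Token, organisation and repository are placeholders.
SAMPLE_CONFIG = (
    '[core]\n'
    '\trepositoryformatversion = 0\n'
    '[remote "origin"]\n'
    '\turl = https://EXAMPLETOKEN0000:x-oauth-basic@github.com/example-org/example-repo.git\n'
    '\tfetch = +refs/heads/*:refs/remotes/origin/*\n'
    '[remote "mirror"]\n'
    '\turl = https://github.com/example-org/example-repo.git\n'
)

REMOTE_SECTION = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
ANY_SECTION = re.compile(r'^\s*\[')
URL_LINE = re.compile(r'^(\s*(?:push)?url\s*=\s*)(\S+)\s*$', re.IGNORECASE)

def rewrite_userinfo(url, mask=None):
    """Drop (mask=None) or mask the whole user:password part of an HTTP(S) URL.
    The whole userinfo is treated as secret because in the x-oauth-basic
    form the token sits in the username position, not the password.
    Returns (new_url, had_userinfo).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url, False
    hostport = parts.netloc.rpartition("@")[2]
    netloc = hostport if mask is None else mask + "@" + hostport
    return urlunsplit(parts._replace(netloc=netloc)), True

def scrub_config(text):
    """Return (scrubbed_text, remotes_that_held_credentials)."""
    remote, out, findings = None, [], []
    for line in text.splitlines(keepends=True):
        section = REMOTE_SECTION.match(line)
        if section:
            remote = section.group(1)
        elif ANY_SECTION.match(line):
            remote = None
        elif remote and URL_LINE.match(line):
            prefix, url = URL_LINE.match(line).groups()
            clean, had = rewrite_userinfo(url)
            if had:
                findings.append(remote)
                line = prefix + clean + "\n"
        out.append(line)
    return "".join(out), findings
```

On a live checkout the same cleanup can be applied with git remote set-url, passing the remote name and the credential-free URL.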
