Can't you just do?

repo=http://username:[email protected]/git/reponame <http://git.example.com/git/reponame>

On Thu, Feb 18, 2016 at 1:25 PM, eric via Ansible Project < [email protected]> wrote:

> I'm using Ansible to clone / update a Git repository that I'm accessing
> via HTTP, using username & password. Except that the "git" task really
> doesn't help me.
>
> I can't put those credentials in the URL, because they then end up stashed
> in the config of the git repository. That causes problems downstream,
> including disclosure of the password to anyone else who has access to the
> box, and if the password changes, failures in the Ansible script.
>
> One work-around I came up with was the following:
>
> # set up the Git credential cache...
> - name: Set up credential cache
>   command: git config --global credential.helper cache
>
> # shove credentials into it...
> - name: Fetch git repositories
>   shell: printf 'protocol=http\nhost=git.example.com\nusername={{ username }}\npassword={{ password }}\n' | git credential approve ; if [ -d reponame.git ]; then (cd reponame.git && git pull); else git clone http://{{ username }}@git.example.com/git/reponame reponame.git ; fi
>
> This works, but doesn't take care of various corner cases that the Ansible
> "git" task does take care of. Also potentially puts the password in the log
> file. Next approximation is to write the input to git credential approve to a
> file, using the "template" task, but that leaves behind a file I have to
> delete. So at that point, rather than using credential "cache", use the
> "store".
>
> So I ended up with this:
>
> - name: Install temp file with personal git credentials
>   template: src="git_creds.txt.j2" dest="{{ ansible_env.HOME }}/git_creds.txt" mode=0600
>
> - name: Approve credentials for Git.
>   command: /bin/bash -c "git config --global credential.helper store; cat git_creds.txt | git credential approve"
>
> - name: Fetch Git repository
>   git: dest={{ ansible_env.HOME }}/reponame repo=http://git.example.com/git/reponame
>
> - name: remove stored creds
>   command: /bin/bash -c "cat git_creds.txt | git credential reject ; rm git_creds.txt"
>
> This has a bad failure mode, though - if the script fails, then the
> credentials get left behind on the box.
>
> Is there any better way to do this?!?!
>
> Should I file a bug to have the "git" task take username and password, and
> perform the steps that I'm going through above, but then also able to do
> the cleanup if the Git command fails? Or should the "git" task be able to
> push the password on stdin?
>
> Thanks for any help!
>
> Eric.

--
Matt Martz
@sivel
sivel.net
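
One way to close the failure mode Eric describes, where a failed run leaves credentials on the box, is to wrap his tasks in an Ansible `block` with an `always` section so the cleanup runs even when the clone fails. This is an added example, not code from the thread; `creds_file` is a variable name introduced here, and the `git_creds.txt.j2` template is assumed to render the protocol/host/username/password lines that `git credential` reads.

```yaml
# Added example (not from the thread). Host, repo URL and file names follow
# Eric's post; creds_file is a variable introduced for this sketch.
- hosts: all
  vars:
    creds_file: "{{ ansible_env.HOME }}/git_creds.txt"
  tasks:
    - block:
        - name: Install temp file with personal git credentials
          template:
            src: git_creds.txt.j2
            dest: "{{ creds_file }}"
            mode: "0600"
          no_log: true  # suppress task output that could expose the rendered file

        - name: Approve credentials for Git
          shell: >
            git config --global credential.helper store &&
            git credential approve < "{{ creds_file }}"

        - name: Fetch Git repository
          git:
            dest: "{{ ansible_env.HOME }}/reponame"
            repo: http://git.example.com/git/reponame

      always:
        # These tasks run whether the block above succeeded or failed.
        - name: Remove stored credentials
          shell: >
            test -f "{{ creds_file }}" &&
            git credential reject < "{{ creds_file }}"
          ignore_errors: true  # the file is missing if the template task itself failed

        - name: Remove temp credentials file
          file:
            path: "{{ creds_file }}"
            state: absent
```

The `credential.helper store` setting itself stays in the global Git config after the run, as it does in Eric's version; only the stored entry and the temp file are removed.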
