On Feb 20, 2016 8:35 AM, "eric via Ansible Project" < [email protected]> wrote: > > I'm using Ansible to clone / update a Git repository that I'm accessing via HTTP, using username & password. Except that the "git" task really doesn't help me. > > I can't put those credentials in the URL, because they then end up stashed in the config of the git repository. That causes problems downstream, including disclosure of the password to anyone else who has access to the box, and if the password changes, failures in the Ansible script. > > One work-around I came up with was the following: > > # set up the Git credential cache... > - name: Set up credential cache > command: git config --global credential.helper cache > > # shove credentials into it... > - name: Fetch git repositories > shell: printf 'protocol=http\nhost=git.example.com\nusername={{ username }}\npassword={{ password }}\n' | git credential approve ; if [ -d reponame.git ]; then (cd reponame.git && git pull); else git clone http://{{ username }}@git.example.com/git/reponame reponame.git ; fi > > This works, but doesn't take care of various corner cases that the Ansible "git" task does take care of. Also potentially puts the password in the log file. Next approximation is to write the input to git credential approve to a file, using the "template" task, but that leaves behind a file I have to delete. So at that point, rather than using credential "cache", use the "store". > > > So I ended up with this: > > > - name: Install temp file with personal git credentials > template: src="git_creds.txt.j2" dest="{{ ansible_env.HOME }}/git_creds.txt" mode=0600 > > - name: Approve credentials for Git. > command: /bin/bash -c "git config --global credential.helper store; cat git_creds.txt | git credential approve" > > - name: Fetch Git repository > git: dest={{ ansible_env.HOME }}/reponame repo= http://git.example.com/git/reponame > > - name: remove stored creds > command: /bin/bash -c "cat git_creds.txt | git credential reject ; rm git_creds.txt" > > > This has a bad failure mode, though - if the script fails, then the credentials get left behind on the box. > > Is there any better way to do this?!?! > > Should I file a bug to have the "git" task take username and password, and perform the steps that I'm going through above, but then also able to do the cleanup if the Git command fails? Or should the "git" task be able to push the password on stdin?
This wouldn't be a bug but it might be a feature. I'm not sure if we'd want to do all the credential cache stuff inside of the git module or might like to split that out into a separate module. If the password can be given to git on stdin in your case, that does seem like a way to add it to the current git module. A pr for that would be welcome. -Toshio -- You received this message because you are subscribed to the Google Groups "Ansible Project" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAG9juErfbyGxtnD%3DGZuJhb19%3DNwPuiqcs464tuJ%2BSNoGkLMcqQ%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
