
Ansible task - clone private git without SSH forwarding

I am trying to create an Ansible playbook which would be run from our dev team computers and from CI/CD servers.

One of the tasks in the playbook is to get the source code of our project from a private git repository. Because the playbook has to run from CI/CD servers, we cannot use SSH forwarding.

What I came up with is to copy the necessary SSH private key to the remote host machine and then, using the key, clone the code from the private git repository.

However, when trying this, the cloning task hangs. When trying to launch the command manually, it asks for a passphrase for the SSH private key. The SSH key uses no passphrase (blank).

Could anyone share their solution to this (probably very common) problem?

In case anyone needs it, this is my current playbook:

- name: Create SSH directory
  file: path=/root/.ssh state=directory

- name: Copy SSH key for Git access
  copy:
    content: "{{ git_ssh_key }}"
    dest: /root/.ssh/id_rsa
    owner: root
    group: root
    mode: 0600

# Also tried this, but it also hangs
#- name: Start SSH agent and add SSH key
#  shell: eval `ssh-agent -s` && ssh-add

- name: Get new source from GIT
  git: 
    key_file: /root/.ssh/id_rsa
    repo: "[email protected]:user/repo.git"
    dest: "{{ staging_dir }}"
    depth: 1
    accept_hostkey: yes
    clone: yes

I am using ansible 2.3.1.0, python version = 2.7.12

Laurynas Mališauskas asked Jul 07 '17 12:07


1 Answer

Here are steps to make it work (tested with Ansible 2.3.1 and Python 2.7.10 on MacOS, Ubuntu LTS):

  1. Generate a new SSH key pair without a passphrase: ssh-keygen -f my_ssh_key -N ''

  2. Add my_ssh_key.pub to your repository server user profile:

    • GitLab - https://gitlab.com/profile/keys
    • GitHub - https://github.com/settings/keys

  3. Test with the following playbook:

---
- hosts: localhost
  gather_facts: no
  vars:
    git_ssh_public_key: "Your public ssh key"
    git_ssh_key: |
              -----BEGIN RSA PRIVATE KEY-----
              .... actual key here ....
              -----END RSA PRIVATE KEY-----
  tasks:
  - name: Copy SSH public key file
    copy: 
      content: "{{ git_ssh_public_key }}"
      dest: /root/.ssh/id_rsa.pub
      mode: 0644

  - name: Copy SSH private key file
    copy: 
      content: "{{ git_ssh_key }}"
      #src: id_rsa
      dest: /root/.ssh/id_rsa
      mode: 0600

  - name: Get new source from GIT
    git: 
      repo: "[email protected]:user/repo.git"
      dest: "/var/www/"
      depth: 1
      accept_hostkey: yes
      clone: yes

IMPORTANT SECURITY NOTICES

If you want to use this example in the real world, please do not save your private key in plaintext - use Ansible Vault.

You should also NOT use root as your Ansible user. It would be more secure to create a new user without sudo permissions.

Konstantin Suvorov answered Oct 16 '22 02:10
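
The two security notices in the answer above, applied to its playbook, as an added example that is not part of the original answer. The `deploy` user, the `app_servers` group, the `vault/git.yml` file, the paths and the `git.example.com` repository URL are assumed placeholders; the example also goes one step further than the answer by removing the key from the host once the clone has finished.

```yaml
---
# Added example, not the answer's own playbook. All names below are placeholders.
# Encrypt the key first:   ansible-vault create vault/git.yml
#   (the file defines git_ssh_key as a block scalar holding the private key)
# Run with:                ansible-playbook deploy.yml --ask-vault-pass
- hosts: app_servers
  gather_facts: no
  remote_user: deploy              # unprivileged account without sudo, assumed to exist
  vars_files:
    - vault/git.yml                # git_ssh_key is encrypted at rest in the repo
  vars:
    key_path: /home/deploy/.ssh/deploy_key
  tasks:
    - name: Create SSH directory
      file:
        path: /home/deploy/.ssh
        state: directory
        mode: "0700"

    - block:
        - name: Install the deploy key
          copy:
            content: "{{ git_ssh_key }}"
            dest: "{{ key_path }}"
            mode: "0600"
          no_log: true             # keep key material out of task output and logs

        - name: Get new source from Git
          git:
            repo: "git@git.example.com:user/repo.git"   # placeholder URL
            dest: /home/deploy/staging
            depth: 1
            key_file: "{{ key_path }}"
            # Trusts the server host key on first contact; pin it beforehand
            # with the known_hosts module if the key is known.
            accept_hostkey: yes
      always:
        # Runs even when the clone fails, so the key never stays on the host.
        - name: Remove the deploy key
          file:
            path: "{{ key_path }}"
            state: absent
```

Registering the public half as a read-only deploy key on the repository, rather than on a user profile, limits what a leaked key can reach to that one repository.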