Ansible: cloning a git repository that requires credentials

If a git repository requires credentials to clone, and you are still using a username/password (instead of an SSH key), it is still possible to have the repository cloned in your automation scripts without being prompted.

You just have to ensure that the username and password are properly URL encoded.  From the command line, the syntax is:

git clone https://<user>:<password>@<gitserver>/<path>/<repo>.git

Where any special characters in the password are URL encoded (e.g. an exclamation mark needs to be “%21”).  I describe this in my article here.  To use the same logic from your Ansible role/playbook, apply the ‘urlencode’ filter.

- git:
    repo: "https://{{git_user|urlencode()}}:{{git_pass|urlencode()}}@github.com/fabianlee/local-kvm-cloudimage.git"
    dest: "/tmp/local-kvm-cloudimage"
    update: yes

- name: remove visibility of credentials
  command:
    cmd: git remote set-url origin https://github.com/fabianlee/local-kvm-cloudimage.git
    chdir: "/tmp/local-kvm-cloudimage"

We set the remote URL the second time so that the username/password are not left embedded in the git database and visible from ‘git remote -v’.

‘git_user’ and ‘git_pass’ are Ansible variables that have been defined elsewhere (host vars, group vars, playbook, vars prompt, etc).

Here is a link to the full example playbook-git-withcreds.yml, which shows how these variables could be manually requested when the playbook is run (so they do not have to be stored in files).

---
- hosts: all
  gather_facts: no
  become: no
  vars_prompt:
    - name: git_user
      private: no
    - name: git_pass
      private: yes

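To silence the manual prompts, you can specify the variables using the ‘extra-vars’ flag. Values passed this way are visible in the shell history and process list of the machine running ansible-playbook.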

ansible-playbook playbook-git-withcreds.yml --extra-vars "git_user=myuser git_pass=Myp4ss!"
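A hardened variant of the clone and scrub tasks above, as an added example that is not part of the original playbook: it keeps the credentialed URL out of task output, scrubs the remote URL even if the git task fails, and then verifies what is stored. The variables ‘repo_host_path’ and ‘clone_dest’ and the registered names are assumptions; ‘git_user’ and ‘git_pass’ are supplied by vars_prompt or extra-vars as described above.

```yaml
---
# Added example, not the original playbook.
# Assumed names: repo_host_path, clone_dest, git_config, origin_url.
- hosts: all
  gather_facts: no
  become: no
  vars:
    repo_host_path: "github.com/fabianlee/local-kvm-cloudimage.git"
    clone_dest: "/tmp/local-kvm-cloudimage"
  tasks:
    - name: clone, then always scrub the stored URL
      block:
        - name: clone with URL-encoded credentials
          git:
            repo: "https://{{ git_user|urlencode() }}:{{ git_pass|urlencode() }}@{{ repo_host_path }}"
            dest: "{{ clone_dest }}"
            update: yes
          no_log: true  # the URL with the password is a module argument; keep it out of output and logs
      always:
        # Runs whether or not the git task succeeded
        - name: check whether a working copy exists
          stat:
            path: "{{ clone_dest }}/.git/config"
          register: git_config

        - name: remove visibility of credentials
          command:
            cmd: "git remote set-url origin https://{{ repo_host_path }}"
            chdir: "{{ clone_dest }}"
          when: git_config.stat.exists

        - name: read back the stored remote URL
          command:
            cmd: git config --get remote.origin.url
            chdir: "{{ clone_dest }}"
          register: origin_url
          changed_when: false
          when: git_config.stat.exists

        - name: fail if credentials are still stored
          assert:
            that:
              - "origin_url.stdout == ('https://' ~ repo_host_path)"
            fail_msg: "remote.origin.url still contains credentials"
          when: git_config.stat.exists
```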

 

REFERENCES

fabianlee.org, calling git when password contains special character

Graham Hay, ansible templates and urlencode

ansible, git module

NOTES

To use the git module with a proxy, specify the proxy in the task’s ‘environment’ keyword.

- name: checkout git repo with credentials
  git:
    repo: "https://{{git_username}}:{{git_password|urlencode()}}@github.com/ansible/ansible"
    dest: "/tmp/ansible"  # example path; the git module needs a destination to clone into
  environment:
    http_proxy: "http://mysquid:3128"
    https_proxy: "http://mysquid:3128"