```
# files/env
Defaults env_keep += "SSH_AUTH_SOCK"
```

```yaml
# tasks/main.yml
- name: ensure sudo keeps SSH_AUTH_SOCK in environment
  copy: src=env dest=/etc/sudoers.d/env mode=0440 owner=root group=root

- name: clone repo from github
  git: repo=ssh://git@github.com/example/example-repo.git dest=/tmp/example-repo
```

```
# ~/.ssh/config
Host my-remote-ansible-host
    ForwardAgent yes
```

Make sure your key is added to ssh-agent.
Adding this to the config makes it work for all hosts:

```
[ssh_connection]
ssh_args = -oForwardAgent=yes
```
@dimovnike thanks for that. Even with ForwardAgent yes in my local .ssh/config I could not get remote checkouts working via ansible, and this resolved that.
I just want to leave a note for anyone else like me stumbling around the internet trying to figure this out -- @dimovnike's solution works.
ansible ssh forwarding git clone
ansible become:no git clone
ansible git clone forwardagent ssh key forwarding
ansible clone private repository remote server
ansible 2.9.6
Just add:

```
# /etc/ansible/ansible.cfg file
[ssh_connection]
ssh_args = -o ForwardAgent=yes
```

And it works:

```yaml
# playbook.yml
- hosts: webservers
  tasks:
    - name: Git checkout application
      git:
        repo: git@github.com:user/examplereponame.git
        dest: /var/www/test.host
```
For anyone stopping by in the future, here's an alternative approach:

```
# ansible.cfg
[ssh_connection]
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

[sudo_become_plugin]
flags = -H -E -S -n
```

The ssh_args part forwards the agent to the server, and then the -E flag on sudo_become_plugin guarantees that sudo retains the environment. This is arguably a little less secure than @dimovnike's original solution (which carefully retains only the environment variable we care about), but it works without having to modify the sudoers config, so it's a trade-off!
Has anyone succeeded with ssh-agent forwarding and a local connection?
Note that you also have to set "accept_hostkey" for ansible.builtin.git (see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/git_module.html#parameter-accept_hostkey ) for the solution provided by @NorthV
I'm not sure at all why this seems to be necessary.
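A playbook that combines the gist's least-privilege approach (keeping only SSH_AUTH_SOCK through sudo, rather than the whole environment via -E) with the accept_hostkey note above, written here as an added example and not code from the gist or its commenters. It assumes a host group named webservers and a placeholder repository URL, and it syntax-checks the sudoers drop-in with visudo before the file goes live, since a malformed drop-in breaks sudo for every user on the host.

```yaml
# Added example (not from the gist). Assumptions: inventory group
# "webservers", placeholder repo URL, visudo at /usr/sbin/visudo.
# Run with ssh_args = -o ForwardAgent=yes in ansible.cfg (or
# ForwardAgent yes in ~/.ssh/config) and your key loaded in ssh-agent.
- hosts: webservers
  become: yes
  tasks:
    - name: ensure sudo keeps only SSH_AUTH_SOCK in the environment
      copy:
        # Same content as the gist's files/env, inlined so the play
        # has no separate files/ directory to ship.
        content: |
          Defaults env_keep += "SSH_AUTH_SOCK"
        dest: /etc/sudoers.d/env
        owner: root
        group: root
        mode: '0440'
        # %s is the temporary copy Ansible writes before replacing dest;
        # a non-zero exit from visudo aborts the task and leaves the
        # existing file untouched.
        validate: /usr/sbin/visudo -cf %s

    - name: clone repo from github using the forwarded agent
      git:
        repo: git@github.com:example/example-repo.git   # placeholder
        dest: /tmp/example-repo
        # root has no known_hosts entry for github.com on a fresh host,
        # so the clone would otherwise hang on the host key prompt.
        accept_hostkey: yes
```

Because the sudoers change from the first task only affects later sudo invocations, the clone task runs with SSH_AUTH_SOCK preserved even on the first play run.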
Thanks, adding a file to /etc/sudoers.d is a much more reassuringly idempotent way compared to editing /etc/sudoers.
Is there a way to do this without adding servers to ~/.ssh/config ?