Example for Ansible git-module and ssh agent forwarding

gistfile1.sh

# files/env:
Defaults env_keep += "SSH_AUTH_SOCK"

# tasks/main.yml
- name: ensure sudo keeps SSH_AUTH_SOCK in environment
  copy: src=env
        dest=/etc/sudoers.d/env
        mode=0440
        owner=root
        group=root

- name: clone repo from github
  git: repo=ssh://[email protected]/example/example-repo.git
       dest=/tmp/example-repo

# ~/.ssh/config
Host my-remote-ansible-host
    ForwardAgent yes

# Make sure your key is added to ssh-agent

For anyone stopping by in the future here's an alternative approach

# ansible.cfg
[ssh_connection]
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

[sudo_become_plugin]
flags = -H -E -S -n

The ssh_args part forwards the agent to the server, and then the -E flag on sudo_become_plugin guarantees that sudo retains the environment. This is arguably a little less secure than @dimonvike's original solution (which carefully retains only the environment variable we care about), but it works without having to modify the sudoers config, so it's a trade-off!

Does anyone succeeded with ssh-agent forwarding and local connection?

Note that you also have to set "accept_hostkey" for ansible.builtin.git (see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/git_module.html#parameter-accept_hostkey ) for the solution provided by @NorthV

I'm not sure at all why this seems to be necessary

Thanks, the adding a file to /etc/sudoers.d is a much more reassuringly idempotic way compared to editing /etc/sudoers