Ansible git clone 'Permission Denied' but direct git clone working


I got a troubling issue with Ansible. I set up git cloning on my environment using the SSH key of my current host:

- name: Add user Public Key
  copy:
    src: "/Users/alexgrs/.ssh/id_rsa.pub"
    dest: "/home/vagrant/.ssh/id_rsa.pub"
    mode: 0644

- name: Add user Private Key
  copy:
    src: "/Users/alexgrs/.ssh/id_rsa"
    dest: "/home/vagrant/.ssh/id_rsa"
    mode: 0600

- name: Clone Repository
  git:
    repo: repo.git
    dest: /home/vagrant/workspace/
    update: true
    accept_hostkey: true
    key_file: "/home/vagrant/.ssh/id_rsa.pub"

If I vagrant ssh on Vagrant and execute git pull repo, it works. But when I do a vagrant provision I get the following error message:

stderr: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.

I'm pretty sure my public key is not used by vagrant provision but I'm not able to detect why.

Did you already see this kind of issue?

Thank you.

EDIT: It seems that ansible is not doing a git clone but is trying the following command:

/usr/bin/git ls-remote ssh://repo.git -h refs/heads/HEAD

I tried it in my vagrant box and I have the same permission denied issue.


There are 3 answers

1
bkan On

In the key_file option, you are using the public key when you should be using the private key.

Source: http://docs.ansible.com/git_module.html

1
udondan On

Copying private keys IMHO is never a good idea. A better option would be to enable ssh agent forwarding.

You can do this globally in your local .ssh/config:

ForwardAgent yes

Or in your ansible.cfg:

[ssh_connection]
ssh_args= -A

In any case though you need to make sure the host/vm accepts agent forwarding. In the remote /etc/ssh/sshd_config this has to be defined:

AllowAgentForwarding yes
0
AlessMascherpa On

Check out this GitHub issue.

It explains that repo.git ssh clone url should either be (URL syntax):

ssh://[email protected]/my_user/my_repo.git

or (SCP syntax):

[email protected]:my_user/my_repo.git

Check your key_file too.
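
As an added example (not part of any answer in this thread), a pre-flight check for the two values the answers point at, key_file and repo. The function names, the sample key files (headers only) and the host git.example.com are constructed for illustration.

```shell
# Added example: pre-flight checks for the git task's key_file and repo values.

# Classify a key file by its first line: private, public or unknown.
key_kind() {
    first=$(head -n 1 "$1" 2>/dev/null) || { echo unknown; return; }
    case "$first" in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-*\ *|ecdsa-sha2-*\ *|sk-*\ *) echo public ;;
        *) echo unknown ;;
    esac
}

# Group/other permission bits, e.g. "------" for mode 0600.
other_bits() { ls -ld "$1" | cut -c5-10; }

# Classify a repo value: url (ssh://host/path), scp (user@host:path) or not-ssh.
repo_form() {
    case "$1" in
        ssh://?*/?*) echo url ;;
        *://*) echo not-ssh ;;
        ?*@?*:?*) echo scp ;;
        *) echo not-ssh ;;
    esac
}

# Return 0 only when both values are usable for an SSH clone.
preflight() {
    rc=0
    kind=$(key_kind "$1")
    if [ "$kind" != private ]; then
        echo "key_file $1: $kind key file, ssh needs the private key" >&2; rc=1
    elif [ "$(other_bits "$1")" != "------" ]; then
        echo "key_file $1: group/other can access it, ssh will refuse it" >&2; rc=1
    fi
    [ "$(repo_form "$2")" != not-ssh ] || { echo "repo $2: not an ssh:// URL or scp syntax" >&2; rc=1; }
    return "$rc"
}

# Constructed sample files: key headers only, no key material.
make_samples() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' > "$1/id_rsa"
    printf '%s\n' 'ssh-rsa AAAAB3-constructed user@host' > "$1/id_rsa.pub"
    chmod 600 "$1/id_rsa"; chmod 644 "$1/id_rsa.pub"
}

d=$(mktemp -d) && make_samples "$d"
preflight "$d/id_rsa.pub" "repo.git" || echo "question's values: rejected"
preflight "$d/id_rsa" "git@git.example.com:my_user/my_repo.git" && echo "fixed values: ok"
rm -rf "$d"
```

Running the same check against the real paths on the provisioned box, as the user the git task runs as, shows which of the two values is at fault before the play reaches the clone.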