Example for Ansible git-module and ssh agent forwarding
# files/env:
Defaults env_keep += "SSH_AUTH_SOCK"

# tasks/main.yml
- name: ensure sudo keeps SSH_AUTH_SOCK in environment
  copy: src=env
        dest=/etc/sudoers.d/env
        mode=0440
        owner=root
        group=root

- name: clone repo from github
  git: repo=ssh://git@github.com/example/example-repo.git
       dest=/tmp/example-repo

# ~/.ssh/config
Host my-remote-ansible-host
    ForwardAgent yes

# Make sure your key is added to ssh-agent
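The gist's pieces assembled into one playbook, as an added example that is neither the gist's nor Ansible's own code. It assumes agent forwarding is enabled for the control node (the ssh_args ForwardAgent setting discussed in the comments, or the ~/.ssh/config entry above), and the repository URL, destination path and host key are placeholders. It also pins the git server's host key instead of relying on accept_hostkey, validates the sudoers drop-in with visudo so a typo cannot lock out sudo, and checks that the forwarded agent is reachable under sudo before the clone runs.

```yaml
# playbook.yml (added example; all values below are placeholders)
- hosts: webservers
  vars:
    repo_url: git@github.com:example/example-repo.git   # placeholder repo
    repo_dest: /srv/example-repo                        # placeholder path
    # Placeholder: paste the provider's published public host key here,
    # verified out of band, so the clone never has to trust on first use.
    git_host_key: "github.com ssh-ed25519 AAAA...PLACEHOLDER"
  tasks:
    - name: Let sudo keep SSH_AUTH_SOCK (visudo rejects a broken file)
      become: true
      ansible.builtin.copy:
        content: |
          Defaults env_keep += "SSH_AUTH_SOCK"
        dest: /etc/sudoers.d/ssh_auth_sock
        owner: root
        group: root
        mode: "0440"
        validate: /usr/sbin/visudo -cf %s

    - name: Pin the git server host key instead of accept_hostkey
      become: true
      ansible.builtin.known_hosts:
        path: /etc/ssh/ssh_known_hosts
        name: github.com
        key: "{{ git_host_key }}"
        state: present

    - name: Fail early if the forwarded agent is not reachable under sudo
      become: true
      ansible.builtin.command: ssh-add -l
      register: agent
      changed_when: false
      # ssh-add exits 2 when no agent socket is reachable, 1 when the
      # agent holds no keys; either way the clone below would fail.
      failed_when: agent.rc != 0

    - name: Clone with the forwarded key (no private key stored on the server)
      become: true
      ansible.builtin.git:
        repo: "{{ repo_url }}"
        dest: "{{ repo_dest }}"
        version: main
```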
@dimovnike
Is there a way to do this without adding servers to ~/.ssh/config ?

@dimovnike
Adding this to config makes it work for all hosts:

[ssh_connection]
ssh_args = -oForwardAgent=yes

@kevinlong206
@dimovnike thanks for that. Even with my local .ssh/config ForwardAgent yes, I could not get remote checkouts working via ansible, and this resolved that.

@robyurkowski
I just want to leave a note for anyone else like me stumbling around the internet trying to figure this out -- @dimovnike's solution works.

Some search terms to hopefully help others find this...
ansible ssh forwarding git clone
ansible become:no git clone
ansible git clone forwardagent ssh key forwarding
ansible clone private repository remote server

@NorthV
NorthV commented May 13, 2020

ansible 2.9.6

Just add:

# /etc/ansible/ansible.cfg file
[ssh_connection]
ssh_args = -o ForwardAgent=yes

And it works:

# playbook.yml
- hosts: webservers
  tasks:
    - name: Git checkout application
      git:
        repo: git@gitlab.com:user/examplereponame.git
        dest: /var/www/test.host

@julianandrews
For anyone stopping by in the future, here's an alternative approach:

# ansible.cfg
[ssh_connection]
ssh_args = -o ForwardAgent=yes -o ControlMaster=auto -o ControlPersist=60s

[sudo_become_plugin]
flags = -H -E -S -n

The ssh_args part forwards the agent to the server, and then the -E flag on sudo_become_plugin guarantees that sudo retains the environment. This is arguably a little less secure than @dimovnike's original solution (which carefully retains only the environment variable we care about), but it works without having to modify the sudoers config, so it's a trade-off!

@mkot02
mkot02 commented Jul 22, 2020

Has anyone succeeded with ssh-agent forwarding and local connection?

@saintcore
Note that you also have to set "accept_hostkey" for ansible.builtin.git (see https://docs.ansible.com/ansible/latest/collections/ansible/builtin/git_module.html#parameter-accept_hostkey ) for the solution provided by @NorthV

I'm not sure at all why this seems to be necessary

@dantagg
dantagg commented May 16, 2022

Thanks, adding a file to /etc/sudoers.d is a much more reassuringly idempotent way compared to editing /etc/sudoers.