How do I pass username and password while using Ansible Git module?

Question

While doing clone, push or pull of a private git repository hosted internally (e.g. on a GitLab instance) with Ansible\'s Git module, how do I specify username and password

Answer 1

Improving on Arbab Nazar's answer, you can avoid exposing your password in the terminal by prompting for the credentials.

playbook.yml

--- 
- name: ANSIBLE - Shop Installation 
  hosts: '{{ target }}' 

  vars_prompt: 
    - name: "githubuser" 
      prompt: "Enter your github username" 
      private: no 
    - name: "githubpassword" 
      prompt: "Enter your github password" 
      private: yes 

  [...] 

And in the task reference the variables.

task.yml

- name: Get updated files from git repository 
  git:
    repo=https://{{ githubuser | urlencode }}:{{ githubpassword | urlencode }}@github.com/privrepo.git
    dest=/tmp

This will save the password as clear text in .git/config as url of remote "origin". The following task can be used to remove it.

- name: Ensure remote URL does not contain credentials
  git_config:
    name: remote.origin.url
    value: https://github.com/privrepo.git
    scope: local
    repo: /tmp

---

Taken from: Clone a private git repository with Ansible (using password prompt)

Answer 2

All of the answers here made it a bit too easy to leak the username/password into a log or error message, which seemed undesirable even if in my case it's a read-only deployment token.

Here's an alternative:

    - name: Configure Git credential storage
      command: "git config --global credential.helper store"
    - name: Populate the Git credential store
      template:
        src: files/git_credentials.j2
        dest: /home/appuser/.git-credentials
        owner: appuser
        group: appuser
        mode: u=rw,g=,o=
      no_log: true

The template looks like this:

https://{{ gitlab_username|urlencode }}:{{ gitlab_password|urlencode }}@gitlab.example.org

Answer 3

You can use something like this:

---
- hosts: all 
  gather_facts: no
  become: yes
  tasks:
    - name: install git package
      apt:
        name: git

    - name: Get updated files from git repository 
      git: 
        repo: "https://{{ githubuser | urlencode }}:{{ githubpassword | urlencode }}@github.com/privrepo.git"
        dest: /tmp

Note: {{ githubpassword | urlencode }} is used here, if your password also contains special characters @,#,$ etc

Then execute the following playbook:

ansible-playbook -i hosts github.yml -e "githubuser=arbabname" -e "githubpassword=xxxxxxx"

Note: Make sure you put the credentials in ansible vaults or pass it secure way

Answer 4

While Arbab's and F. Santiago's answers are correct, there is an important caveat: With https://{{ githubuser | urlencode }}:{{ githubpassword | urlencode }}@github.com/privrepo.git as the checkout URL, Git will store your password in plaintext inside the .git/ folder. This has been mentioned in a comment, but I think it deserves more attention. You might want to do away the Git module and use raw Git, e.g.:

vars_prompt: 
  - name: "githubuser" 
    prompt: "Enter your github username" 
    private: no 
  - name: "githubpassword" 
    prompt: "Enter your github password" 
    private: yes
tasks:
  - name: Git clone
    expect:
      command: git clone https://github.com/privrepo.git /tmp
      responses:
        Username: "{{ githubuser }}" # Username is a regex
        Password: "{{ githubpassword }}" # Password is a regex
    no_log: true