I’m currently working with AWX 6.0.*. I have a Git repo which is private (AWS CodeCommit) and it has SSH authentication configured. AWX is currently able to get the contents of this Git repo with my own credentials (user + private SSH key). However, I’m trying to use a roles/requirements.yml file inside my project to automatically download my roles from another Git repo (also hosted on CodeCommit).
I’ve noticed that ansible-galaxy is failing to properly get the roles because it isn’t getting authenticated as expected:
[WARNING]: - myname.os-users was NOT installed successfully: - command /usr/bin/git clone ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/ansible-role-os-users myname.os-users failed in directory /home/awx/.ansible/tmp/ansible-local-570Gd10L3/tmpsQ58kU (rc=128)
How can I instruct AWX to use one of my credentials when running ansible-galaxy (git clone)? I definitely cannot maintain a public Git repo for my roles, so there must be a way to run ansible-galaxy with proper authentication methods.
Am I missing anything here? I hope someone can give me some advice.
Although I have a pull request open which allows providing the Ansible config parameters for authentication to a Galaxy server, I believe this would not address your use case.
What do the contents of your requirements.yml file look like? Does the entry for your requirement use the “source:” option to specify the server as the “ssh://” address? Have you downloaded requirements from that repo locally, and if you did, what did your commands look like?
I would be interested to try to replicate your scenario. It might be really simple or really complicated to make it work. I’m not sure yet.
Here are the contents of my requirements.yml file:
When I run the ansible-galaxy command inside the awx_task container, I can’t get my role because of lacking authentication methods (my private key is not present there), which is expected. But if I save my private key in ~/.ssh appropriately, I am able to get my role. Obviously, I cannot save my private key inside my awx_task container, so I would expect that AWX reuses the same SCM credentials for synchronizing roles on every project refresh.
I wonder if you maybe had time to replicate this scenario. I don’t know how to make AWX automatically download my role requirements from my private Git repo which uses SSH authentication.
If anyone has ever had a similar scenario, please let me know how you deal with it.
To have AWX pull from a private git repo, have src point to the git repo in the roles/requirements.yml file. Then provide the job with an scm credential that has an ssh private key (no password).
Thank you so much. Currently, on AWX 6.0.0, the roles/requirements.yml is called on every project update. So I cannot provide any credentials other than the Source Control ones which are currently linked to my project.
So far, I’ve had to change my roles/requirements.yml to use HTTPS instead of SSH for my Git repository URLs as a way to solve this issue.
In the next few days, I’ll upgrade to AWX 7.0.0, which calls requirements.yml on every job template run, so I can add extra credentials as you suggested.
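As an added illustration of the setup discussed in this thread (not a file posted by any participant): a roles/requirements.yml whose src points at the private repo over SSH, with the HTTPS form the original poster fell back to shown commented out. The repo URL and role name come from the git clone warning quoted in the first post; the version value and the HTTPS URL are assumptions.

```yaml
# roles/requirements.yml (constructed example, not the original poster's file)

# SSH source: ansible-galaxy runs "git clone <src> <name>", so the clone
# succeeds only if the process running it has an SSH key available.
# Per the thread: AWX 6.0.0 installs roles during the project update, where
# only the project's Source Control credential is present; AWX 7.0.0 installs
# them on every job template run.
- src: ssh://git-codecommit.us-east-1.amazonaws.com/v1/repos/ansible-role-os-users
  scm: git
  version: master          # assumption: branch or tag to check out
  name: myname.os-users

# HTTPS source (the workaround mentioned in the thread), kept commented out
# so the role is not declared twice. The URL is an assumption derived from
# the SSH one. Do not embed a username or password in src: the file is
# committed to the project repo, and the clone URL appears in ansible-galaxy
# warnings and job output.
# - src: https://git-codecommit.us-east-1.amazonaws.com/v1/repos/ansible-role-os-users
#   scm: git
#   version: master
#   name: myname.os-users
```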