I’m using Ansible to clone / update a Git repository that I’m accessing via HTTP, using username & password. Except that the “git” task really doesn’t help me.
I can’t put those credentials in the URL, because they then end up stashed in the config of the git repository. That causes problems downstream, including disclosure of the password to anyone else who has access to the box, and if the password changes, failures in the Ansible script.
One work-around I came up with was the following:
# set up the Git credential cache...
- name: Set up credential cache
command: git config --global credential.helper cache
# shove credentials into it...
- name: Fetch git repositories
shell: printf 'protocol=http\nhost=git.example.com\nusername={{ username }}\npassword={{ password }}\n' | git credential approve ; if [ -d reponame.git ]; then (cd reponame.git && git pull); else git clone http://{{ username }}@git.example.com/git/reponame reponame.git ; fi
This works, but doesn't take care of various corner cases that the Ansible "git" task does take care of. Also potentially puts the password in the log file. Next approximation is to write the input to git credential approve to a file, using the "template" task, but that leaves behind a file I have to delete. So at that point, rather than using credential "cache", use the "store".
So I ended up with this: