-1

I have previously posted this question but the answer there no longer works.

In summary, when provisioning my vagrant box using Ansible, I get thrown a mysterious error when trying to clone my bitbucket private repo using ssh. The error states "Permission denied (publickey)".

Yet if I vagrant ssh and then run the 'git clone' command, the private repo is successfully cloned. This indicates that the ssh forward agent is indeed working and the vagrant box can access my private key associated with the bitbucket repo.

I have been struggling for two days on this issue and am losing my mind! Please, somebody help me!!!

Vagrantfile:

Vagrant.configure("2") do |config|
  config.vm.box = "ubuntu/xenial64"
  config.vm.network "private_network", ip: "192.168.33.14"
  config.ssh.forward_agent = true

  config.vm.provider "virtualbox" do |vb|
    vb.memory = "1824"
  end

  # Only contains ansible dependencies
  config.vm.provision "shell",
    inline: "sudo apt-get install python-minimal -y"

end

My playbook.yml is as follows:

---

- hosts: all
  become: true

  tasks:
    - name: create /var/www/ directory
      file: dest=/var/www/ state=directory owner=ubuntu group=www-data mode=0755

    - name: Add the user 'ubuntu' to group 'www-data'
      user:
        name: ubuntu
        shell: /bin/bash
        groups: www-data
        append: yes

    - name: Clone [My-Repo] bitbucket repo
      become: false
      git: 
        repo: git@bitbucket.org:[Username]/[My-Repo].com.git
        dest: /var/www/poo
        version: master
        accept_hostkey: yes

Error Message: ansible-playbook playbook.yml

fatal: [192.168.33.14]: FAILED! => {"changed": false, "cmd": "/usr/bin/git clone --origin origin '' /var/www/poo", "failed": true, "msg": "Cloning into '/var/www/poo'...\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.", "rc": 128, "stderr": "Cloning into '/var/www/poo'...\nPermission denied (publickey).\r\nfatal: Could not read from remote repository.\n\nPlease make sure you have the correct access rights\nand the repository exists.\n", "stderr_lines": ["Cloning into '/var/www/poo'...", "Permission denied (publickey).", "fatal: Could not read from remote repository.", "", "Please make sure you have the correct access rights", "and the repository exists."], "stdout": "", "stdout_lines": []}

Additional Info:

  • ssh-add -l on my machine does contain the associated bitbucket repo key.
  • ssh-add -l inside the vagrant box does also contain the associated bitbucket repo key (through ssh-forwarding).

Yet cloning works if done manually inside the vagrant box:

vagrant ssh
git clone git@bitbucket.org:myusername/myprivaterepo.com.git
Then type "yes" to allow the RSA fingerprint to be added to ~/.ssh/known_hosts (as its first connection with bitbucket)

Any help is greatly appreciated and thanks for reading my nightmare.

GustavMahler
  • I don't see a "host key verification" failed, but I do see a `Permission denied (publickey)` error. Maybe instead of posting a duplicate question, try engaging with folks on your original question. – larsks Dec 13 '17 at 03:20
  • This is not a duplicate, but a new question, as the previous question was resolved by including the "become: false" line in the playbook.yml. This is a new error message not present in the other thread I created. Please remove duplicate status. Thank you. – GustavMahler Dec 13 '17 at 05:22

2 Answers

2

This generally means Ansible is not trying to clone the repo with the same user as the one used with vagrant ssh.

One trick to better debug what is going on is to run the command:

GIT_SSH_COMMAND='ssh -v' git clone ...

That way, you will see exactly which ssh keys are tried.

As kostix suggests in the comments, adding the id (or id -a) in the Ansible commands would be helpful too.


The OP GustavMahler confirms in the comments:

You were right: Ansible was cloning the repo as a different user than the one I expected.
I added the following which fixed the task:

become: true 
become_user: vagrant 
VonC
  • I'd also try to somehow stick execution of the `id` command somewhere near the call to `git clone` to try to see what user identity is actually assumed by the ansible process. – kostix Dec 13 '17 at 07:01
  • @kostix Good point. I have included your comment in the answer for more visibility. – VonC Dec 13 '17 at 07:10
  • Thanks VonC - you were right ansible was cloning the repo as a different user than the one I expected. I added the following which fixed the task: – GustavMahler May 13 '18 at 18:00
  • become: true become_user: vagrant – GustavMahler May 13 '18 at 18:00
  • @GustavMahler Thank you. I have included your comment in the answer for more visibility. – VonC May 13 '18 at 21:52
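
The debugging steps from the answer above (`id` and `GIT_SSH_COMMAND='ssh -v'`) written as Ansible tasks that run under the same `become` settings as the clone, as an added example that is not part of the original thread. The `repo_url` variable, the `register` names and the block layout are assumptions; `become_user: vagrant` is the value the OP reported as the fix.

```yaml
---
# Added example, not from the thread. repo_url and the register names are
# illustrative; replace the bracketed placeholders with your own values.
- hosts: all
  become: true
  vars:
    repo_url: "git@bitbucket.org:[Username]/[My-Repo].com.git"

  tasks:
    - name: Diagnose and clone as one and the same user
      become: true
      become_user: vagrant        # the fix the OP reported; use your login user
      block:
        - name: Report the effective user and the keys its agent socket offers
          shell: |
            id
            echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset}"
            ssh-add -l 2>&1 || true
          register: identity
          changed_when: false

        - name: Show the identity report
          debug:
            var: identity.stdout_lines

        - name: Trace which keys ssh offers to Bitbucket (read-only ls-remote)
          command: git ls-remote {{ repo_url }}
          environment:
            # BatchMode makes ssh fail instead of waiting on a prompt
            GIT_SSH_COMMAND: ssh -v -o BatchMode=yes
          register: trace
          changed_when: false
          failed_when: false      # diagnostic only; the clone below decides

        - name: Show the ssh -v trace
          debug:
            var: trace.stderr_lines

        - name: Clone the private repo
          git:
            repo: "{{ repo_url }}"
            dest: /var/www/poo
            version: master
            accept_hostkey: yes
```

If the identity report shows an unexpected user, an unset `SSH_AUTH_SOCK`, or no keys from `ssh-add -l`, the forwarded agent is not reachable from the account running `git`, which matches the `Permission denied (publickey)` result.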
-1

The ssh-agent is associated with a terminal session - but automated Ansible runs are not. (Same deal for most cron jobs, fwiw.) This also explains why things work just fine if you SSH into your Vagrant box and run things.

If you add ansible_ssh_private_key_file: /path/to/file to the playbook, then does that resolve the issue?

Jim Redmond