The ansible-lint step in my GitLab CI pipeline is failing because of an authentication error while running `ansible-galaxy install -r requirements.yml`, which pulls the role dependencies defined in requirements.yml and clones the roles from git.

I tried passing the authentication token via CI/CD variables, but it doesn't like that.

requirements.yml:

```yaml
- src: git+https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/../ansible/roles/ansible-role-s3-yumrepo.git
  version: master
  scm: git
```

But it fails with the error below:

```text
Starting galaxy role install process

[WARNING]: - ansible-role-s3-yumrepo was NOT installed successfully: -
command /usr/bin/git clone https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/../ansible/roles/ansible-role-s3-yumrepo.git
ansible-role-s3-yumrepo failed in directory /root/.ansible/tmp/ansible-local-526mx2pctt4/tmp2n3_tp7_
(rc=128) - Cloning into 'ansible-role-s3-yumrepo'... remote: HTTP Basic:
Access denied fatal: Authentication failed for 'https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/../ansible/roles/ansible-role-s3-yumrepo.git/'
```

Has anyone faced this issue before, or does anyone know a better way to handle this?

Devesh mehta
  • 1,505
  • 8
  • 22
  • The `$CI_JOB_TOKEN` is authorized only for _the current repo_; if you want to be able to access other repos, you'll need to create a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#personal-access-tokens) (or a project access token if that is available to you) and grant it `repository_read` scope – mdaniel Apr 30 '21 at 16:14
  • I am using personal access token and facing issue with that only. – Devesh mehta Apr 30 '21 at 17:01
  • Welp, your posted code snippet has 2 references to `CI_JOB_TOKEN` so if you are doing something underhanded by setting `CI_JOB_TOKEN` to your own P.A.T. you'll need to [edit your question](https://stackoverflow.com/posts/67333570/edit) and show the way you are actually invoking the job. Good luck – mdaniel May 01 '21 at 01:35

2 Answers

2

The problem is that ansible-galaxy does not support environment variable substitution. One possible solution could be manual variable substitution using envsubst:

```sh
# Render the template with the values of the exported environment variables
envsubst < requirements.template > requirements.yml
```

Depending on the environment setup it may be necessary to delete this file later (after the run), as it will contain all the passwords/tokens in plain text.

Another hint on how to debug (confirm) that your user and deploy token are really working is to temporarily hardcode the deploy-token user and deploy token

```yaml
src: 'https://<GITLAB_DEPLOY_USER>:<GITLAB_DEPLOY_TOKEN>@mycompany.com/gitlab/prj/my-ansible-role.git'
```

and test it manually.

kmarokas
  • 21
  • 3
  • The `envsubst` approach is mentioned in multiple places as a viable method, but recommending in the first place to hardcode the tokens in source code is really bad advice. Probably unintended and only as a sample, but bad in any case. – dlouzan Dec 06 '22 at 12:55
  • I totally agree that hardcoding sensitive data could never be the solution. This was mentioned as a sample. I have updated my suggestion on how to work around this ansible-galaxy limitation in a more proper and secure way. – kmarokas Dec 11 '22 at 19:15
0

For GitLab CI you need to edit the requirements.yml:

```yaml
- src: git+https://gitlab-ci-token@gitlab.com/../ansible/roles/ansible-role-s3-yumrepo.git
  version: master
  scm: git
```

You need to use this in the job:

```sh
# Insert the job token after the user name. The pattern is anchored on
# "gitlab-ci-token@" so only that URL is touched, and "#" is used as the
# delimiter so a "/" inside the token value cannot break the expression.
sed -i "s#gitlab-ci-token@#gitlab-ci-token:${CI_JOB_TOKEN}@#g" ./requirements.yml
```

and we get:

```yaml
- src: git+https://gitlab-ci-token:64_sdr54554s45@gitlab.com/../ansible/roles/ansible-role-s3-yumrepo.git
  version: master
  scm: git
```

This works for `ansible-galaxy install` in GitLab CI; you just need to allow access to this project with a CI_JOB_TOKEN in GitLab.

Dmitry
  • 1
  • 2
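Both answers above rely on the same idea: ansible-galaxy performs no variable expansion itself, so the credential has to be substituted into requirements.yml by a step that runs before it (envsubst or sed). The following is an added example written for this page, not code from either answer or from the ansible-galaxy project. It does that substitution in Python but, unlike plain envsubst, refuses to write the file when a referenced variable is unset or empty (envsubst would silently emit an empty credential, and the unexpanded `${CI_JOB_TOKEN}` in the question's git error shows what happens when no substitution runs at all), writes the rendered file with mode 0600 so other users on a shared runner cannot read the plaintext token, and redacts the credential before the rendered file is echoed into the job log. The host name, repository path and token value in the sample template are constructed placeholders.

```python
"""Render an Ansible Galaxy requirements file from a template whose role
URLs carry credentials as ${VAR} placeholders (added example, not the
project's own tooling).  ansible-galaxy performs no substitution itself,
so an unexpanded placeholder would be handed to git verbatim."""
import os
import re
from urllib.parse import urlsplit, urlunsplit

# ${NAME} placeholders, the same syntax envsubst expands.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# A "src:" line (optionally quoted), used when redacting the rendered file.
SRC_LINE = re.compile(r"^(\s*-?\s*src:\s*['\"]?)(\S+?)(['\"]?\s*)$")

# Constructed sample template: placeholder host, path and variable name.
TEMPLATE = """\
- src: git+https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.example.com/ansible/roles/ansible-role-example.git
  version: master
  scm: git
"""


class MissingVariable(KeyError):
    """A placeholder refers to a variable that is unset or empty."""


def render_requirements(template: str, env) -> str:
    """Expand every ${VAR} from `env`; fail fast instead of emitting an
    empty credential, which is what envsubst would do for an unset VAR."""
    def replace(match: re.Match) -> str:
        name = match.group(1)
        value = env.get(name, "")
        if value == "":
            raise MissingVariable(name)
        return value
    return PLACEHOLDER.sub(replace, template)


def redact_credentials(url: str) -> str:
    """Return `url` with any password in its userinfo replaced by ***.
    Understands the git+https:// form Galaxy uses for scm: git sources."""
    prefix = ""
    if url.startswith("git+"):
        prefix, url = "git+", url[len("git+"):]
    parts = urlsplit(url)
    if parts.username is None and parts.password is None:
        return prefix + url
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    userinfo = parts.username or ""
    if parts.password is not None:
        userinfo += ":***"
    netloc = f"{userinfo}@{host}"
    return prefix + urlunsplit((parts.scheme, netloc, parts.path,
                                parts.query, parts.fragment))


def redact_text(rendered: str) -> str:
    """Redact every src: URL so the rendered file can be shown in a CI log."""
    lines = []
    for line in rendered.splitlines():
        m = SRC_LINE.match(line)
        if m:
            line = m.group(1) + redact_credentials(m.group(2)) + m.group(3)
        lines.append(line)
    return "\n".join(lines) + "\n"


def render_file(template_path: str, output_path: str, env=None) -> str:
    """Render template_path into output_path, created with mode 0600."""
    env = os.environ if env is None else env
    with open(template_path, encoding="utf-8") as fh:
        rendered = render_requirements(fh.read(), env)
    # 0600: the file holds a plaintext token; delete it once galaxy has run.
    fd = os.open(output_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as out:
        out.write(rendered)
    return output_path


if __name__ == "__main__":
    # Constructed token value; in a real job this comes from os.environ.
    rendered = render_requirements(TEMPLATE, {"CI_JOB_TOKEN": "constructed-token"})
    print(redact_text(rendered), end="")
```

In a job script this replaces the `envsubst`/`sed` step: render, run `ansible-galaxy install -r requirements.yml`, then remove the rendered file, and print only `redact_text(...)` if the file needs to appear in the log.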