
As part of a larger playbook I try to clone a repo in an Ansible task and it fails with git@github.com: Permission denied (publickey). Doing the same manually works. What is wrong?

Minimal Example of my playbook:

---
- hosts: all
  tasks:
    - name: Ensure dotfiles repository is cloned locally.
      git:
        repo: "git@github.com:geerlingguy/dotfiles.git"
        dest: "~/devops/macsetup/dotfiles"
        key_file: /Users/myUser/.ssh/id_ed25519
        version: "main"
        accept_hostkey: true
      become: false

Inventory file:

[all]
127.0.0.1 ansible_connection=local

ansible.cfg:

[defaults]
nocows = true
roles_path = ./roles
inventory = inventory
become = true
stdout_callback = yaml
log_path = ~/Desktop/ansibleLog_test.txt

Result:

TASK [Ensure dotfiles repository is cloned locally.] ***************************************************************************************
The full traceback is:
WARNING: The below traceback may *not* be related to the actual failure.
  File "/var/folders/3v/qk0n7z693jv2pz23cy99q7_m0000gn/T/ansible_git_payload_TeGqRk/ansible_git_payload.zip/ansible/modules/git.py", line 499, in clone
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
fatal: [127.0.0.1]: FAILED! => changed=false 
  cmd: /usr/bin/git ls-remote '' -h refs/heads/main
  invocation:
    module_args:
      accept_hostkey: true
      archive: null
      archive_prefix: null
      bare: false
      clone: true
      depth: null
      dest: /Users/myUser/devops/macsetup/dotfiles
      executable: null
      force: false
      gpg_whitelist: []
      key_file: /Users/myUser/.ssh/id_ed25519
      recursive: true
      reference: null
      refspec: null
      remote: origin
      repo: git@github.com:geerlingguy/dotfiles.git
      separate_git_dir: null
      single_branch: false
      ssh_opts: null
      track_submodules: false
      umask: null
      update: true
      verify_commit: false
      version: main
  msg: ''
  rc: 128
  stderr: |-
    git@github.com: Permission denied (publickey).
    fatal: Could not read from remote repository.
  
    Please make sure you have the correct access rights
    and the repository exists.
  stderr_lines: <omitted>
  stdout: ''
  stdout_lines: <omitted>
PLAY RECAP ***************************************************************************************
127.0.0.1                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

I realized that ansible is actually running git ls-remote '' -h refs/heads/main. The documentation on ls-remote is not too verbose.

Human

1 Answer


It's not really possible to answer this without more information, but as a general rule with troubleshooting issues like this - aside from what you've done already - here are some tips:

  • turn up debug when you run ansible (e.g. -vvvv on the command line) - this can often help you see extra info like user/connection details being used
  • add in some pre-tasks that run command line tasks that you have tried manually on the target machine, and check you see the same result (e.g. command: whoami and command: ls -l /Users/myUser/.ssh/id_ed25519)
  • running manually on target versus via ansible - often it's the case that a manual login is setting up the shell environment via dotfiles, which might differ from the headless ansible login

In the latter case, it's target dependent, but there are some examples for bash here: Not possible to source .bashrc with Ansible

Ben
  • ok, Results of your recommendation: - the user is actually me - the key used is actually my personal ssh-private-key - this machine is absolutely vanilla-fresh-installed - no customization in any dotfiles – Human Aug 09 '21 at 15:11
  • Can you add/update the manual commands you're testing with and the output you get? If this succeeds did you have to try anything different, like the suggestions on https://docs.github.com/en/github/authenticating-to-github/troubleshooting-ssh/error-permission-denied-publickey ? Also, in the ansible did you try cloning via HTTP and not via SSH keys? Do you get the same result? – Ben Aug 10 '21 at 16:53
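
The pre-task checks suggested in the answer, written out as an added playbook that is not part of the original question or answer: it reports the effective user, checks the key named in the question's `key_file`, and tests GitHub authentication without an agent or passphrase prompt. The variable name `key_path`, the registered names and the chosen `ssh` options are assumptions made for this example.

```yaml
---
# Added diagnostic example; not from the original post.
- hosts: all
  # ansible.cfg in the question sets become = true globally, so pin the
  # whole play to the same setting the failing git task uses.
  become: false
  vars:
    # Path copied from the question's key_file; key_path is a made-up name.
    key_path: /Users/myUser/.ssh/id_ed25519
  tasks:
    - name: Show which user the tasks actually run as
      command: whoami
      register: who
      changed_when: false

    - name: Inspect the private key as seen by that user
      stat:
        path: "{{ key_path }}"
      register: key

    - name: Stop early if the key is missing, unreadable or too permissive
      assert:
        that:
          - key.stat.exists
          - key.stat.readable
          # ssh ignores private keys that group or others can access.
          - key.stat.mode[-2:] == '00'
        fail_msg: "{{ who.stdout }} cannot use {{ key_path }}"

    - name: Test GitHub SSH authentication with only this key
      # BatchMode fails instead of prompting for a passphrase;
      # IdentitiesOnly and IdentityAgent=none keep ssh from using other
      # keys or an ssh-agent that an interactive shell might provide.
      command: >-
        ssh -T -o BatchMode=yes -o IdentitiesOnly=yes
        -o IdentityAgent=none -i {{ key_path }} git@github.com
      register: ssh_test
      changed_when: false
      # GitHub closes the session with a non-zero exit code even after a
      # successful login, so judge by the message rather than by rc.
      failed_when: false

    - name: Show what ssh reported
      debug:
        var: ssh_test.stderr_lines
```

If the last task prints the same `Permission denied (publickey)` line, the key is not usable non-interactively (for example, it is passphrase-protected or not registered with the account); if it prints GitHub's greeting, the problem lies elsewhere in the `git` task.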