Can't get git module to work -- permission denied

[Mike Titus]

I've created a GitHub user on the target server with a private key in ~/.ssh/id_rsa (and added the public key to GitHub).  If I "sudo su deploy" I can then clone my repo via the command line without error:

$ git  clone  g...@github.com:me/my-repo.git  target_folder

However, I cannot clone from my Ansible playbook using the git module:

yii.yml

--------

- hosts: yii

  user:  ubuntu

  sudo:  yes

  roles:

    - { role: common, tags: [ 'common' ] }

- hosts: yii

  user: deploy

  sudo:  no

  roles:

    - { role: yii-deploy, tags: [ 'yii-deploy' ] }

main.yml in yii role

------------------------

- name: checkout yii-admin

  git: repo=g...@github.com:me/my-repo.git dest=/mnt/live/yii-admin

When I run the above I get this error:

TASK: [yii-deploy | checkout yii-admin] *************************************** 

failed: [54.185.9.246] => {"cmd": "/usr/bin/git ls-remote origin -h refs/heads/master", "failed": true, "item": "", "rc": 128}

stderr: Permission denied (publickey).

fatal: The remote end hung up unexpectedly

msg: Permission denied (publickey).

fatal: The remote end hung up unexpectedly

FATAL: all hosts have already failed -- aborting

My best guess is that "user: deploy" is being ignored in yii.yml and that the git module is executing as the "ubuntu" user?  Any suggestions greatly appreciated.

[Mike Titus]

Ansible version 1.5, from Ubuntu 13.10 to Ubuntu 12.04

[James Tanner]

On 03/06/2014 05:30 PM, Mike Titus wrote:

Ansible version 1.5

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/8210a3b0-11a4-4f82-9c3b-1c3070742c90%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

We can't be certain what user is executing the git command without seeing the -vvvv output from your play.

The git module in 1.5 has a key_file parameter to pass in the path to an ssh key to use. Try passing the absolute path to your private key with that.

[Mike Titus]

On Thursday, March 6, 2014 2:33:37 PM UTC-8, James Tanner wrote:

We can't be certain what user is executing the git command without seeing the -vvvv output from your play. 

The git module in 1.5 has a key_file parameter to pass in the path to an ssh key to use. Try passing the absolute path to your private key with that.

 

Added key_file parameter, same error.  The fact that id_rsa cannot be accessed strongly suggests that my attempts to specify the user for the deploy role is not working, but I can't think of any alternate syntax.  I really need to run most of the tasks as "ubuntu" but the git deploy tasks as "ava-deploy":

TASK: [yii-deploy | checkout yii-admin] *************************************** 

<54.185.9.246> ESTABLISH CONNECTION FOR USER: ubuntu

<54.185.9.246> REMOTE_MODULE git repo=g...@github.com:me/my-repo.git dest=/mnt/live/yii-admin accept_hostkey=yes key_file=/home/ava-deploy/.ssh/id_rsa                                                                  

<54.185.9.246> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/home/me/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'IdentityFile=creds/ubuntu_yii', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=ubuntu', '-o', 'ConnectTimeout=10', 'xx.xxx.x.xxx', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1394145698.52-234897656048864 && chmod a+rx $HOME/.ansible/tmp/ansible-tmp-1394145698.52-234897656048864 && echo $HOME/.ansible/tmp/ansible-tmp-1394145698.52-234897656048864'"]                                                                                       

<54.185.9.246> PUT /tmp/tmp7pXt8U TO /home/ubuntu/.ansible/tmp/ansible-tmp-1394145698.52-234897656048864/git

<54.185.9.246> EXEC ['ssh', '-C', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/home/me/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'IdentityFile=creds/ubuntu_yii', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=ubuntu', '-o', 'ConnectTimeout=10', 'xx.xxx.x.xxx', "/bin/sh -c '/usr/bin/python /home/ubuntu/.ansible/tmp/ansible-tmp-1394145698.52-234897656048864/git; rm -rf /home/ubuntu/.ansible/tmp/ansible-tmp-1394145698.52-234897656048864/ >/dev/null 2>&1'"]

failed: [54.185.9.246] => {"cmd": "/usr/bin/git ls-remote origin -h refs/heads/master", "failed": true, "item": "", "rc": 128}

stderr: Warning: Identity file /home/ava-deploy/.ssh/id_rsa not accessible: Permission denied.

Permission denied (publickey).

fatal: The remote end hung up unexpectedly

msg: Warning: Identity file /home/ava-deploy/.ssh/id_rsa not accessible: Permission denied.

[James Tanner]

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/ebbafa23-9bb5-40f7-b654-fe582222748e%40googlegroups.com.

For more options, visit https://groups.google.com/groups/opt_out.

You -are- connecting to the remote host as the ubuntu user. It's also probably true that the ubuntu user can -not- read /home/ava-deploy/.ssh/ on that host.