There is a control server with Ansible named server-ansible and a target server test-web-server-01.
In a playbook/role, I need to log in as the apache user and clone the remote repository from the test-git-01 server. SELinux is enabled on both machines (CentOS 7, by the way).
In the global known_hosts file (/etc/ssh/ssh_known_hosts), the git server key is preset using the known_hosts module:

- name: git storage pubkey
  known_hosts:
    path: /etc/ssh/ssh_known_hosts
    name: test-git-01
    key: "{{ lookup('file', 'files/ssh_keys/pubkeys/test-git-01.pub') }}"

(The key file is obtained manually with the command ssh-keyscan test-git-01 > test-git-01.pub.)
However, when trying to execute git clone (git pull, etc.), we get an error.

- name: clone repository
  git:
    repo: git@test-git-01:testgroup/testrepo.git
    dest: "/www/testsite.ru/htdocs/"
  become: true
  become_user: apache

This is logical: the apache user does not have an ssh key and cannot connect to the server.
As a solution, creating a separate key for the apache user via sudo -u apache ssh-keygen -t rsa and registering it on the git server is not being considered.
What I want is the following: when the ansible user connects, its ssh key is forwarded to the apache user. Since this key can be used with the git server, it is safer if apache's ability to use it is not permanent, but only while the ansible scripts are running.
How do I set up ssh key forwarding correctly in Ansible?
PS Update. Below I describe my own version, which I eventually arrived at and then also found described in English. I could have published this option right away in question-and-answer mode, but I am interested in reading about other possible solutions to the problem (can an ACL be used?); perhaps an even better practice will be suggested. Therefore I am not going to accept an answer.
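As an added example (not the question author's own version and not a snippet from the Ansible project) along the ACL line the question hints at: the play forwards the controller's ssh-agent, gives the apache user access to the forwarded socket through an ACL, runs the clone with SSH_AUTH_SOCK carried across become (sudo drops it by default), and revokes the ACL in an always block so the window closes even if the clone fails. Assumptions: the ssh-agent on server-ansible holds the key registered on test-git-01, the acl package (setfacl) is installed on test-web-server-01, and the host, repository and paths are those from the question.

```yaml
- hosts: test-web-server-01
  vars:
    # Forward the controller's agent on every ssh connection of this play
    ansible_ssh_common_args: '-o ForwardAgent=yes'
  tasks:
    - name: Find the forwarded agent socket of the login user (ansible)
      shell: 'echo "$SSH_AUTH_SOCK"'
      register: agent_sock
      changed_when: false
      failed_when: agent_sock.stdout | length == 0   # no forwarding: stop early

    - block:
        - name: Grant apache temporary access to the socket and its directory
          acl:
            path: "{{ item.path }}"
            entity: apache
            etype: user
            permissions: "{{ item.perms }}"
            state: present
          loop:
            - { path: "{{ agent_sock.stdout | dirname }}", perms: 'x' }   # traverse dir
            - { path: "{{ agent_sock.stdout }}", perms: 'rw' }            # use socket

        - name: clone repository
          git:
            repo: git@test-git-01:testgroup/testrepo.git
            dest: /www/testsite.ru/htdocs/
          environment:
            SSH_AUTH_SOCK: "{{ agent_sock.stdout }}"   # sudo strips it otherwise
          become: true
          become_user: apache
      always:
        - name: Revoke the ACL so apache cannot use the key after the play
          acl:
            path: "{{ item }}"
            entity: apache
            etype: user
            state: absent
          loop:
            - "{{ agent_sock.stdout | dirname }}"
            - "{{ agent_sock.stdout }}"
      become: true
```

With ControlPersist enabled the forwarded socket stays alive for a while after the play, so the always block, not session teardown, is what actually ends apache's access.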