Doing a git pull with Ansible without typing a username or password and without saving any secrets on the system

Khoa Nguyen
2 min read · Aug 24, 2019

I guess this question is simple for some of you. However, for me, it was not as straightforward as I expected.

Let me briefly describe the problem.

We have a code folder on a server. To deploy the application, we need to log in to the deploy server and do a git pull to update to the latest code from the origin.

Every time we type the command, it prompts for the username and password.

It’s a waste of time if we must type the username and password every time. So I need to find a solution to tackle the issue. I’m quite familiar with Ansible, so I will use Ansible to automate the task.

Fortunately, Ansible has a git module which can update the latest code from a specific branch.

# The credentials are part of the repo URL that git records for the remote
- name: Update Code
  git:
    repo: https://{{ git_username }}:{{ git_password }}@github.com/private-repo.git
    dest: /tmp/git
    version: master

This Ansible task is simple, isn’t it? Yes, it is simple, but there is a problem: it saves git_username and git_password in the .git/config file.

So we can try another method. I will not use the Ansible module anymore and will use a shell command instead.

- name: Update Code
  shell: |
    git pull https://{{ git_username }}:{{ git_password }}@github.com/private-repo.git master

This method does not save the username and password in the .git/config file. However, it writes logs to audit.log.

Another method is to use credential.helper:

git config --global credential.helper 'cache --timeout 7200'

However, this method will save the username and password in plaintext on the local disk (~/.git-credentials).

After searching for a while on the Internet, I discovered the Ansible expect module.

It can do exactly what I want. Moreover, it doesn’t save any logs in the log files.

- name: Git Pull
  expect:
    command: git pull
    # keys are regexes matched against the prompts printed by git
    responses:
      (.*)Username(.*): "{{ git_username }}"
      (.*)Password(.*): "{{ git_password }}"
  # you don't want to show passwords in your logs
  no_log: true

Yeah, that’s a solution. It took me a couple of hours to investigate. I hope my solution can help someone tackle the issue quickly.

If you have any questions, please let me know.
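
To confirm that a deployment left no secret behind in the places discussed above (.git/config and ~/.git-credentials), a post-deploy check can scan for them. This is an added example, not code from the original post; the function names are hypothetical, and the check of ~/.gitconfig for the `store` helper is an addition based on git's documented behaviour.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

SECTION = re.compile(r"^\s*\[\s*([\w.-]+)")
KEY_VALUE = re.compile(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$")


def redact(url):
    """Replace the userinfo part of a URL so a finding never echoes the secret."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]
    return parts._replace(netloc="***@" + host).geturl()


def scan_git_config(path):
    """Return findings for one git config file; a missing file yields none."""
    path, findings, section = Path(path), [], ""
    if not path.is_file():
        return findings
    for line in path.read_text(errors="replace").splitlines():
        if (m := SECTION.match(line)):
            section = m.group(1).lower()
            continue
        if not (m := KEY_VALUE.match(line)):
            continue
        key, value = m.group(1).lower(), m.group(2)
        if section == "remote" and key in ("url", "pushurl"):
            parts = urlsplit(value)
            # ssh://git@host and git@host:repo carry no secret; http(s) userinfo does
            if parts.scheme in ("http", "https") and "@" in parts.netloc:
                findings.append(f"{path}: credentials in remote URL {redact(value)}")
        elif section == "credential" and key == "helper" and value.split()[:1] == ["store"]:
            findings.append(f"{path}: credential.helper 'store' keeps plaintext on disk")
    return findings


def audit(repo_dir, home_dir):
    """Check a deployed checkout and the deploy user's home for persisted secrets."""
    home = Path(home_dir)
    findings = scan_git_config(Path(repo_dir) / ".git" / "config")
    findings += scan_git_config(home / ".gitconfig")
    if (home / ".git-credentials").is_file():
        findings.append(f"{home / '.git-credentials'}: plaintext credential file present")
    return findings


if __name__ == "__main__":  # /tmp/git is the checkout path used in the tasks above
    print("\n".join(audit("/tmp/git", Path.home())) or "no persisted git secrets found")
```

An empty result from `audit()` means none of the three locations holds a credential; findings are redacted so the report itself can be logged safely.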
