So git is hanging as underneath python is waiting for creds input. Token needs to be sent together with url example here : https://www.decodingdevops.com/ansible-git-module-examples/ What I usually do is set fact of url with token at the beginning and only then pass that fact to git. But you could just do similar to the article. Answer from endriu0 on reddit.com
GitHub
github.com › asifmahmud › ansible-git-clone
GitHub - asifmahmud/ansible-git-clone · GitHub
An Ansible role that can be used to clone a private GitHub repository. This role requires a GitHub personal access token. Generate a new token (Settings -> Developer Settings -> Personal Acess Token).
Starred by 15 users
Forked by 6 users
DZone
dzone.com › software design and architecture › security › safe clones with ansible
Safe Clones With Ansible
February 22, 2024 - They can be created by an API call ... session key. Specifically, Ansible authenticates itself using the token, creates the deployment key, authorizes the clone, and deletes it immediately afterward....
why does git clone stall with personal access token?
So git is hanging as underneath python is waiting for creds input. Token needs to be sent together with url example here : https://www.decodingdevops.com/ansible-git-module-examples/ What I usually do is set fact of url with token at the beginning and only then pass that fact to git. But you could just do similar to the article. More on reddit.com
4
3
March 4, 2021How do I pass username and password while using Ansible Git module? - Stack Overflow
Taken from: Clone a private git repository with Ansible (using password prompt) ... F. Santiago ... this is also exposing username/password (the remote origin stored as https://user:[email protected]/...) 2018-06-10T00:13:42.997Z+00:00 ... You cannot avoid exposing the token or password. More on stackoverflow.com
git - How can I use a gitlab deploy token from ansible? - Stack Overflow
In order to have the target server clone the projects automatically (non-interactively), I'm using deploy tokens. First, on our GitLab server's web interface, I went to my first project and generated a deploy key for it. I can configure the target server to use the deploy key using ansible with ... More on stackoverflow.com
ansible git clone without rights on the remote - Stack Overflow
Working to clone a git repository that requires credentials because it is private (to complicate it more, it has a submodule that is also private, but this is a secondary question). I would like to... More on stackoverflow.com
Ansible
docs.ansible.com › projects › ansible › latest › collections › ansible › builtin › git_module.html
ansible.builtin.git module – Deploy software (or files) from git checkouts — Ansible Community Documentation
To avoid this prompt, one solution is to use the option accept_hostkey. Another solution is to add the remote host public key in /etc/ssh/ssh_known_hosts before calling the git module, with the following command: ssh-keyscan -H remote_host.com >> /etc/ssh/ssh_known_hosts.
Reddit
reddit.com › r/ansible › why does git clone stall with personal access token?
r/ansible on Reddit: why does git clone stall with personal access token?
March 4, 2021 -
I have a basic test task to clone from a gitlab repo using the following:
tasks:
- name: Check if Gitlab repo updated
git:
repo: https://my.gitlab.repo/test.git
dest: /var/test-repos/
accept_hostkey: yes
update: yes
version: master
register: git
ignore_errors: true
- debug:
var: gitI've generated a personal access token in gitlab with all read rights + api rights. It runs fine until it attempts to clone then will just stall forever.
If i change the task definition to:
tasks:
- name: Check if Gitlab repo updated
git:
repo: git://my.gitlab.repo/test.git
dest: /var/test-reops/
accept_hostkey: yes
update: yes
version: master
key_file: /path/to/private/key
register: git
ignore_errors: true
- debug:
var: gitThen everything works but I don't want to store the private key on my ansible tower host. Any ideas?
Top answer 1 of 2
3
So git is hanging as underneath python is waiting for creds input. Token needs to be sent together with url example here : https://www.decodingdevops.com/ansible-git-module-examples/ What I usually do is set fact of url with token at the beginning and only then pass that fact to git. But you could just do similar to the article.
2 of 2
1
I don't have the answer to why it stalls using a PAT, but you can put your private key in Ansible Vault and call it in the play. It is secure in this manner.
Top answer 1 of 6
76
You can use something like this:
---
- hosts: all
gather_facts: no
become: yes
tasks:
- name: install git package
apt:
name: git
- name: Get updated files from git repository
git:
repo: "https://{{ githubuser | urlencode }}:{{ githubpassword | urlencode | replace ('/', '%2f') }}@github.com/privrepo.git"
dest: /tmp
Note: {{ githubpassword | urlencode | replace ('/', '%2f') }} is used here to account for special characters. replace ('/', '%2f') is necessary because urlencode does not convert /.
Then execute the following playbook:
ansible-playbook -i hosts github.yml -e "githubuser=arbabname" -e "githubpassword=xxxxxxx"
Note: Make sure you put the credentials in ansible vaults or pass it secure way
2 of 6
40
Improving on Arbab Nazar's answer, you can avoid exposing your password in the terminal by prompting for the credentials.
playbook.yml
---
- name: ANSIBLE - Shop Installation
hosts: '{{ target }}'
vars_prompt:
- name: "githubuser"
prompt: "Enter your github username"
private: no
- name: "githubpassword"
prompt: "Enter your github password"
private: yes
[...]
And in the task reference the variables.
task.yml
- name: Get updated files from git repository
git:
repo=https://{{ githubuser | urlencode }}:{{ githubpassword | urlencode }}@github.com/privrepo.git
dest=/tmp
This will save the password as clear text in .git/config as url of remote "origin".
The following task can be used to remove it.
- name: Ensure remote URL does not contain credentials
git_config:
name: remote.origin.url
value: https://github.com/privrepo.git
scope: local
repo: /tmp
Taken from: Clone a private git repository with Ansible (using password prompt)
OneUptime
oneuptime.com › home › blog › how to use the ansible git module to clone repositories
How to Use the Ansible git Module to Clone Repositories
February 21, 2026 - # playbook-versioned-clone.yml # Demonstrates cloning at specific branches, tags, and commit SHAs - name: Clone specific versions hosts: webservers become: true tasks: - name: Clone specific branch ansible.builtin.git: repo: "https://github.com/example/myapp.git" dest: /opt/myapp version: develop - name: Clone specific tag ansible.builtin.git: repo: "https://github.com/example/myapp.git" dest: /opt/myapp-release version: v2.1.0 - name: Clone specific commit ansible.builtin.git: repo: "https://github.com/example/myapp.git" dest: /opt/myapp-pinned version: "a1b2c3d4e5f6" For private repositories, you can use HTTPS with tokens or SSH with keys:
Fabian Lee
fabianlee.org › 2021 › 02 › 03 › ansible-cloning-a-git-repository-that-requires-credentials
Ansible: cloning a git repository that requires credentials | Fabian Lee : Software Engineer
June 21, 2021 - From the command line, the syntax is: git clone https://<user>:<password>@<gitserver>/<path>/<repo>.git · Where any special characters in the password are URL encoded (e.g. an exclamation mark needs to be “!”). I describe this in my article ...
Cam
guidebook.devops.uis.cam.ac.uk › howtos › deployment › create-deploy-token-for-ansible
Create GitLab deploy token for Ansible deployment - DevOps Division Guidebook
Deploy tokens are used to enable authentication of deployment tasks, independent of a user account. With a deploy token, Ansible deployment can: Clone Git repositories.
Medium
theusmanhaider.medium.com › ansible-clone-private-git-repository-c8a2c9ec8a61
Ansible Clone Private Git Repository | by Usman Haider | Medium
April 2, 2023 - This approach is not recommended ... obvious security reason. Generate ssh key for you Ansible server and add your public key to your Github profile automatically via Github Access Token REST API....
IBM
community.ibm.com › community › user › ibmz-and-linuxone › blogs › asif-mahmud1 › 2020 › 03 › 15 › cloning-private-git-repository-using-ansible
Cloning a Private Git Repository Using Ansible
Facilitate communication, user interaction and feedback for Red Hat Ansible Certified Content for IBM Z · This is happening because the remote machine where Ansible is trying to clone the repository into, does not have the same SSH credentials that your local machine does.
Top answer 1 of 3
8
Why not just set the credentials directly into the repo path?
- name: Clone Project A git repo
git:
repo: 'https://{{ gitlab_project_A_deploy_username }}:{{ gitlab_project_A_deploy_password }}@company_gitlab_server.com/USER/Project_A.git'
dest: /some/dir/
2 of 3
1
If you want to use a helper for the credentials (whether store or cache) you can use the credential.useHttpPath option to make it match on the path too.
Then, for the store helper, save
https://{{ gitlab_project_A_deploy_username }}:{{ gitlab_project_A_deploy_password }}@company_gitlab_server.com/USER/Project_A.git
https://{{ gitlab_project_B_deploy_username }}:{{ gitlab_project_B_deploy_password }}@company_gitlab_server.com/USER/Project_B.git
in the credentials store.
GitHub
gist.github.com › mblarsen › 62d2c0451e69a607a66a
Solution for `git clone` using Ansible for repos with private submodules with github deploy keys · GitHub
Solution for `git clone` using Ansible for repos with private submodules with github deploy keys - deploy.yaml
FreeKB
freekb.net › Article
Ansible - Clone a repository using the git module
April 19, 2025 - And then your Ansible playbook could look something like this. There should be no need to include a username or password or key file since authentication has been established by adding your SSH keys on github.com. --- - hosts: all tasks: - name: clone example.git ansible.builtin.git: repo: git@github.com:JohnDoe/example.git dest: /tmp/example accept_hostkey: true environment: GIT_TERMINAL_PROMPT: false GIT_SSL_NO_VERIFY: true ...
Middleware Inventory
middlewareinventory.com › blog › ansible-git-example
Ansible Git Example - Checkout code from Git Repo Securely
February 24, 2024 - Hope your Ansible Playbook has run successfully and now it is the time for validation. You might have figured out that my remote server name is mwiapp01 as it is displayed on the preceding snapshot. Now let us access the URL http://mwiapp01:5000 and test it · In the previous playbook, you can see that we have used the username and the password which is not a secure solution. Github now supports user access tokens in place of username and password for authentication
GitHub
gist.github.com › droidMakk › 0902f6352337ff0343bb2361b270161b
Ansible Snippet to generate a token from GIt · GitHub
August 23, 2016 - Clone this repository at <script src="https://gist.github.com/droidMakk/0902f6352337ff0343bb2361b270161b.js"></script> Save droidMakk/0902f6352337ff0343bb2361b270161b to your computer and use it in GitHub Desktop. Download ZIP · Ansible Snippet to generate a token from GIt ·
LinkedIn
linkedin.com › pulse › ansible-vault-dynamics-mastering-secure-git-pankaj-salunkhe
Ansible Vault Dynamics: Mastering Secure Git Collaboration
August 23, 2023 - --- - name: git cloning hosts: localhost become: yes vars_files: - git_pass.yml tasks: - name: git clone git: repo: "https://{{ git_user }}:{{ git_token }}@github.com/Pankajsalunkhecoding/twitter_app.git" dest: /home/twitter_app · 3) Take git clone using ansible · ansible-playbook git_clone_method1.yml --ask-vault-pass · Output · Ansible Vault provides a robust solution for securing sensitive information within your Git repositories.
Jeff Geerling
jeffgeerling.com › blog › 2018 › cloning-private-github-repositories-ansible-on-remote-server-through-ssh
Cloning private GitHub repositories with Ansible on a remote server through SSH | Jeff Geerling
May 1, 2017 - Add a task that generates a private key on the remote server, then another task (or manual step) of adding the generated public key to GitHub, so that server can authenticate for Git commands. But if you want to avoid having any private keys on the remote server (sometimes this can be a necessary security requirement), you can pass your own private key through to the remote server via Ansible's SSH connection.
GeeksforGeeks
geeksforgeeks.org › devops › ansible-git-module
How to use Ansible Git Module for Version Control - GeeksforGeeks
July 23, 2025 - Make sure to copy your personal access token now. You won’t be able to see it again!. Now create ansible playbook by using following command. ... Now define tasks in playbook, here is the script for playbook to clone private repository. --- - name: Clone Private Git Repository Using PAT hosts: all become: yes vars: repo_url: https://github.com/yourusername/your-private-repo dest_dir: /path/to/clone/repo github_token: "your_github_pat" tasks: - name: Ensure git is installed yum: name: git state: present - name: Clone the private repository git: repo: "{{ repo_url }}" dest: "{{ dest_dir }}" version: master # or any branch/tag you want to checkout force: yes accept_hostkey: yes environment: GIT_ASKPASS: /bin/echo GIT_USERNAME: "{{ github_token }}" GIT_PASSWORD: "{{ github_token }}"
Claudia Kuenzler
claudiokuenzler.com › blog › 604 › clone-a-private-git-repository-with-ansible-password-prompt
Clone a private git repository with Ansible (using password prompt)
December 2, 2015 - A possibility would be to use private key authentication, however we all know that (as of this writing in December 2015) it is not possible to use the same public key on multiple git repositories in github. So I found a way to let Ansible clone the repository with my own user, yet without hard-coding it of course.
Top answer 1 of 2
1
Following the comment from β.εηοιτ.βε I found how to make this git statement work in ansible.
First this has been to create an specific ssh key to be used as a deployment key:
ssh-keygen -t ed25519 -C "ansible deploy key for gitlab"
With password and the password stored in the ansible-vault (as gitlab_deploy_key_passwd). The file is saved in the path of the roles in ansible.
In the gitlab project, one has to go the "Settings > Repository > Deploy Keys" and place the content of the "gitlab_deploy_key_ed25519.pub".
In ansible, it is necessary to have a set of tasks to copy the private key (password protecte) in the remote as well as configure ssh to use it when talk with gitlab.
- name: "gitlab deploy key"
block:
- name: ".ssh directory with the best rights"
file:
path: /home/{{ ansible_user_id }}/.ssh
state: directory
mode: "u=rwx,g=,o="
owner: "{{ ansible_user_id }}"
group: "{{ ansible_user_id }}"
- name: "gitlab deploy key copy"
copy:
src: "../files/gitlab_deploy_key_ed25519"
dest: "/home/{{ ansible_user_id }}/.ssh"
mode: "u=rwx,g=,o="
owner: "{{ ansible_user_id }}"
group: "{{ ansible_user_id }}"
- name: "gitlab deploy key config"
blockinfile:
path: "/home/{{ ansible_user_id }}/.ssh/config"
block: |
Host gitlab.com
User git
Hostname gitlab.com
IdentityFile /home/{{ ansible_user_id }}/.ssh/gitlab_deploy_key_ed25519
With this a "git clone" task can be setup:
- name: "git clone"
expect:
chdir: "{{ sources_dir }}"
command: "git clone [email protected]:(...)/repo.git repo.git"
responses:
passphrase: "{{ gitlab_deploy_key_passwd }}"
So then, the repo is present in the remote without storing any private information there (or at least store it somehow protected). It is read-only and even this read requires a password that is as save as the ansible-vault. (I haven't understand why in this case the expect worked with the passphrase but didn't with the username/password).
This clones the repo without initializing the submodules, but from here the git commands in further ansible tasks will have access to the necessary things to do that.
2 of 2
0
To add to the comment, you have here an example using a credential helper:
- name: Configure Git credential storage
command: "git config --global credential.helper store"
- name: Populate the Git credential store
template:
src: files/git_credentials.j2
dest: /home/appuser/.git-credentials
owner: appuser
group: appuser
mode: u=rw,g=,o=
no_log: true
With template;
https://{{ gitlab_username|urlencode }}:{{ gitlab_password|urlencode }}@gitlab.example.org
You can also use the git_config_module to set the credential helper (instead of command)