Open itsmeabhijeet opened 3 years ago
Assumption: this is for roles that are pulled from requirements.yml?
If so, there's not much we can do from the AWX side - even if we could pass a token, it would be one token that would be applied to both the initial project checkout and all role (or collection) checkouts - passing a single token that is for a repo with roles would then fail as soon as there are multiple roles in different repos.
Ideally, the galaxy requirement format would allow specifying authentication in the requirements.yml that ansible-galaxy would use.
Hello @wenottingham, yes, your assumption is correct.
Our playbooks are dependent on multiple roles which are pulled from requirements.yml. They all happen to be not only galaxy roles but also our own ansible roles which are separate repos. I was hoping that if in future the server-server token as mentioned here can be implemented, then it would be a more secure and appropriate way where I can use Github App ID as deploy keys in github and the corresponding private key as a credential secret in awx (maybe of type github app??).
Current workaround: I am currently using my personal PAT in awx to make ansible template work. It is not a good way, just a workaround.
Please suggest or let me know if there can be any other way better than using github PAT.
Just wanted to add my vote for GitHub App. This would help a lot to get rid of personal accounts as service accounts. GitHub App support for all git connections would be a perfect solution.
Couldn't agree more: Using a personal ID for a system like AWX is a very wrong and insecure approach - adding support for a proper Github App would be much better.
Maybe I should add: We're running on Github Enterprise SaaS connected as Enterprise Managed Users, so we cannot create PATs at all. In principle this prevents us from implementing AWX in our organization.
ISSUE TYPE
Currently we use deploy keys to integrate Github with awx, but this concept fails in the case of an Ansible playbook that depends on multiple ansible roles. As these roles are separate repos, an individual deploy key fails to check out the other repos.
SUMMARY