stefangweichinger / ansible-rclone

ansible role for rclone :: https://galaxy.ansible.com/stefangweichinger/ansible_rclone

Automatic creation of token #149

Open mihalt opened 7 months ago

mihalt commented 7 months ago

Hi! As I see from your docs, I can not to define token property. I was sure that it should generate automatically https://github.com/stefangweichinger/ansible-rclone/blob/2aec630547fe4e49dfee244cd3a1c094a2e5faef/README.md?plain=1#L154-L171

But in practice it doesn't, and fails with the error:

drive: failed when making oauth client: failed to create oauth client: empty token found - please run \"rclone config reconnect GoogleDriveRemote:\""

And it started to work after I generated a token via rclone config reconnect GoogleDriveRemote: in a web browser. But it has a dedicated expiry time that can be a problem.

So, how do you recommend me to work?

stefangweichinger commented 7 months ago

Sorry, I don't know. I don't use that feature, it came from another user in a PR I would have to look for. Maybe search the commits yourself ... I am busy right now.

stefangweichinger commented 7 months ago

look here: https://github.com/stefangweichinger/ansible-rclone/pull/133

maybe ask @tigattack

mihalt commented 7 months ago

> look here: #133
>
> maybe ask @tigattack

And by the way, on my Ubuntu server the service name is different:

    - name: Restart rclone
      ansible.builtin.systemd:
        name: rclone-mount@rclone.service
        state: restarted
      when: setup_rclone_config.changed

tigattack commented 7 months ago

You can define a token property. In fact, you can define anything you wish in the properties dict. Each item in properties is simply iterated over and templated into rclone.conf (template here).

However, even though it is possible, you described the issue with this approach in your initial description:

> But it has dedicated expiry time that can be a problem.

Interactive authentication is not something that this role supports and, unless you use a service account, Google Drive authentication is an interactive process. I would suggest you use service account authentication if you require the entire process to be hands-off.

stefangweichinger commented 4 months ago

is that still an issue?

mihalt commented 1 month ago

@tigattack if you are saying that I can generate the token on any PC during rclone config and pass it to Ansible with any expiration time, and it looks like it will work, then that's true.

But if I pass empty data like this token: ' {"access_token":"","token_type":"","refresh_token":"","expiry":""}' — it doesn't work.

tigattack commented 1 month ago

Sorry, I'm not clear on exactly what the problem is here. More detail would be great; as much info as possible on how you're using this role (including variable definitions with secrets obfuscated), what your goal is, and how you expect the end result to look and function.

mihalt commented 1 month ago

> Sorry, I'm not clear on exactly what the problem is here. More detail would be great; as much info as possible on how you're using this role (including variable definitions with secrets obfuscated), what your goal is, and how you expect the end result to look and function.

I just don't want to do any manual work to generate a token. It would be nice just to pass these variables:

    rclone_configs:
      - name: ExampleGoogleDriveRemote
        properties:
          type: drive
          client_id: 12345
          client_secret: 67890

tigattack commented 1 month ago

As far as I can tell, everything that you've shown so far is working as designed and documented.

I hope I've understood the issue correctly, but please let me know if that's not the case.

mihalt commented 1 month ago

> • service account authentication

do you mean variables something like this?

    {
      "type": "service_account",
      "project_id": "my-project-id",
      "private_key_id": "abcdef1234567890abcdef1234567890abcdef12",
      "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANB ... Y1TC6i69A=\n-----END PRIVATE KEY-----\n",
      "client_email": "my-service-account@my-project-id.iam.gserviceaccount.com",
      "client_id": "123456789012345678901",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project-id.iam.gserviceaccount.com"
    }

tigattack commented 1 month ago

Exactly. I believe it would need to be passed in string form, though.

For example, this is one of mine:

    rclone_configs:
      - name: "{{ rclone.remote_names.gmedia }}"
        properties:
          type: drive
          scope: drive
          service_account_credentials: "{{ (lookup('ansible.builtin.unvault', 'google_service_account.json')).strip() | string }}"

If not sourcing from an ansible-vault encrypted file, it would look something like this:

    rclone_configs:
      - name: "{{ rclone.remote_names.gmedia }}"
        properties:
          type: drive
          scope: drive
          service_account_credentials: ' {"type":"service_account","project_id":"my-project-id","private_key_id":"abcdef1234567890abcdef1234567890abcdef12","private_key":"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANB ... Y1TC6i69A=\n-----END PRIVATE KEY-----\n","client_email":"my-service-account@my-project-id.iam.gserviceaccount.com","client_id":"123456789012345678901","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project-id.iam.gserviceaccount.com"}'

[!NOTE] As mentioned in the readme re. the token variable: Note that the space after the single quote ' for service_account_credentials is intentional in order to force this into a string. Otherwise, it will be interpreted as an object and have its double quotes be converted to single quotes within the config file which rclone cannot parse correctly.
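
A pre-deployment check for the two failure modes discussed in this thread (a credential value templated as an object, so it reaches rclone.conf with single quotes, and an empty token), written in Python as an added example that is not part of the thread or of the role. The sample config and the function name are constructed, and treating access_token and refresh_token as required for unattended use is an assumption of this example.

```python
import configparser
import json

# Constructed sample of a rendered rclone.conf (all values are placeholders).
SAMPLE_CONF = '''\
[sa_ok]
type = drive
scope = drive
service_account_credentials = {"type":"service_account","client_email":"sa@example.invalid","private_key":"PLACEHOLDER","client_x509_cert_url":"https://example.invalid/x509/sa%40example.invalid"}

[sa_templated_as_dict]
type = drive
service_account_credentials = {'type': 'service_account', 'client_email': 'sa@example.invalid', 'private_key': 'PLACEHOLDER'}

[oauth_empty_token]
type = drive
token = {"access_token":"","token_type":"","refresh_token":"","expiry":""}
'''

# Assumption of this example: fields that must be non-empty for unattended use.
REQUIRED = {
    "token": ("access_token", "refresh_token"),
    "service_account_credentials": ("type", "client_email", "private_key"),
}


def check_rclone_conf(text):
    """Return {remote: [problems]} for the JSON-valued credential keys."""
    # interpolation=None: credential URLs contain '%40', which the default
    # interpolation rejects; '=' as sole delimiter keeps ':' inside JSON intact.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    report = {}
    for remote in parser.sections():
        problems = []
        for key, fields in REQUIRED.items():
            raw = parser[remote].get(key)
            if raw is None:
                continue
            try:
                data = json.loads(raw)
            except json.JSONDecodeError:
                problems.append(f"{key}: not valid JSON (templated from a dict?)")
                continue
            empty = [f for f in fields
                     if not (isinstance(data, dict) and data.get(f))]
            if empty:
                problems.append(f"{key}: empty or missing {', '.join(empty)}")
        report[remote] = problems
    return report
```

Running it over the rendered file on the control node or in CI, before the restart handler fires, catches both conditions without printing any credential value.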

mihalt commented 1 month ago

Oh, that looks like something complex. Looks like generating and saving the token is indeed the easier way. Thank you :)