Deploy privat Git Repo with Ansible AWX with SSH Key

Most of the time, the source code of Applications is stored in a privat Git Repository. Privat Git Repositories can be accesed by users over https with a username and password or via SSH with a SSH certificat. To enable a machine to access the privat Repository, you need to upload the machine SSH key into the Repository.

In GitHub, you can create a machine useraccount, upload the user (Machine) SSH public key, and add the machine user as a read user to the Repository. After adding the user to the Repository, you can now clone the Repo to the machine without username and password.

Doing so with Ansible CLI is simple. You can load the SSH key into an ssh-agent and start a new bash session. In the bash session, you can start the ansible-playbook.

cd /etc/ansible
ssh-agent bash
ssh-add ~/.ssh/id_rsa
ansible-playbook -i inventory webserver.yml

However, with AWX it is not that simple to add a SSH key into the playbook. AWX offers different credentials which can be added in the template. But the credential type "Souce Code" is only avaliable for setting up a project and not a template. Hence, it is not possible to add a Repository public key for deployment.

In this post, I will show you a small work around for this issue.

For deployment, we use the Ansible ansistrano deploy role. Moreover, we build an extention for Symfony. The role adds the most common sets during a Symfony deployment. H2 Ansible Symfony Deployment Role.

Create a new credential type in AWX

First of all, you have to create a new credential type in AWX. As an systemadministrator go to Credential Type and add following values.

Input Configuration:

fields:
  - id: my_private_key
    type: string
    label: private_key
    secret: true
    multiline: true

Injector Configuration:
extra_vars:
  ansistrano_git_identity_key_path: '{{ tower.filename.my_key  }}'
file:
  template.my_key: '{{ my_private_key  }}'

Add new Credential

With the new Credential type, create an new SSH Credential in AWX. Go to Credential and select the new type. Copy in the privat SSH key for accessing the Git Repositories.

Add Credential into template

Now you can use the new credential in the template for deploying the application from a privat Git Repository.

After launching a template, AWX will read the credential, and injects the value into the play. With the injected SSH key, ansitrano can use the key to clone the source code from the privat repository to each local client. We use this method to deploy all Web Applications in the HA Webcluster.

Hint: When you are using the ansitrano deploy role, you need to set the ansistrano_git_identity_key_path variable in the new credential type. With this variable, the privat key will be copied from the controller to all the clients for deloyment and will be deletet after the Git Clone again.