How can I implicitly specify a second set of access credentials?

[bismuthum83]

My problem is that I use Ansible playbooks, and I have two private repositories. The first one contains the playbooks, and the second one contains the roles. In the Semaphore template, I can easily specify access credentials for the first repository (with playbooks). However, when Semaphore tries to access the second repository through the requirements.yml file, it fails because it does not apply the private key associated with the first repository to the second one, nor does it try to find access credentials for the repository defined in the requirements.yml within the Key Store. Also, I can't pass variables like a PAT token in the repository URL before the playbook runs.

I tried using the same SSH pair in 2 different repos, and I have a pair in a Key Store with 2nd repo and the same SSH PrivateKey.

What should I do in this case? I certainly don't want to store plain-text PAT tokens in the requirements.yml. What am I missing?

[bernd-mueller-el]

I hope I understood your point and you can adopt some parts.
In my setup I use three keys for three repositories (inventory,playbooks,roles). For this I use the ssh config, e.g.

Host git-ansible-inventory
  HostName git
  IdentityFile ~/.ssh/id_git_ansible_inventory

Host git-ansible-playbooks
  HostName git
  IdentityFile ~/.ssh/id_git_ansible_playbooks

Host git-ansible-roles
  HostName git
  IdentityFile ~/.ssh/id_git_ansible_roles

Host git
  HostName git
  IdentityFile ~/.ssh/id_ed25519
  User git

instead of git use your git backend, e.g. gitlab/github/whatever

and e.g. in requirements.yml use this

roles:
  - name: roles
    src: git+git@git-ansible-roles:ORG/ansible-roles.git
    version: main

via the hostname the correct key will be used.

And in Semaphore you configure repos for inventory and playbooks with this URL
git@git-ansible-inventory:ORG/ansible-inventory.git

[bismuthum83]

Thank you for your reply!
So you are telling me that I have to configure root/.ssh/config on my Semaphore VM, and it would help Semaphore connect to my hosts, listed in this ssh config? I thought Semaphore uses only those keys, that I should configure in Key Store WEB UI.

Did I understand you properly?

[bernd-mueller-el]

As far as I understand SemaphoreUI, both ways are possible. But we do not want to use the keys in Key Store, so we use ssh keys. And of course our way will only work for git links via ssh and not http.
But if this is not applicable for your setup, my suggestion will not work for you. e.g. you will use http links to git backend

[bismuthum83]

It doesn't work for me. I think SemaphoreUI can't read and use SSH keys from local .ssh folders. My keys was correct, I could ssh -T without any troubles from both users - semaphore and root.

You sure we are not talking just about locally installed Ansible?

[bismuthum83]

Nah, I think I did it.
This .ssh/config for local user semaphore made it for me:

Host github.com
	HostName github.com
	IdentityFile ~/.ssh/key
	IdentitiesOnly yes
	StrictHostKeyChecking no

Tysm!