Automatical creation of token #149

Open
mihalt opened this issue Apr 23, 2024 · 14 comments

@mihalt

mihalt commented Apr 23, 2024

Hi! As I see from your docs, I can not to define token property. I was sure that it should generate automatically

ansible-rclone/README.md

Lines 154 to 171 in 2aec630

```yml
- name: Install and configure rclone
  ansible.builtin.include_role:
    name: stefangweichinger.ansible_rclone
  vars:
    rclone_configs:
      - name: ExampleGoogleDriveRemote
        properties:
          type: drive
          client_id: 12345
          client_secret: 67890
- name: Restart rclone
  ansible.builtin.systemd:
    name: rclone.service
    state: restarted
  when: setup_rclone_config.changed
```

But in practice it doesn't, failing with the error:

drive: failed when making oauth client: failed to create oauth client: empty token found - please run \"rclone config reconnect GoogleDriveRemote:\""

And it starts working after I generated a token via `rclone config reconnect GoogleDriveRemote:` in a web browser. But it has a dedicated expiry time that can be a problem.

So, how do you recommend me to work?

@stefangweichinger
Owner

Sorry, I don't know. I don't use that feature, it came from another user in a PR I would have to look for. Maybe search the commits yourself ... I am busy right now.

@stefangweichinger
Owner

look here: #133

maybe ask @tigattack

@mihalt
Author

mihalt commented Apr 23, 2024

> look here: #133
>
> maybe ask @tigattack

And by the way, on my Ubuntu server the service name is different:

    - name: Restart rclone
      ansible.builtin.systemd:
        name: [email protected]
        state: restarted
      when: setup_rclone_config.changed

@tigattack
Contributor

tigattack commented Apr 26, 2024

You can define a token property. In fact, you can define anything you wish in the properties dict. Each item in properties is simply iterated over and templated into rclone.conf (template here).

However, even though it is possible, you described the issue with this approach in your initial description:

> But it has a dedicated expiry time that can be a problem.

Interactive authentication is not something that this role supports and, unless you use a service account, Google Drive authentication is an interactive process. I would suggest you use service account authentication if you require the entire process to be hands-off.

@stefangweichinger
Owner

is that still an issue?

@mihalt
Author

mihalt commented Sep 29, 2024

@tigattack if you are saying that I can generate the token on any PC during `rclone config` and pass it to Ansible with any expiration time, and it looks like it will work, then that's true.

But if I pass empty data like this token: ' {"access_token":"","token_type":"","refresh_token":"","expiry":""}' — it doesn't work.

@tigattack
Contributor

Sorry, I'm not clear on exactly what the problem is here. More detail would be great; as much info as possible on how you're using this role (including variable definitions with secrets obfuscated), what your goal is, and how you expect the end result to look and function.

@mihalt
Author

mihalt commented Sep 30, 2024

> Sorry, I'm not clear on exactly what the problem is here. More detail would be great; as much info as possible on how you're using this role (including variable definitions with secrets obfuscated), what your goal is, and how you expect the end result to look and function.

I just don't want to do any manual work to generate the token. It would be nice just to pass these variables:

```yml
rclone_configs:
  - name: ExampleGoogleDriveRemote
    properties:
      type: drive
      client_id: 12345
      client_secret: 67890
```

@tigattack
Contributor

As far as I can tell, everything that you've shown so far is working as designed and documented.

  • Generating a token on your PC and passing it via Ansible is a good proof that such a method works.
  • Yes, passing empty data will indeed not work.
  • You want the process to be hands-off / no manual steps, which is why I recommended you use service account authentication in my comment above from April. The setup and usage process for this is covered quite comprehensively in rclone's documentation.

I hope I've understood the issue correctly, but please let me know if that's not the case.

@mihalt
Author

mihalt commented Sep 30, 2024

> service account authentication

Do you mean variables something like this?

```json
{
  "type": "service_account",
  "project_id": "my-project-id",
  "private_key_id": "abcdef1234567890abcdef1234567890abcdef12",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANB ... Y1TC6i69A=\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project-id.iam.gserviceaccount.com"
}
```

@tigattack
Contributor

Exactly. I believe it would need to be passed in string form, though.

For example, this is one of mine:

```yml
rclone_configs:
  - name: "{{ rclone.remote_names.gmedia }}"
    properties:
      type: drive
      scope: drive
      service_account_credentials: "{{ (lookup('ansible.builtin.unvault', 'google_service_account.json')).strip() | string }}"
```

If not sourcing from an ansible-vault encrypted file, it would look something like this:

```yml
rclone_configs:
  - name: "{{ rclone.remote_names.gmedia }}"
    properties:
      type: drive
      scope: drive
      service_account_credentials: ' {"type":"service_account","project_id":"my-project-id","private_key_id":"abcdef1234567890abcdef1234567890abcdef12","private_key":"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANB ... Y1TC6i69A=\n-----END PRIVATE KEY-----\n","client_email":"[email protected]","client_id":"123456789012345678901","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project-id.iam.gserviceaccount.com"}'
```

Note

As mentioned in the readme re. the token variable: Note that the space after the single quote ' for service_account_credentials is intentional in order to force this into a string. Otherwise, it will be interpreted as an object and have its double quotes be converted to single quotes within the config file which rclone cannot parse correctly.
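A pre-deployment check for the two failure modes discussed in this thread (a JSON property written to rclone.conf as a single-quoted object, and a token whose fields are empty), as an added example that is not part of the thread or of the role. It assumes the rendered rclone.conf uses `key = value` lines; the function name and the sample config are constructed for illustration.

```python
import configparser
import json

# Properties the thread says must reach rclone.conf as JSON strings.
JSON_KEYS = ("token", "service_account_credentials")

# Constructed sample of a rendered rclone.conf (not taken from the thread).
SAMPLE = """\
[good]
type = drive
service_account_credentials = {"type":"service_account","client_x509_cert_url":"https://example.invalid/x509/sa%40proj"}

[mangled]
type = drive
service_account_credentials = {'type': 'service_account', 'project_id': 'proj'}

[empty]
type = drive
token = {"access_token":"","token_type":"","refresh_token":"","expiry":""}
"""

def check_rclone_conf(text):
    """Return (remote, key, problem) tuples for unusable JSON properties."""
    # interpolation=None: values such as '%40' in credential URLs would
    # otherwise raise an interpolation error when read.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    problems = []
    for remote in parser.sections():
        for key in JSON_KEYS:
            if key not in parser[remote]:
                continue
            raw = parser[remote][key].strip()
            try:
                data = json.loads(raw)
            except json.JSONDecodeError:
                # An object that was re-serialised with single quotes.
                kind = "single-quoted object" if raw.startswith("{'") else "not JSON"
                problems.append((remote, key, kind))
                continue
            # A token with neither an access nor a refresh token is unusable.
            usable = isinstance(data, dict) and (
                data.get("access_token") or data.get("refresh_token"))
            if key == "token" and not usable:
                problems.append((remote, key, "empty token fields"))
    return problems

if __name__ == "__main__":
    for remote, key, problem in check_rclone_conf(SAMPLE):
        print(f"{remote}: {key}: {problem}")
```
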

@mihalt
Author

mihalt commented Sep 30, 2024

> Exactly. I believe it would need to be passed in string form, though.
>
> For example, this is one of mine:
>
> ```yml
> rclone_configs:
>   - name: "{{ rclone.remote_names.gmedia }}"
>     properties:
>       type: drive
>       scope: drive
>       service_account_credentials: "{{ (lookup('ansible.builtin.unvault', 'google_service_account.json')).strip() | string }}"
> ```
>
> If not sourcing from an ansible-vault encrypted file, it would look something like this:
>
> ```yml
> rclone_configs:
>   - name: "{{ rclone.remote_names.gmedia }}"
>     properties:
>       type: drive
>       scope: drive
>       service_account_credentials: ' {"type":"service_account","project_id":"my-project-id","private_key_id":"abcdef1234567890abcdef1234567890abcdef12","private_key":"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANB ... Y1TC6i69A=\n-----END PRIVATE KEY-----\n","client_email":"[email protected]","client_id":"123456789012345678901","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project-id.iam.gserviceaccount.com"}'
> ```
>
> Note
>
> As mentioned in the readme re. the token variable: Note that the space after the single quote ' for service_account_credentials is intentional in order to force this into a string. Otherwise, it will be interpreted as an object and have its double quotes be converted to single quotes within the config file which rclone cannot parse correctly.

Oh, looks like something complex. Looks like generating and saving the token is indeed the easier way. Thank you :)

@stefangweichinger
Owner

can we close here? Anything from here to add to the README, maybe?

@tigattack
Contributor

Yes I think this can be closed. Maybe it's possible that a change to the README could help avoid further confusion, but honestly I'm not sure what could be added/changed. Whilst the implementation is a little 'finicky', I can't think of a better way to explain it.
