Automatic creation of token
Hi! As I see from your docs, I can not define the token property. I was sure that it should be generated automatically
https://github.com/stefangweichinger/ansible-rclone/blob/2aec630547fe4e49dfee244cd3a1c094a2e5faef/README.md?plain=1#L154-L171
But in practice it doesn't, and fails with the error
drive: failed when making oauth client: failed to create oauth client: empty token found - please run \"rclone config reconnect GoogleDriveRemote:\""
And it starts to work after I generated a token via rclone config reconnect GoogleDriveRemote: in a web browser. But it has a dedicated expiry time that can be a problem.
So, how do you recommend I work?
Sorry, I don't know. I don't use that feature, it came from another user in a PR I would have to look for. Maybe search the commits yourself ... I am busy right now.
look here: https://github.com/stefangweichinger/ansible-rclone/pull/133
maybe ask @tigattack
And by the way, on my Ubuntu server the service name is different:
```yaml
- name: Restart rclone
  ansible.builtin.systemd:
    name: [email protected]
    state: restarted
  when: setup_rclone_config.changed
```
You can define a token property. In fact, you can define anything you wish in the properties dict. Each item in properties is simply iterated over and templated into rclone.conf (template here).
However, even though it is possible, you described the issue with this approach in your initial description:
> But it has dedicated expiry time that can be a problem.
Interactive authentication is not something that this role supports and, unless you use a service account, Google Drive authentication is an interactive process. I would suggest you use service account authentication if you require the entire process to be hands-off.
is that still an issue?
@tigattack if you say that I can generate the token on any PC during rclone config and pass it to Ansible with any expiration time, and it looks like it will work — that's true.
But if I pass empty data like this token: ' {"access_token":"","token_type":"","refresh_token":"","expiry":""}' — it doesn't work.
Sorry, I'm not clear on exactly what the problem is here. More detail would be great; as much info as possible on how you're using this role (including variable definitions with secrets obfuscated), what your goal is, and how you expect the end result to look and function.
I just don't want to do any manual work to generate a token. It would be nice just to pass these variables:
```yaml
rclone_configs:
  - name: ExampleGoogleDriveRemote
    properties:
      type: drive
      client_id: 12345
      client_secret: 67890
```
As far as I can tell, everything that you've shown so far is working as designed and documented.
- Generating a token on your PC and passing it via Ansible is a good proof that such a method works.
- Yes, passing empty data will indeed not work.
- You want the process to be hands-off / no manual steps, which is why I recommended you use service account authentication in my comment above from April. The setup and usage process for this is covered quite comprehensively in rclone's documentation.
I hope I've understood the issue correctly, but please let me know if that's not the case.
- service account authentication
do you mean variables something like this?
```json
{
  "type": "service_account",
  "project_id": "my-project-id",
  "private_key_id": "abcdef1234567890abcdef1234567890abcdef12",
  "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANB ... Y1TC6i69A=\n-----END PRIVATE KEY-----\n",
  "client_email": "[email protected]",
  "client_id": "123456789012345678901",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project-id.iam.gserviceaccount.com"
}
```
Exactly. I believe it would need to be passed in string form, though.
For example, this is one of mine:
```yaml
rclone_configs:
  - name: "{{ rclone.remote_names.gmedia }}"
    properties:
      type: drive
      scope: drive
      service_account_credentials: "{{ (lookup('ansible.builtin.unvault', 'google_service_account.json')).strip() | string }}"
```
If not sourcing from an ansible-vault encrypted file, it would look something like this:
```yaml
rclone_configs:
  - name: "{{ rclone.remote_names.gmedia }}"
    properties:
      type: drive
      scope: drive
      service_account_credentials: ' {"type":"service_account","project_id":"my-project-id","private_key_id":"abcdef1234567890abcdef1234567890abcdef12","private_key":"-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANB ... Y1TC6i69A=\n-----END PRIVATE KEY-----\n","client_email":"[email protected]","client_id":"123456789012345678901","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://oauth2.googleapis.com/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_x509_cert_url":"https://www.googleapis.com/robot/v1/metadata/x509/my-service-account%40my-project-id.iam.gserviceaccount.com"}'
```
> [!NOTE]
> As mentioned in the readme re. the `token` variable: Note that the space after the single quote `'` for `service_account_credentials` is intentional in order to force this into a string. Otherwise, it will be interpreted as an object and have its double quotes be converted to single quotes within the config file, which `rclone` cannot parse correctly.
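A check for the two failure modes discussed in this thread (a JSON value written to rclone.conf in single-quoted form, and an empty token), as an added example that is not part of the thread or of the ansible-rclone role. The function name, remote names and sample values are constructed, and the "empty token" test is this example's own heuristic.

```python
import configparser
import json

# Keys whose values rclone expects to be JSON (both appear in this thread).
JSON_KEYS = ("token", "service_account_credentials")


def check_rclone_conf(text):
    """Return (remote, key, problem) tuples for JSON-valued keys in rclone.conf text."""
    # interpolation=None: credential URLs contain '%40', which configparser
    # would otherwise treat as interpolation syntax and reject.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    problems = []
    for remote in parser.sections():
        for key in JSON_KEYS:
            if not parser.has_option(remote, key):
                continue
            try:
                doc = json.loads(parser.get(remote, key).strip())
            except json.JSONDecodeError:
                # Typical cause: the value was templated as an object and
                # written out with single quotes instead of as JSON.
                problems.append((remote, key, "not valid JSON"))
                continue
            # Heuristic of this example: a token with neither field set is empty.
            if not isinstance(doc, dict):
                problems.append((remote, key, "JSON is not an object"))
            elif key == "token" and not (doc.get("access_token") or doc.get("refresh_token")):
                problems.append((remote, key, "empty token"))
    return problems


# Constructed sample input; remote names and values are placeholders.
GOOD_JSON = '{"type":"service_account","client_x509_cert_url":"https://example.invalid/x509/sa%40proj"}'
SAMPLE_CONF = "\n".join([
    "[sa_ok]",
    "service_account_credentials = " + GOOD_JSON,
    "[sa_mangled]",
    # str() of a dict: single quotes, which is not JSON.
    "service_account_credentials = " + str(json.loads(GOOD_JSON)),
    "[oauth_empty]",
    'token = {"access_token":"","token_type":"","refresh_token":"","expiry":""}',
])

if __name__ == "__main__":
    for remote, key, problem in check_rclone_conf(SAMPLE_CONF):
        print(f"{remote}: {key}: {problem}")
```

Run against the rendered file on the target host, this can serve as a post-deploy assertion before the rclone service is restarted.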
Oh, looks like something complex. Looks like generating and saving the token is indeed the easier way. Thank you :)