Pulling private repositories inside pipelines

Hi,

I'm evaluating the integration of Bitbucket pipelines to our git workflow for my organization. We have a private repository which is dependent on a couple of other private repositories to generate a build for deployment. We use SSH keys to access our repositories and I also have a pair of keys with read access ready for the pipeline. Can I get some guidance on how to integrate these keys within the pipeline so that I can have a build?

7 votes
Answer accepted

In order for the build agent to clone the submodules, you can give it SSH access to your Bitbucket account. 
Information on generating an SSH key can be found here: https://confluence.atlassian.com/display/BITBUCKET/Add+an+SSH+key+to+an+account

Set the following commands as the first ones in the step section of your bitbucket-pipelines.yml:

- mkdir -p ~/.ssh
- echo "$SSH_KEY" > ~/.ssh/id_rsa.tmp # note: assumes base64 encoded ssh key without a passphrase
- base64 -d ~/.ssh/id_rsa.tmp > ~/.ssh/id_rsa
- chmod 600 ~/.ssh/id_rsa

Note in this example the SSH key is base64 encoded to preserve new line characters and stored in a secured Pipelines variable named "SSH_KEY".

What if I don't want to commit an SSH key with write access in the repo?

Answering my own question: you can set up a "deployment key" in Bitbucket which only has read access to the repo.

And you can set up the ENV VAR via the Bitbucket interface, no need to commit it.

https://confluence.atlassian.com/display/BITBUCKET/Environment+variables+in+Bitbucket+Pipelines

In addition to that, I had to add the following line for SSH not to verify host keys:

- 'echo -e "Host *\n StrictHostKeyChecking no\n UserKnownHostsFile=/dev/null" > ~/.ssh/config'

Strangely enough, Pipelines does not recognize bitbucket.org's SSH keys by default.

I added Bitbucket as a known host as per a question in this FAQ instead of stopping StrictHostKeyChecking - https://confluence.atlassian.com/bitbucket/bitbucket-pipelines-faq-827104769.html

Code block I used

- echo "bitbucket.org,104.192.143.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==" >> /root/.ssh/known_hosts
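A hardened variant of the steps discussed in this thread, as an added example that is not part of any post here: it decodes the key from the secured variable under a restrictive umask, never prints it, and pins a host key while leaving strict checking on. The function name `install_pipeline_ssh` and its three arguments are assumptions made for this example; the host key line passed in is expected to have been verified out of band.

```shell
#!/bin/sh
# Added example, not from the thread. Names are hypothetical.
# install_pipeline_ssh DIR KEY_B64 KNOWN_HOSTS_LINE
#   DIR               target .ssh directory
#   KEY_B64           base64-encoded private key (value of the secured variable)
#   KNOWN_HOSTS_LINE  host key entry, verified out of band
install_pipeline_ssh() {
    dir=$1 key_b64=$2 host_line=$3
    [ -n "$key_b64" ] || { echo "SSH key variable is empty" >&2; return 1; }
    [ -n "$host_line" ] || { echo "no pinned host key supplied" >&2; return 1; }

    old_umask=$(umask)
    umask 077   # new files are 0600 and dirs 0700 from the moment they exist
    mkdir -p "$dir" || { umask "$old_umask"; return 1; }

    # Decode to a temp file in the same directory; nothing is echoed to the
    # build log, and a bad value never replaces an existing key.
    tmp="$dir/id_rsa.$$"
    if ! printf '%s' "$key_b64" | base64 -d > "$tmp" 2>/dev/null ||
       ! head -n 1 "$tmp" | grep -q '^-----BEGIN .*PRIVATE KEY-----'; then
        rm -f "$tmp"
        umask "$old_umask"
        echo "variable did not decode to a private key" >&2
        return 1
    fi
    mv "$tmp" "$dir/id_rsa"

    # Pin the host key (once) instead of disabling host key verification.
    grep -qxF "$host_line" "$dir/known_hosts" 2>/dev/null ||
        printf '%s\n' "$host_line" >> "$dir/known_hosts"
    printf 'Host *\n  StrictHostKeyChecking yes\n' > "$dir/config"

    umask "$old_umask"
}
```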
1 vote

See also:

https://answers.atlassian.com/questions/39243415 (specifically targeted at the issue of cloning private repositories)

and

https://answers.atlassian.com/questions/39429257 (more general info on setting up ssh public-key auth for use in Pipelines)
