How can I use SSH in Bitbucket Pipelines?

I would like to use SSH in Bitbucket Pipelines to clone another repository from Bitbucket.

5 answers

2 accepted

For a slightly more general guide for using ssh and ssh-based tools from a pipeline (not just for cloning another Bitbucket repository) see this other question:

https://answers.atlassian.com/questions/39429257

It is similar to Philip's answer but also covers server key fingerprints and uploading your public key to other types of servers.

How do you actually use that key in a command?


The keys are injected into your build and should be available to commands that need them (in a similar way to how it would run locally).

Note that you'll still need to add the corresponding public key to whichever service you're trying to contact.

Yeah ive dropped the pipeline pub key onto my server in .ssh/authorized_keys

A simple "ssh -i user@domain.com" doesn't work

Ill keep trying

What error message are you getting? Key not found, or authentication errors?

@Elliot Borstthe -i option let you change the default key but you don't specify any file. You should remove this option.

"ssh root@server.domain.com  Pseudo-terminal will not be allocated because stdin is not a terminal.Host key verification failed."  

 

The pub key is on the other box, I can ssh fine from my Mac, I can see the connection come through our firewall ok.  Seems like pipelines isn't sending the private key with my command

Oh I worked it out, I wasn't actually adding the known host after doing the lookup.

Pseudo-terminal will not be allocated because stdin is not a terminal

take a look on ssh -t option if necessary

3 votes

There's a few steps required to do this.

First, you need to generate a key-pair to use for Bitbucket.

Generate a new SSH key-pair for use in Bitbucket. 

$ ssh-keygen -t rsa -b 4096 -C "

Do not use a passphrase, when prompted.

Once you have generated the key-pair, add the public key to your account:

https://confluence.atlassian.com/display/BITBUCKET/Add+an+SSH+key+to+an+account

If you already had an SSH key, and skipped the set up, start reading from here.

Now, we can set up SSH in Bitbucket Pipelines:

First, we will add the SSH key as an environment variable.

As of right now, Pipelines does not support line breaks in the environment variable, so we need to encode the private key first:

$ base64 <path>/<to>/id_rsa | pbcopy # probably path is ~/.ssh/id_rsa

Now create a secured environment variable in Bitbucket Pipelines called PRIVATE_KEY, with the contents of the base64 encoded private key:

https://confluence.atlassian.com/display/BITBUCKET/Environment+variables+in+Bitbucket+Pipelines

Now, create a bitbucket-pipelines.yml with the following content (I can't find the original source of this example sorry, share if you know smile):

# You can use a Docker image from Docker Hub or your own container
# registry for your build environment.
pipelines:
  default:
    - step:
        script: # Modify the commands below to build your repository.
          - echo $PRIVATE_KEY > ~/.ssh/id_rsa.tmp
          - base64 -d ~/.ssh/id_rsa.tmp > ~/.ssh/id_rsa
          - chmod 600 ~/.ssh/id_rsa
          - base64 ~/.ssh/id_rsa
          - git clone git@bitbucket.org:<account_name>/<repo_name>.git

You should see that the build successfully cloned your repository.

Troubleshooting

Q: The clone asks for a passphrase:

A: There are two things you should double check. When you created the SSH key-pair, did you create them without a passphrase? (If there's a passphrase, things get much more complicated than expected). If you did not have a passphrase, double check that the key (the private key) you have stored is base64 encoded.

 This line is superfluous and can be deleted: 
- base64 ~/.ssh/id_rsa

 

I added the above to my config file but on the first statement, echo $PRIVATE_KEY > ~/.ssh/id_rsa.tmp, I received the following: bash: /root/.ssh/id_rsa.tmp: No such file or directory

Add this statement before you echo the PRIVATE_KEY:

mkdir ~/.ssh

Does that help? smile

Maybe this will help... I have configured the  SSH key-pair without passphrase but when i tried to clone the repo with the above code i get the the request to enter some passphrase . For me the solution was to add -i to the command that write the key   . I dont know why i have this behavior. The encoding was done with version  8.25 and decoded with 8.21.

base64 -d  -i ~/.ssh/id_rsa.tmp > ~/.ssh/id_rsa

after running
git clone git@bitbucket.org:account_name/repo_name.git

+ git clone git@bitbucket.org:account_name/repo_name.git
Cloning into 'repo_name'...
The authenticity of host 'bitbucket.org (104.192.143.3)' can't be established.
RSA key fingerprint is 97:8c:1b:f2:6f:14:6b:5c:3b:ec:aa:46:46:74:7c:40.
Are you sure you want to continue connecting (yes/no)?

and can't do anything else

try this : 

 - ssh-keyscan bitbucket.org >> ~/.ssh/known_hosts

That will work, but it's not very secure (it's essentially bypassing host key checking because the key scan is performed on every build). A better option is to do the key scan just once locally and then include the full host key in your script or add a known_hosts file to your repository. That way your build will fail if the host key changes (which would indicate a potential security issue). You can find more details in step 4 of the following answer: How do I set up ssh public-key authentication so that I can use ssh, sftp or scp from my Bitbucket Pipelines pipeline?

Great, this worked. Thanks! 

0 votes

I'm attempting to use `npm` packages installed from private repositories in the same team account as the pipelines repo is running. I tried the steps for adding ssh but no luck any advice?

Screenshot 2018-01-02 21.00.48.png

Suggest an answer

Log in or Join to answer
Community showcase
Piotr Plewa
Published Dec 27, 2017 in Bitbucket

Recipe: Deploying AWS Lambda functions with Bitbucket Pipelines

Bitbucket Pipelines helps me manage and automate a number of serverless deployments to AWS Lambda and this is how I do it. I'm building Node.js Lambda functions using node-lambda&nbsp...

659 views 0 4
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot