I am repeatedly getting permission denied error although I have added my ssh keys in bitbucket.

Poonam Manwani September 8, 2021

Error message that I am getting
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

1 answer

0 votes
Ben
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 9, 2021

G’day Poonam!

If you are getting this error message, it usually means that you may have your SSH keys installed locally but not within the context of the Bitbucket Cloud application which you are trying to access.
The specific error message which you have mentioned is covered within the following documentation but usually means your private key cannot authenticate with your public key stored in Bitbucket Cloud:
Troubleshoot SSH Issues 


There are a few places where SSH keys will reside:

  1. Local Level - this is on your local machine and is generated by using the ssh-keygen command within a terminal window. Both a public key and private key pair will be generated and both may be required to successfully establish a connection depending on what you are trying to achieve with Bitbucket Cloud.
    This process is outlined in the following documentation:
    Setup an SSH Key 
  2. Account Level - this is where your public key can be stored and can be accessed through Personal Settings > SSH Key. The public key which is stored here will give full admin access to your account and the workspaces/repositories contained within. The private key is used to validate with the public key stored here before establishing a connection.
  3. Repository Level (Access Key) - this is also where your public key can be stored to provide read-only access (for example: cloning a repository). This can be accessed through Repository Settings > Access Keys.
  4. Pipelines Level - this is where you pass the keys that you have into the Bitbucket Pipeline container which you are trying to run. You would access this via Repository Settings > Pipelines > SSH Keys.
    - If you require read-only access for pipelines (eg cloning), you would generate a new key pair in here, then copy this at the Repository Level defined above. This will establish two-way communication between pipelines and your repository.
    - If you require full read/write access for pipelines (eg cloning, pushing), you need to use the same key pair (both public and private) which you generated at the local level by clicking the “Use existing keys” button instead. There is full documentation linked above however to copy these keys you would perform the following commands (for public and private respectively) and paste these in:
    cat ~/.ssh/id_rsa.pub | pbcopy
    cat ~/.ssh/id_rsa | pbcopy
    NOTE: If you intend to use existing keys, you cannot have a passphrase configured on your SSH key - this will prevent you from connecting on pipelines. To remove the passphrase, it’s easiest to generate a new SSH key pair and follow steps above.

    To verify if it is an issue specifically with your currently configured keys/SSH access, please run the following command below:
    ssh -T git@bitbucket.org 
    NOTE: As this is a public post, please make sure you don’t include your real account name in your reply.

Please feel free to reach out if you have any further questions.

Cheers!

Ben
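
Added example, not part of Ben's answer or of Atlassian's documentation: a shell check for the two conditions the answer names before a local key pair is reused in Pipelines, namely that the private key has no passphrase and that the `.pub` file is really its public half. It assumes OpenSSH's `ssh-keygen` is on the PATH; the function names and verdict strings are illustrative.

```shell
#!/bin/sh
# Added example: sanity checks for a local key pair before it is pasted into
# Repository Settings > Pipelines > SSH Keys. Function names are illustrative.

# Exit 0 if the private key loads with an empty passphrase (no passphrase set).
# -P "" supplies the empty passphrase so ssh-keygen never prompts.
key_has_no_passphrase() {
    ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Exit 0 if the .pub file holds the public half of the given private key.
# Only key type and key data are compared; the trailing comment is ignored.
key_pair_matches() {
    derived=$(ssh-keygen -y -P "" -f "$1" 2>/dev/null | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$2" 2>/dev/null)
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Print the fingerprint of a public key file, for comparing two copies of a key
# (for example the file on disk and the text copied out of a settings page).
key_fingerprint() {
    ssh-keygen -l -f "$1" 2>/dev/null | awk '{print $2}'
}

# Print one verdict for a private key path (public key defaults to <path>.pub).
check_pipeline_key() {
    priv=$1
    pub=${2:-$1.pub}
    if [ ! -r "$priv" ] || [ ! -r "$pub" ]; then
        echo "missing-file"
    elif ! key_has_no_passphrase "$priv"; then
        echo "passphrase-protected-or-unreadable"
    elif ! key_pair_matches "$priv" "$pub"; then
        echo "public-key-mismatch"
    else
        echo "ok $(key_fingerprint "$pub")"
    fi
}

# Example call: check_pipeline_key ~/.ssh/id_rsa
```

The script only reads the key files and prints a verdict plus the public key fingerprint; it never prints private key material.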

Gerrit Germis March 8, 2022

Using runner version 1.301

I generated an SSH keypair for repository X (under pipeline -> SSH keys)

I added the public key of that pair to repository Y (under access keys). So, as I understand, this will allow me to pull from the repository using the private key

Repository X is a ruby project which uses rubygems to refer to repository Y

gem 'y', git: 'git@bitbucket.org:us/y.git'

Then during the bundle install I get the following error (permission denied)

#13 [build 4/5] RUN bundle install
#13 0.446 Fetching git@bitbucket.org:us/y.git
#13 0.809 Warning: Permanently added the RSA host key for IP address '104.192.141.1' to the list of known hosts.
#13 0.809 Permission denied (publickey).
#13 0.809 fatal: Could not read from remote repository.
#13 0.809
#13 0.809 Please make sure you have the correct access rights
#13 0.809 and the repository exists.
#13 0.809
#13 0.809 Retrying `git clone 'git@bitbucket.org:us/y.git' "/usr/local/bundle/cache/bundler/git/y-baf6ba6507685bbba040117b4db444b8f4a2bf72" --bare --no-hardlinks --quiet` due to error (2/4): Bundler::Source::Git::GitCommandError Git error: command `git clone 'git@bitbucket.org:us/y.git' "/usr/local/bundle/cache/bundler/git/y-baf6ba6507685bbba040117b4db444b8f4a2bf72" --bare --no-hardlinks --quiet` in directory /usr/app has failed.Permission denied (publickey).
#13 1.174 fatal: Could not read from remote repository.
#13 1.174
#13 1.174 Please make sure you have the correct access rights
#13 1.174 and the repository exists.
#13 1.174
#13 1.174 Retrying `git clone 'git@bitbucket.org:us/y.git' "/usr/local/bundle/cache/bundler/git/y-baf6ba6507685bbba040117b4db444b8f4a2bf72" --bare --no-hardlinks --quiet` due to error (3/4): Bundler::Source::Git::GitCommandError Git error: command `git clone 'git@bitbucket.org:us/y.git' "/usr/local/bundle/cache/bundler/git/y-baf6ba6507685bbba040117b4db444b8f4a2bf72" --bare --no-hardlinks --quiet` in directory /usr/app has failed.Permission denied (publickey).
#13 1.536 fatal: Could not read from remote repository.
#13 1.536
#13 1.536 Please make sure you have the correct access rights
#13 1.536 and the repository exists.
#13 1.536
#13 1.536 Retrying `git clone 'git@bitbucket.org:us/y.git' "/usr/local/bundle/cache/bundler/git/y-baf6ba6507685bbba040117b4db444b8f4a2bf72" --bare --no-hardlinks --quiet` due to error (4/4): Bundler::Source::Git::GitCommandError Git error: command `git clone 'git@bitbucket.org:us/y.git' "/usr/local/bundle/cache/bundler/git/y-baf6ba6507685bbba040117b4db444b8f4a2bf72" --bare --no-hardlinks --quiet` in directory /usr/app has failed.Permission denied (publickey).
#13 1.903 fatal: Could not read from remote repository.
#13 1.903
#13 1.903 Please make sure you have the correct access rights
#13 1.903 and the repository exists.
#13 1.904
#13 1.909 Git error: command `git clone
#13 1.909 'git@bitbucket.org:us/y.git'
#13 1.909 "/usr/local/bundle/cache/bundler/git/y-baf6ba6507685bbba040117b4db444b8f4a2bf72"
#13 1.909 --bare --no-hardlinks --quiet` in directory /usr/app has failed.
#13 ERROR: executor failed running [/bin/sh -c bundle install]: exit code: 11

I can verify that the private key is injected into the runner under /tmp as you mentioned. How can I have the pipeline use this private key by default when trying to pull from the private repo?

Thanks in advance

Ben
Atlassian Team
March 14, 2022

Hey Poonam,

The error that you are receiving appears to indicate that the public key between your Pipelines SSH and Account-Level SSH does not match. This is because Pipelines will authenticate any keys contained within its settings against your account-level SSH.
Can you please access Personal Settings > SSH Keys and ensure that the key here is copied into and is the same as in Repository Settings > Pipelines SSH?

Cheers

- Ben (Bitbucket Cloud Support)
