Ref https://support.atlassian.com/bitbucket-cloud/docs/push-back-to-your-repository/
I have created a pipeline SSH key - which is used for git submodules in the repo - I created this key myself earlier today, noone else than my tasks are using this key - https://bitbucket.org/MY_COMPANY/MY_REPO_HERE/admin/addon/admin/pipelines/ssh-keys
I try to add this pipeline public SSH key to my bitbucket account, https://bitbucket.org/account/settings/ssh-keys/
I then get this message:
my git push --tags then of course fails..
Part of my pipeline yml file below - but this fails before getting that far..
- step:
name: git tag
script:
- git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}
- git tag v$BITBUCKET_BUILD_NUMBER
- git push --tags
Hi @Gunnar Pedersen,
An SSH key can be added as an Access Key to as many Bitbucket Cloud repos as you want. However, it is not possible to add an SSH key both as an Access key to a repo and also to the personal SSH keys of an account.
The error you see when you try to add this SSH key to your account indicates that this key is already added as an Access Key to a repository.
An Access key provides read-only access to repos, so you won't be able to push with it.
What you can do is remove this Access Key from each repository where you have added it by going to each repository's Repository settings > Acces keys. You will then be able to add it to your account's SSH keys.
If you face any issues or if you have any questions, please feel free to reach out.
Kind regards,
Theodora
Thanks for feedback Theodora.
I checked out on another repo - and I got my git tagging going there. But for the repo in question I feel that I get into a "chicken and egg" situation. The problem is that my repo has a number of git submodules that I need to fetch/update before I can start my build process. And to allow my repo to do "git submodule update --init" I need to use repo access keys in these subrepos: ref https://stackoverflow.com/questions/53121955/how-to-use-git-submodules-with-bitbucket-pipelines
Then I have to choose between using git submodules (which allows my to build my software), or git tag - but not both?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Gunnar Pedersen,
You can remove the SSH key from the Access keys of the submodule repos and add it to your account. If all the submodule repos are hosted in Bitbucket Cloud, and if your account has access to all of them, then both the submodule update and the push in the next step should succeed.
We recommend using Access keys with submodules if you need read-only access in order to clone the submodules. However, it is also possible for submodules to be updated if the public SSH key is added:
The first option (adding the SSH key to an account) is useful if you have branch restrictions that allow pushing only to certain accounts (this is relevant for the second step where you push).
The second option (adding the SSH key to a workspace) can be used if you don't have branch restrictions to the repo where you want to push, and if all the repos you are cloning/pushing to belong to the same workspace.
The submodules will get updated in both cases.
Please feel free to let me know how it goes and if you have any other questions!
Kind regards,
Theodora
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
allo again Theodora, and thanks a lot for your quick followup :-)
But I do not quite follow you, I am not sure if my account is required when compiling the software in a pipeline?
yes all the submodules are hosted in the bitbucket cloud, and yes I do have access to all the submodules from my personal account. But does that mean that the "bitbucket pipeline" job also have access to these subrepos?
I do not need to modify the submodules - only to fetch/clone them to allow my current git repo to compile.
I tried removing the ssh keys from each of the submodules repo's - and my git submodule init then failed...
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi @Gunnar Pedersen,
There is actually another simpler solution, that I missed earlier:
Use the public SSH key in the Access keys of the submodules so you can clone them.
Then, remove the following line from the second step of your yml file:
- git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}
If you remove this line, the git push command (that pushes tags) will use the HTTPS origin and you won't need to provide authentication details to push back to the repo where the build is running.
Below, I am providing more details on why what you described in your last reply did not work (you don't have to use the solution detailed below, unless for some reason you want to push back to the repo via SSH):
If you have generated an SSH key pair from Repository settings > SSH keys, this key pair is going to be used by default if you try to clone other Bitbucket repos via SSH or push back to the repo via SSH where the build is running.
If the public key from this SSH key pair is not added anywhere, you won't be able to clone submodules via SSH (first step of your pipeline) or push via SSH to the repo where the build is running (second step of your pipeline).
If the public key is added as an Access key to the submodules, you will be able to clone the submodules (first step of your pipeline) but you won't be able push via SSH to the repo where the build is running (second step of your pipeline). The same SSH key pair will be used for authentication in both steps.
If you add the public key
then both steps should succeed. You need to add the public key to one of these two places if you want to use SSH, otherwise, authentication will fail.
Please keep in mind that if you do that, the pipeline should be able to access
This is applicable if you want to use SSH.
Kind regards,
Theodora
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Finally I got it going!
I had to put back the SSH keys that I first removed (ref initial reply) - which made the git submodules init work OK again.
And then remove the line about remote origin making the git push work
Thanks for assitance, and thanks for extras on detailed solutions, which might be relevant for my next steps
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
That's good to hear, thank you for the update!
I also wanted to add that the second solution with SSH will work if you use the SSH origin
- git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}
I just wanted to clarify that as well, in case you ever want to use the second solution in a different step of the repo or in another repo.
Please feel free to reach out if you ever need anything else!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.