Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,501,443
Community Members
 
Community Events
180
Community Groups

Use SSH private key as repository secret variable

Edited
Mike Pham
Mike Pham Jun 21, 2021

Hi,

I'm trying to set my SSH private key as a secret variable of my repository. The SSH key is in this format

-----BEGIN OPENSSH PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAA....

AAAAAAAAAAAAAAAAAAAAA....

....
-----END OPENSSH PRIVATE KEY-----

The key doesn't register correctly because (I think) it spans across multiple lines and BitBucket only supports single line variables (again, I think).

I'm not sure if I'm missing something obvious, but can I use my ssh private key as a secret variable?

Currently I'm using a workaround which is to base64 encode it

cat ~/.ssh/id_rsa | base64

and then use that string as the private variable. However, there's a big issue with this approach: someone can make a new sneaky commit when I don't notice and steal my private key by adding this line to the pipeline

echo $PRIVATE_KEY_B64 | base64 --decode

 

Thanks,

Mike

Answer
Watch
Like Be the first to like this
2288 views

1 answer

0 votes
Theodora Boudale
Theodora Boudale Atlassian Team Jun 25, 2021

Hi Mike and welcome to the community.

You are correct that Pipelines does not currently support line breaks in environment variables, which is the reason why a private SSH key needs to be encoded in order to be added as a variable.

There is a risk associated indeed; when you set up SSH in Pipelines for a Bitbucket repository (either using a variable or using the SSH keys page in the Repository settings), all users with write access to the repo will have access to the remote host.

I am quoting from our documentation, specifically for using SSH keys as a secured variable:

There are security risks associated with passing private SSH keys as repository variables:

  • Repository variables get copied to child processes that your pipelines build may spawn.
  • Secured variables can be retrieved by all users with write access to a repository.

We recommend that you never pass your own personal SSH key as an repository variable, but instead generate a new SSH key-pair for Pipelines that easily be disabled if it is compromised. It may also be worth using deployment variables, which you can combine with deployment permissions to control access.

If you don't want users with write access to the repo to be able to access the SSH key, you can use deployments, define the SSH key as a deployment variable and then use the option "Only allow admins to deploy to this environment" for this deployment environment (this is available for workspaces on the Premium plan).

In this case, if a non-admin triggers a deployment, the build will get paused. This way, admins can review the commits made and then manually resume the build or decide not to run it.

You can read more about this in the following blog post:

Kind regards,
Theodora

Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

See all events