Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,363,761
Community Members
 
Community Events
168
Community Groups

Use multiple SSH keys in your pipeline: Host key verification failed error

Edited

Hello,

I am trying to use a second ssh key in my build pipeline which is using git ls-remote to pull nodejs classes from Repo B to Repo A (the build repo). 

I am getting this error:

“Host key verification failed.

    fatal: Could not read from remote repository.

   Please make sure you have the correct access rights and the repository    exists.”

 

I referred to these questions for  answers and nothing worked for me:

https://community.atlassian.com/t5/Bitbucket-questions/Pulling-a-private-repo-from-bitbucket-in-pipelines/qaq-p/1345649

https://community.atlassian.com/t5/Bitbucket-questions/How-can-I-use-SSH-in-Bitbucket-Pipelines/qaq-p/347345

https://community.atlassian.com/t5/Answers-Developer-Questions/Pulling-private-repositories-inside-pipelines/qaq-p/468574

 

I also referred to this tutorial in the documentation :

https://support.atlassian.com/bitbucket-cloud/docs/variables-and-secrets/ (Section: Use multiple SSH keys in your pipeline)

to SUM up what I did so far:

  • Generated an ssh key
  • Encoded the ssh key to base64
  • added the encoded key to repository variables in the build repository
  • Added the public key as an access key to the repo B that I'm trying to pull the classes from.
  • Added bitbucket.org as a known_host in the build repository.

Please find attached my pipeline file:

 

image: mcr.microsoft.com/azure-cli
options:
docker: true
pipelines:
branches:
master:
- step:
name: Build and push
deployment: Develop
script:
- whoami
- echo $HOME
# Add bitbucket to known hosts manually even though I added it at the pipeline settings
- echo "bitbucket.org,104.192.143.2 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==" > /root/.ssh/known_hosts
- ssh-keyscan -t rsa bitbucket.org > my_known_hosts
- cat my_known_hosts >> ~/.ssh/known_hosts
# Cancel host verification (In a desperate step to bypass the error)
- 'echo -e "Host *\n StrictHostKeyChecking no\n UserKnownHostsFile=/dev/null" > ~/.ssh/config'
# Decode private key
- (umask 077 ; echo $SSH_SECOND_KEY | base64 -d > ~/.ssh/id_rsa)
#Build the docker image, THE ERROR happens here since I am building yarn here
- docker build -t $CR_ACR_HOSTNAME/$ACR_REPOSITORY_NAME:$BITBUCKET_COMMIT -t $CR_ACR_HOSTNAME/$ACR_REPOSITORY_NAME:$BITBUCKET_BUILD_NUMBER .
- az login --service-principal --username $CR_APP_ID --password $CR_APP_PASSWORD --tenant $CR_AD_TENANT_ID
- az acr login -n $CR_ACR_NAME
- docker push $CR_ACR_HOSTNAME/$ACR_REPOSITORY_NAME
- cd helm
- git submodule update --init --recursive
- git checkout $BITBUCKET_DEPLOYMENT_ENVIRONMENT
- git branch && ls -al
- sed -i "s/tag.*/tag\:\ $BITBUCKET_COMMIT/" helms/$BITBUCKET_REPO_SLUG/values.yaml
- git add helms/$BITBUCKET_REPO_SLUG/values.yaml
- git config --global user.email "ci-cd@company.com"
- git commit -m "$BITBUCKET_REPO_SLUG upgraded with commit $BITBUCKET_TAG on $BITBUCKET_DEPLOYMENT_ENVIRONMENT environment"
- git push origin $BITBUCKET_DEPLOYMENT_ENVIRONMENT
services:
- docker

definitions:
services:
docker:
memory: 3070
 

 

Thank you!

1 answer

1 accepted

1 vote
Answer accepted

Hi @Mohamed BELLAKHAL,

Checking your yml file, I see that you are not cloning any repo in the script, but you mention that this command fails:

- docker build -t $CR_ACR_HOSTNAME/$ACR_REPOSITORY_NAME:$BITBUCKET_COMMIT -t $CR_ACR_HOSTNAME/$ACR_REPOSITORY_NAME:$BITBUCKET_BUILD_NUMBER .

I assume that you have a Dockerfile in your repo that you are building, and you have a command to clone a repo in the Dockerfile?

If so, you will need to pass the SSH key to the docker build command and the known_hosts file also needs to be created in the Dockerfile.

I share below the steps that worked for me:

1. I created a secured variable named SSH_KEY in the repo where I build the Dockerfile.
The value of this variable is the private SSH key after I encoded it to base64.
The public key was added to the repo I want to clone.

2. In my bitbucket-pipelines.yml I build the Dokcerfile with the following command:

- docker build -t account/repo . --build-arg ssh_docker_key="${SSH_KEY}"

3. My Dockerfile includes the following lines:

ARG ssh_docker_key
RUN mkdir /root/.ssh/
RUN echo "$ssh_docker_key" | base64 --decode > /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
RUN touch /root/.ssh/known_hosts
RUN ssh-keyscan bitbucket.org > /root/.ssh/known_hosts
RUN git clone git@bitbucket.org:some-workspace/some-repo.git /home/app

Is this something that works for you?

Kind regards,
Theodora

Hello Theodora,

Yes your solution did the job for me. Thanks a lot!

Best Regards, Mohamed

Hi Mohamed,

That's good to hear and you are very welcome.

Please feel free to reach out if you ever need anything else!

Kind regards,
Theodora

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events