Which user account relates to repo ssh key defined by the variable BITBUCKET_GIT_SSH_ORIGIN?


We are using Bitbucket Cloud with Pipelines. I am trying to implement controlled access to the git repo from the Pipelines process. As such we have created a 'bot' user which has git repo write permissions across multiple branches. Following the guidance in several questions/articles such as:

.. I have created an ssh key for the repo and provided the public key to the bot user. When running the pipeline everything works as expected, which is great, however I do not understand how the pipeline script actually associates the bot user with the BITBUCKET_GIT_SSH_ORIGIN variable.

The relevant excerpt from my bitbucket-pipelines.yml looks like this:

custom:
  release-and-publish:
    - step:
        name: Build and test
        caches:
          - gradle
        script:
          - bash ./gradlew clean build
    - step:
        name: Git merge to master
        script:
          - git config remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"
          - git fetch
          - git checkout master
          - git merge ${BITBUCKET_BRANCH}
          - git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}
          - git push

 .. which results in the bot account 'BB' successfully performing the tasks.


My question is, how is the bot account associated with the ssh origin variable BITBUCKET_GIT_SSH_ORIGIN? The bot user account is the only account with write permission within the repo with access to the repo public key. My hypothesis is that the pipeline tries to look up repo write users with the appropriate public key.

If that is the case, a further question would then be, what would happen if I provided the repo public key to another user with repo write access, how would the pipeline then determine who is the resultant account which performs the git actions?

 

1 answer

Answer accepted

Hi Tim,

The variable BITBUCKET_GIT_SSH_ORIGIN is not associated with any user.

If you use HTTPS to interact with a repo, the HTTPS URL can include your username if you set it that way, e.g.

https://my-Bitbucket-username@bitbucket.org/my-workspace/my-repo.git

However, SSH URLs look like this:

git@bitbucket.org:my-workspace/my-repo.git

When you use SSH, the user is determined by the SSH keys - we check if the public key is associated with a certain Bitbucket Cloud account, and if so, whether this account has appropriate permissions to the repo for the action that is performed.

For Pipelines specifically, if you have generated an SSH key pair from Repository settings, the private SSH key will be available during the Pipelines build. When you make a push from Pipelines, we check if the public key of this SSH key pair is associated with a Bitbucket user, and if this user has permission to push to this repo.

You can add the public key to a different user, but you'd need to remove it from the bot user first. A public SSH key cannot be associated with two Bitbucket accounts, because then we would not be able to identify who the authenticated user is. So, if another user tries to add this public SSH key to their account while the key is still associated with the bot user, they won't be able to.

If you have any further questions, please feel free to let me know.

Kind regards,
Theodora
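
The lookup described in the answer above, as an added example that is not part of the original answer and is not Bitbucket's implementation: a toy model in which the pushing account is resolved from the key fingerprint alone and a key can belong to only one account. The account names (bot-bb, alice) and the sample key are constructed for the demonstration.

```python
import base64
import hashlib
import struct


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a key line ('type base64 [comment]')."""
    blob = base64.b64decode(pubkey_line.split()[1])  # the comment field is ignored
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyRegistry:
    """Toy model of the server side: each key maps to at most one account."""

    def __init__(self, writers):
        self.owner_by_fp = {}          # fingerprint -> account name
        self.writers = set(writers)    # accounts with push permission on the repo

    def add_key(self, account, pubkey_line):
        fp = fingerprint(pubkey_line)
        owner = self.owner_by_fp.get(fp)
        if owner is not None and owner != account:
            raise ValueError(f"key already associated with account {owner!r}")
        self.owner_by_fp[fp] = account

    def remove_key(self, account, pubkey_line):
        fp = fingerprint(pubkey_line)
        if self.owner_by_fp.get(fp) == account:
            del self.owner_by_fp[fp]

    def push(self, pubkey_line):
        """Resolve the pushing account from the key alone, then check permission."""
        account = self.owner_by_fp.get(fingerprint(pubkey_line))
        if account is None:
            return (None, False)
        return (account, account in self.writers)


def make_sample_key(seed: bytes, comment: str) -> str:
    """Constructed ed25519-shaped key line for the demo (not a real key pair)."""
    raw = hashlib.sha256(seed).digest()  # 32 placeholder bytes
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed stand-in for the public key generated in Repository settings.
PIPELINES_KEY = make_sample_key(b"repo-pipelines-key", "pipelines@example")
```

Changing only the trailing comment of a key line does not change its fingerprint, so the same key with a different comment is still rejected for a second account in this model.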

Hi Theodora,

Thank you for the response. This makes sense to me - the key point I was missing, which you have clarified, is that a public SSH key generated with the Pipelines Repository settings cannot be associated with more than one Bitbucket account. So if the bot user has this public SSH key added to its account it cannot be added to another user account.

Many thanks for your time.

Regards, Tim
