
Which user account relates to repo ssh key defined by the variable BITBUCKET_GIT_SSH_ORIGIN?

Tim Apps November 4, 2021

We are using Bitbucket Cloud with Pipelines. I am trying to implement controlled access to the git repo from the Pipelines process. As such we have created a 'bot' user which has git repo write permissions across multiple branches. Following the guidance in several questions/articles such as:

.. I have created an ssh key for the repo and provided the public key to the bot user. When running the pipeline everything works as expected, which is great, however I do not understand how the pipeline script actually associates the bot user with the BITBUCKET_GIT_SSH_ORIGIN variable.

The relevant excerpt from my bitbucket-pipelines.yml looks like this:

```yaml
custom:
  release-and-publish:
    - step:
        name: Build and test
        caches:
          - gradle
        script:
          - bash ./gradlew clean build
    - step:
        name: Git merge to master
        script:
          - git config remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"
          - git fetch
          - git checkout master
          - git merge ${BITBUCKET_BRANCH}
          - git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}
          - git push
```

... which results in the bot account 'BB' successfully performing the tasks.


My question is, how is the bot account associated with the ssh origin variable BITBUCKET_GIT_SSH_ORIGIN? The bot user account is the only account with write permission within the repo with access to the repo public key. My hypothesis is that the pipeline tries to look up repo write users with the appropriate public key.

If that is the case, a further question would then be: what would happen if I provided the repo public key to another user with repo write access? How would the pipeline then determine which account ends up performing the git actions?


1 answer

1 accepted

1 vote
Answer accepted
Theodora Boudale
Atlassian Team
November 5, 2021

Hi Tim,

The variable BITBUCKET_GIT_SSH_ORIGIN is not associated with any user.

If you use HTTPS to interact with a repo, the HTTPS URL can include your username if you set it that way, e.g.

https://my-Bitbucket-username@bitbucket.org/my-workspace/my-repo.git

However, SSH URLs look like this:

git@bitbucket.org:my-workspace/my-repo.git

When you use SSH, the user is determined by the SSH keys - we check if the public key is associated with a certain Bitbucket Cloud account, and if so, whether this account has appropriate permissions to the repo for the action that is performed.

For Pipelines specifically, if you have generated an SSH key pair from Repository settings, the private SSH key will be available during the Pipelines build. When you make a push from Pipelines, we check if the public key of this SSH key pair is associated with a Bitbucket user, and if this user has permission to push to this repo.

You can add the public key to a different user, but you'd need to remove it from the bot user first. A public SSH key cannot be associated with two Bitbucket accounts, because then we would not be able to identify who the authenticated user is. So, if another user tries to add this public SSH key to their account while the key is still associated with the bot user, they won't be able to.

If you have any further questions, please feel free to let me know.

Kind regards,
Theodora
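The identity resolution the answer describes, written out as an added example (this is a model, not Bitbucket's code): the public key's fingerprint maps to at most one account, a second account cannot bind the same key, and a push is authorized by resolving the key to its account and then checking that account's write permission on the repo. Account names, repo name and the key bytes are constructed for the example.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    # OpenSSH wire encoding: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64> <comment>' line from 32 raw key bytes (constructed sample key)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of the key blob, in the form 'ssh-keygen -lf' prints it."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KeyRegistry:
    """Hypothetical model of the key-to-account binding and the push permission check."""

    def __init__(self):
        self.key_owner = {}     # fingerprint -> account that owns the key
        self.repo_writers = {}  # repo -> set of accounts with write permission

    def add_key(self, account: str, pubkey_line: str) -> None:
        fp = fingerprint(pubkey_line)
        owner = self.key_owner.get(fp)
        if owner is not None and owner != account:
            # A key bound to two accounts would make the pusher ambiguous, so refuse.
            raise ValueError(f"key {fp} is already associated with account {owner}")
        self.key_owner[fp] = account

    def remove_key(self, account: str, pubkey_line: str) -> None:
        fp = fingerprint(pubkey_line)
        if self.key_owner.get(fp) == account:
            del self.key_owner[fp]

    def grant_write(self, repo: str, account: str) -> None:
        self.repo_writers.setdefault(repo, set()).add(account)

    def authorize_push(self, repo: str, pubkey_line: str):
        """Return the account a push with this key runs as, or None when it must be rejected."""
        account = self.key_owner.get(fingerprint(pubkey_line))
        if account is None or account not in self.repo_writers.get(repo, set()):
            return None
        return account
```

The SSH URL itself carries no username, so the only thing that changes which account a Pipelines push runs as is which account currently owns the repository key.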

Tim Apps November 5, 2021

Hi Theodora,

Thank-you for the response. This makes sense to me - the key point I was missing, which you have clarified, is that a public SSH key generated with the Pipelines Repository settings cannot be associated with more than one Bitbucket account. So if the bot user has this public SSH key added to its account it cannot be added to another user account.

Many thanks for your time.

Regards, Tim
