Which user account relates to repo ssh key defined by the variable BITBUCKET_GIT_SSH_ORIGIN?


We are using Bitbucket Cloud with Pipelines. I am trying to implement controlled access to the git repo from the Pipelines process. As such we have created a 'bot' user which has git repo write permissions across multiple branches. Following the guidance in several questions/articles such as:

.. I have created an ssh key for the repo and provided the public key to the bot user. When running the pipeline everything works as expected, which is great, however I do not understand how the pipeline script actually associates the bot user with the BITBUCKET_GIT_SSH_ORIGIN variable.

The relevant excerpt from my bitbucket-pipelines.yml looks like this:

```yaml
custom:
  release-and-publish:
    - step:
        name: Build and test
        caches:
          - gradle
        script:
          - bash ./gradlew clean build
    - step:
        name: Git merge to master
        script:
          - git config remote.origin.fetch "+refs/heads/*:refs/remotes/origin/*"
          - git fetch
          - git checkout master
          - git merge ${BITBUCKET_BRANCH}
          - git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}
          - git push
```

 .. which results in the bot account 'BB' successfully performing the tasks.


My question is, how is the bot account associated with the ssh origin variable BITBUCKET_GIT_SSH_ORIGIN? The bot user account is the only account with write permission within the repo with access to the repo public key. My hypothesis is that the pipeline tries to look up repo write users with the appropriate public key.

If that is the case, a further question would then be, what would happen if I provided the repo public key to another user with repo write access, how would the pipeline then determine who is the resultant account which performs the git actions?

Answer accepted

Hi Tim,

The variable BITBUCKET_GIT_SSH_ORIGIN is not associated with any user.

If you use HTTPS to interact with a repo, the HTTPS URL can include your username if you set it that way, e.g.

https://my-Bitbucket-username@bitbucket.org/my-workspace/my-repo.git

However, SSH URLs look like this:

git@bitbucket.org:my-workspace/my-repo.git

When you use SSH, the user is determined by the SSH keys - we check if the public key is associated with a certain Bitbucket Cloud account, and if so, whether this account has appropriate permissions to the repo for the action that is performed.

For Pipelines specifically, if you have generated an SSH key pair from Repository settings, the private SSH key will be available during the Pipelines build. When you make a push from Pipelines, we check if the public key of this SSH key pair is associated with a Bitbucket user, and if this user has permission to push to this repo.

You can add the public key to a different user, but you'd need to remove it from the bot user first. A public SSH key cannot be associated with two Bitbucket accounts, because then we would not be able to identify who the authenticated user is. So, if another user tries to add this public SSH key to their account while the key is still associated with the bot user, they won't be able to.

If you have any further questions, please feel free to let me know.

Kind regards,
Theodora
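The identification logic described in the answer, as an added toy model (not Bitbucket's code): an HTTPS remote may carry a username, an SSH remote carries none, so the pushing account is whichever single account the key's fingerprint is bound to, and that account must then hold write permission on the repo. The registry, permissions table and fingerprint value are constructed for the example.

```python
"""Toy model of SSH-key-based push attribution (added example, not Bitbucket code)."""
from urllib.parse import urlparse


class KeyAlreadyBound(Exception):
    """Raised when a public key is already associated with a different account."""


def url_principal(remote_url):
    """Return the username embedded in an HTTPS remote URL, or None.

    An SSH remote such as git@bitbucket.org:workspace/repo.git carries no
    Bitbucket username ('git' is the SSH login, not an account), so the
    caller has to fall back to key-based identification.
    """
    if remote_url.startswith("https://"):
        return urlparse(remote_url).username  # None when there is no user@ prefix
    return None


def bind_key(registry, fingerprint, account):
    """Associate a public-key fingerprint with exactly one account.

    A key already bound to another account is rejected, because the server
    could otherwise not tell which account authenticated.
    """
    owner = registry.get(fingerprint)
    if owner is not None and owner != account:
        raise KeyAlreadyBound(f"key {fingerprint} is already bound to {owner}")
    registry[fingerprint] = account


def authorize_push(registry, permissions, fingerprint, repo):
    """Return the account allowed to push, or None if the key is unknown
    or its account lacks write permission on the repo."""
    account = registry.get(fingerprint)
    if account is None:
        return None
    if "write" not in permissions.get((account, repo), set()):
        return None
    return account


# Constructed sample data: a bot account and a human account on one repo.
REGISTRY = {}
PERMISSIONS = {
    ("bot", "my-workspace/my-repo"): {"read", "write"},
    ("tim", "my-workspace/my-repo"): {"read", "write"},
    ("viewer", "my-workspace/my-repo"): {"read"},
}
PIPELINE_KEY = "SHA256:constructed-fingerprint"  # placeholder, not a real key
bind_key(REGISTRY, PIPELINE_KEY, "bot")
```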

Hi Theodora,

Thank you for the response. This makes sense to me - the key point I was missing, which you have clarified, is that a public SSH key generated with the Pipelines Repository settings cannot be associated with more than one Bitbucket account. So if the bot user has this public SSH key added to its account it cannot be added to another user account.

Many thanks for your time.

Regards, Tim
