
Why getting permission denied when repo has SSH key and BITBUCKET_GIT_SSH_ORIGIN is set

Michael Brizic April 20, 2020

I have added an ssh key to the repository and also call:

git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}

but get this error in pipeline:

+ git pull --tags
Warning: Permanently added the RSA host key for IP address '18.205.93.2' to the list of known hosts.
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

1 answer

0 votes
Ronald C_
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 20, 2020

Hi @Michael Brizic

Would you be able to try running the following commands in your build to check the home directory, and also share with us the docker image that you're using?

script:
  - whoami
  - echo $HOME

I suspect that you've encountered a similar issue to the one here:
https://community.atlassian.com/t5/Bitbucket-Pipelines-questions/Re-Re-Pulling-a-private-repo-from-bitbucket-in-pipelines/qaq-p/1347516/comment-id/2387#M2387

Regards
Ronald

Michael Brizic April 21, 2020

Additional debugging reveals the following:

* The pipeline is building and deploying an Android APK

* It uses Triple-T/gradle-play-publisher (from GitHub)

* This requires a Google API key (set as a Repository Variable)

* The Repository Variable is a JSON string that contains a field named 'private_key'

* For whatever reason, even though the pipeline/step does not use this Repository Variable directly, the 'private_key' from this JSON string is set to

/opt/atlassian/pipelines/agent/ssh/id_rsa

* I have tried to take this 'private_key', generate the public key, and then set those as the SSH keys added to my repository and rerun the pipeline/step but I'm still getting a failure


Is there any way to mask a Repository Variable in a given pipeline/step?

What other troubleshooting/debugging steps should I take?

I'm able to modify the pipeline/step to print additional debugging information.

Thanks for responding

Ronald C_
Atlassian Team
April 21, 2020

Hi @Michael Brizic

Yes, you can mask the variable's value by checking the Secured checkbox while setting up the variable.
Variables in Pipelines - Atlassian Documentation

Are you still getting the SSH permission denied issue which you initially mentioned?
What do you observe when you run the following commands in your build?

script:
  - whoami
  - echo $HOME

Would you also share with us the docker image that you're using so that we can try to reproduce it on our end?

Regards,
Ronald 

Michael Brizic April 22, 2020

whoami = root

$HOME = /root

Image = python:3.8.1

 

Also, when I asked if there was a way to "mask" a Repository Variable I meant, is there a way to make it not be processed or present for a given pipeline or step?

Again, the Repository Variable in question is a JSON string which contains a 'private_key' and this is what the image is getting for the value in /opt/atlassian/pipelines/agent/ssh/id_rsa

Even when I take this same private_key, get the public key, and set it in the repository SSH keys (selecting Use My Own) it does not work.

Michael Brizic April 27, 2020

@Ronald C_ were you able to discern anything additional in support of my use case?

Michael Brizic May 1, 2020

@Ronald C_ is anyone doing additional research on this request?

Ronald C_
Atlassian Team
May 5, 2020

Hi @Michael Brizic 

Sorry for the late reply, as I had other priorities at home for the past few weeks.

I've checked the docker image that you're using and it shouldn't be affecting the ssh authentication:

In regards to your question about masking the repository variables, you will need to tick the "Secured" checkbox when you create the variable.
Sample Image:
image.png

Once you have created the "secured variables", Pipelines will check if the display output matches the variable's value.
If it matches, it will replace it with the variable's name, as shown below:
image.png

Sample Build: https://bitbucket.org/r-comm/json-masking/addon/pipelines/home#!/results/1

 

As for the issue that you've encountered:

Again, the Repository Variable in question is a JSON string which contains a 'private_key' and this is what the image is getting for the value in /opt/atlassian/pipelines/agent/ssh/id_rsa

Even when I take this same private_key, get the public key, and set it in the repository SSH keys (selecting Use My Own) it does not work

Would you give us an example of your configuration and the build output so that we can identify what's the issue that you're facing?

Regards,
Ronald

Michael Brizic May 6, 2020

I've now gone to the point of removing the repository variable that I thought was causing the problem and letting Bitbucket generate my SSH keys and I'm doing a dirt simple pipeline like the example you gave. And still, errors.

 

[Screenshots: Screen Shot 2020-05-06 at 6.36.15 AM.png, Screen Shot 2020-05-06 at 6.37.11 AM.png, Screen Shot 2020-05-06 at 6.37.25 AM.png]

Michael Brizic May 6, 2020

Originally, I had this repository variable named: GOOGLE_API_KEY_JSON and a value of JSON:

{
"type": "service_account",
"project_id": "some-value-here",
"private_key_id": "private-key-id-value",
"private_key": "-----BEGIN PRIVATE KEY-----<private key contents here>-----END PRIVATE KEY-----\n",
"client_email": "email address here",
"client_id": "client-id-here",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "cert-url-here"
}

Note the "private_key" variable in the JSON above. When I would run the pipeline that private_key above is what would get set in the /opt/atlassian/pipelines/agent/ssh/id_rsa file.

So knowing this, I then tried to add the private key to my repository SSH Keys, but that still didn't work.
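
A diagnostic for the mismatch described in the post above, as an added example that is not part of the original thread: it compares the SHA256 fingerprint of the key at /opt/atlassian/pipelines/agent/ssh/id_rsa with a public key you expect to be registered, printing fingerprints only and never key material. The function names and the AGENT_KEY and EXPECTED_PUB variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the AGENT_KEY /
# EXPECTED_PUB variables are assumptions made for this illustration.

# Print the SHA256 fingerprint of the public half of a private key file.
# Returns 2 if the file is not a usable, unencrypted private key.
fingerprint_of_private() {
    # -y derives the public key; -P "" makes an encrypted key fail, not prompt
    pub=$(ssh-keygen -y -P "" -f "$1" 2>/dev/null) || return 2
    printf '%s\n' "$pub" | ssh-keygen -l -E sha256 -f - | awk '{print $2}'
}

# Print the SHA256 fingerprint of a public key file (e.g. a copy of the key
# shown under the repository's SSH keys settings).
fingerprint_of_public() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null | awk '{print $2}'
}

# Exit status: 0 match, 1 mismatch, 2 private key unparseable, 3 input missing.
check_key_pair() {
    priv=$1
    expected_pub=$2
    [ -r "$priv" ] && [ -r "$expected_pub" ] || { echo "missing input file"; return 3; }
    have=$(fingerprint_of_private "$priv") || {
        echo "unparseable private key: $priv"
        return 2
    }
    want=$(fingerprint_of_public "$expected_pub")
    [ -n "$want" ] || { echo "unparseable public key: $expected_pub"; return 3; }
    echo "agent key:    $have"
    echo "expected key: $want"
    [ "$have" = "$want" ]
}

# Runs only when EXPECTED_PUB is set, e.g. from a pipeline script step:
#   EXPECTED_PUB=expected.pub sh check_key.sh
if [ -n "${EXPECTED_PUB:-}" ]; then
    check_key_pair "${AGENT_KEY:-/opt/atlassian/pipelines/agent/ssh/id_rsa}" "$EXPECTED_PUB"
fi
```

A mismatch (status 1) means the build is presenting a different key from the one registered; status 2 means the file at that path is not a private key ssh can load at all.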

Michael Brizic May 15, 2020

@Ronald C_ do you have any additional help for me after my additional debugging information has been shared?

I know you've likely been busy but is anyone else available to inspect it?

Michael Brizic June 5, 2020

Anyone have any updates?
