Why getting permission denied when repo has SSH key and BITBUCKET_GIT_SSH_ORIGIN is set

I have added an ssh key to the repository and also call:

git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}

but get this error in pipeline:

+ git pull --tags
Warning: Permanently added the RSA host key for IP address '18.205.93.2' to the list of known hosts.
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

1 answer

0 votes
Ronald C_ Atlassian Team Apr 20, 2020

Hi @Michael Brizic

Would you be able to try running the following commands in your build to check the home directory, and also share with us the docker image that you're using?

script:
  - whoami
  - echo $HOME

I suspect that you are encountering a similar issue to the one here:
https://community.atlassian.com/t5/Bitbucket-Pipelines-questions/Re-Re-Pulling-a-private-repo-from-bitbucket-in-pipelines/qaq-p/1347516/comment-id/2387#M2387

Regards
Ronald

Additional debugging reveals the following:

* The pipeline is building and deploying an Android APK

* It uses Triple-T/gradle-play-publisher (from GitHub)

* This requires a Google API key (set as a Repository Variable)

* The Repository Variable is a JSON string that contains a field named 'private_key'

* For whatever reason, even though the pipeline/step does not use this Repository Variable directly, the 'private_key' from this JSON string is set to

/opt/atlassian/pipelines/agent/ssh/id_rsa

* I have tried to take this 'private_key', generate the public key, and then set those as the SSH keys added to my repository and rerun the pipeline/step but I'm still getting a failure


Is there any way to mask a Repository Variable in a given pipeline/step?

What other troubleshooting/debugging steps should I take?

I'm able to modify the pipeline/step to print additional debugging information.

Thanks for responding

Ronald C_ Atlassian Team Apr 21, 2020

Hi @Michael Brizic

Yes, you can mask the variable's value by checking the Secured checkbox while setting up the variable.
Variables in Pipelines - Atlassian Documentation

Are you still getting the SSH permission denied issue which you initially mentioned?
What do you observe when you run the following command in your build?

script:
  - whoami
  - echo $HOME

Would you also share with us the docker image that you're using so that we can try to reproduce it on our end?

Regards,
Ronald 

whoami = root

$HOME = /root

Image = python:3.8.1

 

Also, when I asked if there was a way to "mask" a Repository Variable I meant, is there a way to make it not be processed or present for a given pipeline or step?

Again, the Repository Variable in question is a JSON string which contains a 'private_key' and this is what the image is getting for the value in /opt/atlassian/pipelines/agent/ssh/id_rsa

Even when I take this same private_key, get the public key, and set it in the repository SSH keys (selecting Use My Own) it does not work.

@Ronald C_ were you able to discern anything additional in support of my use case?

@Ronald C_ is anyone doing additional research on this request?

Hi @Michael Brizic 

Sorry for the late reply, as I had other priorities at home for the past weeks.

I've checked the docker image that you're using and it shouldn't be affecting the ssh authentication:

In regards to your question about masking the repository variables, you will need to tick the "Secured" checkbox when you create the variable.
Sample Image:
image.png

Once you have created the "secured variables", Pipelines will check if the display output matches the variables' value.
If it matches, it will replace it with the variable's name, such as below:
image.png

Sample Build: https://bitbucket.org/r-comm/json-masking/addon/pipelines/home#!/results/1

 

As for the issue that you've encountered:

Again, the Repository Variable in question is a JSON string which contains a 'private_key' and this is what the image is getting for the value in /opt/atlassian/pipelines/agent/ssh/id_rsa

Even when I take this same private_key, get the public key, and set it in the repository SSH keys (selecting Use My Own) it does not work

Would you give us an example of your configuration and the build output so that we can identify what's the issue that you're facing?

Regards,
Ronald

I've now gone to the point of removing the repository variable that I thought was causing the problem and letting Bitbucket generate my SSH keys and I'm doing a dirt simple pipeline like the example you gave. And still, errors.

 


Originally, I had this repository variable named: GOOGLE_API_KEY_JSON and a value of JSON:

{
"type": "service_account",
"project_id": "some-value-here",
"private_key_id": "private-key-id-value",
"private_key": "-----BEGIN PRIVATE KEY-----<private key contents here>-----END PRIVATE KEY-----\n",
"client_email": "email address here",
"client_id": "client-id-here",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "cert-url-here"
}

Note the "private_key" variable in the JSON above. When I would run the pipeline that private_key above is what would get set in the /opt/atlassian/pipelines/agent/ssh/id_rsa file.

So knowing this, I then tried to add the private key to my repository SSH Keys, but that still didn't work.
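
Added example (not part of the original thread and not Atlassian's code): one way to check, from inside a build step, whether the key in /opt/atlassian/pipelines/agent/ssh/id_rsa is the same key as one held in a variable, without printing any key material. It compares SHA-256 digests of the PEM bodies and looks inside JSON-valued variables; the function names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import json
import re

# Any PEM private-key block (PKCS#8, RSA, OPENSSH, ...).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)

# Constructed sample data: the key body is a placeholder, not a real key.
SAMPLE_KEY_FILE = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RS\nVUNURUQ=\n"
                   "-----END PRIVATE KEY-----\n")
SAMPLE_ENV = {
    "HOME": "/root",
    "GOOGLE_API_KEY_JSON": json.dumps({
        "type": "service_account",
        "private_key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                       "-----END PRIVATE KEY-----\n",
    }),
}

def pem_digests(text):
    """SHA-256 of each PEM private-key body in text, ignoring whitespace."""
    text = text.replace("\\n", "\n")  # values pasted with literal \n escapes
    return {hashlib.sha256("".join(body.split()).encode()).hexdigest()
            for _label, body in PEM_RE.findall(text)}

def walk(value, path):
    """Yield (path, string) for every string inside a parsed JSON value."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from walk(item, f"{path}[{i}]")

def find_key_sources(key_file_text, env):
    """Return variable names/JSON paths holding the same key as the file."""
    wanted = pem_digests(key_file_text)
    hits = []
    for name, raw in sorted(env.items()):
        try:
            parsed = json.loads(raw)
        except ValueError:
            parsed = raw  # not JSON: check the raw value as-is
        hits += [p for p, s in walk(parsed, name) if wanted & pem_digests(s)]
    return hits

if __name__ == "__main__":
    import os
    with open("/opt/atlassian/pipelines/agent/ssh/id_rsa") as fh:
        print(find_key_sources(fh.read(), dict(os.environ)) or "no match")
```

An empty result means no variable visible to the step carries the key that the agent placed in that file; a hit names the variable and field only, so the output is safe to leave in the build log.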

@Ronald C_ do you have any additional help for me after my additional debugging information has been shared?

I know you've likely been busy but is anyone else available to inspect it?

Anyone have any updates?
