Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

self hosted runner mount ssh key

Deleted user Dec 16, 2021

I am trying to move my bitbucket pipelines to self hosted runners.  I needs ssh keys.  In hosted runners ssh key is mounted automatically.  With self hosted runners, I did not find my id_rsa.  So I added my private key and mounted it to my dind container and runner container (I can see the keys when I ssh into the pods). However when I run a pipeline that volume mount does not exist.  How do I mount kubernetes secret into a self hosted pipeline runner?

2 answers

If somebody comes here with the same problem, I recently found a bug, that sill exists in v1.326

We were getting an error, while accessing our private repo during the pipeline build, but only on local runners, cloud was working
The error was something like this:

Load key /tmp/<uuid>/ssh/id_rsa: invalid format

The answer ist, that the added ssh-key under settings, need to have a newline at the end, without one, the local runners aren't able to load the ssh-key as mentioned here. 
Hopefully I helped someone, with this tip :)

@Edwin Knese we had exactly the same issue as you. I've tried the Kubernets and VM Linux runners and in both cases there was that problem.

On public runners the issue doesn't exist with the exactly same SSH key so BitBucket doing some adjustment on their machines.

Problem still exist on v1.363 runner.

@Caroline R please open the internal ticket to fix it or at least put some comments in runners configuration because there is so much waste time to looking solution for this (and from @Edwin Knese comments I assume is a known issue).


Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Sep 19, 2022

Hi @Edwin Knese and @Przemyslaw Nowak,

I am unable to reproduce the issue you are reporting. If you're still experiencing this, please create a new question via and provide some more details like the following, and we can look into this

- what type of runners you are using (Linux Docker or Linux Shell) and what version
- whether you are adding SSH keys via Repository settings > SSH keys or if you're using Repository variables
- your bitbucket-pipelines.yml configuration

Kind regards,

@Edwin Knese Wow, you really helped me. I added the newline to the key and suddenly it is working!

Like burroz likes this
0 votes
Caroline R
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Dec 17, 2021

Hi, @[deleted]! 

Thank you for reaching out to Atlassian Community!

About the first part of your question, if you are referring to the ssh from Repository settings > SSH keys under the Pipelines section, then I would like to ask you to confirm if your Runner is up to date with the latest version, as we have released support for SSH keys and known hosts on runners in latest versions. 

In order to upgrade it, you can stop the runner and use the below command to get the last version: 

docker image pull

Then, about the second part of your question, when you say you ran a pipeline and that volume mount didn’t exist, and how to mount Kubernetes secret into a self-hosted pipeline runner, could you please give us more details about your request? You can share your configuration with us, so we can properly assist you.

Looking forward to hearing from you.

Kind regards,

Deleted user Dec 19, 2021

Thanks for the reply.  So yes I am referring to the ssh key in the ssh keys pipelines.

This is the image I used:

I imagine that is the latest.

if I run the pipeline via bitbucket I see the ssh key in 


if i run it through the self hosted runner I do not see it there.
I have mounted the k8s secret with the id_rsa but I would prefer to get it from bitbucket directly.  so I see my id_rsa in  /tmp/ssh but that is from me updating it outside of bitbucket.  

So my goal would be to run the job in my own network using the ssh key passed on from the bitbucket pipeline (1 location for key pair maintenance vs 2).  And my pipeline does a docker build so would love to see the id_rsa in the container that does the docker build so I can pull the library repo we manage.
my very insecure way to manage that today is to get the id_rsa as an artifact and pass it to the runner but that is not what I want long term. This is only a POC at this point.

Below is my runner k8s yaml and the pipeline

image: atlassian/default-image:3
- step: &QueryECR
name: query ecr
image: atlassian/pipelines-awscli
- docker
# aws login
- echo "YES" > does_exist
- eval $(aws ecr get-login --region ${AWS_DEFAULT_REGION} --no-include-email)
- aws ecr describe-images --repository-name $image_name --image-ids imageTag=${BITBUCKET_COMMIT} || echo "NO" > does_exist
- does_exist
- step: &GetRSA
name: get rsa
- cat /opt/atlassian/pipelines/agent/ssh/id_rsa > id_rsa
- chmod 400 id_rsa
- id_rsa
- step: &BuildAndPush
name: Push image to ECR
deployment: Development
- if [ `cat does_exist` == "YES" ]; then exit 0 ; fi
# build the image
- docker build -t $image_name .

# use the pipe to push the image to AWS ECR
- pipe: atlassian/aws-ecr-push-image:1.4.2
IMAGE_NAME: $image_name
- docker
- step: *QueryECR
- step: *GetRSA
- step: *BuildAndPush
- step: *QueryECR
- step: *GetRSA
- step: *BuildAndPush


apiVersion: batch/v1

kind: Job


  name: runner





        accountUuid: FOO
        runnerUuid: FOO

        repositoryUuid: FOO



        - name: bitbucket-k8s-runner



            - name: ACCOUNT_UUID

              value: "FOO"

            - name: RUNNER_UUID

              value: "FOO"

             - name: REPOSITORY_UUID

              value: ""FOO""

            - name: OAUTH_CLIENT_ID



                  name: runner-oauth-credentials

                  key: oauthClientId

            - name: OAUTH_CLIENT_SECRET



                  name: runner-oauth-credentials

                  key: oauthClientSecret

            - name: WORKING_DIRECTORY

              value: "/tmp"


            - name: tmp

              mountPath: /tmp

            - name: docker-containers

              mountPath: /var/lib/docker/containers

              readOnly: true

            - name: var-run

              mountPath: /var/run

            - name: ssh-key

              readOnly: true

              mountPath: /tmp/ssh

        - name: docker-in-docker

          image: docker:20.10.7-dind


            privileged: true


            - name: tmp

              mountPath: /tmp

            - name: docker-containers

              mountPath: /var/lib/docker/containers

            - name: var-run

              mountPath: /var/run

            - name: ssh-key

              readOnly: true

              mountPath: /tmp/ssh

      restartPolicy: OnFailure


        - name: tmp

        - name: docker-containers

        - name: var-run

        - name: ssh-key


            secretName: ssh-key

  backoffLimit: 6

  completions: 1

  parallelism: 1

Like Bonnie Milian likes this
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Dec 20, 2021

Hi Olivier,

Please allow me to step in as Caroline is out of office.

The image you are using for the runner is the correct one, however, you may need to update it to the latest version. If you open the page of a Pipelines build on Bitbucket website and select a step that is running on your runner, select the word 'Runner' at the beginning of the log and you will see info about the Runner version. The latest one at the moment is 1.262.

If you are running an older version, you can upgrade it following the steps that Caroline mentioned in her previous reply. The latest version of the runner supports SSH keys that are added to a repo's Repository settings > SSH keys under the Pipelines section.

Please note that when you run a Pipelines build on your runner, the SSH key will not be located at /opt/atlassian/pipelines/agent/ssh/.

The path where the private SSH key is located includes the runner uuid which I'm afraid is not available during the build, and it will need to be hardcoded in your yml file. You can find it the following way:

- Run the command docker ps on the machine where the runner is running
- Find in the output the container for the Runner, and note its name, it should be something like runner-76b247e7-b925-5e7b-9da2-1cda14c4ff2c

For the example above, if the name of the runner is runner-76b247e7-b925-5e7b-9da2-1cda14c4ff2c and you have defined SSH keys in your Repository's settings and you are running the latest version of the runner, the private SSH key should be located at


If you have any questions, please feel free to let me know.

Kind regards,

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events