8

Here is the workflow I want to achieve:

  1. commit code
  2. bitbucket pipeline run test on my public docker image
  3. bitbucket pipeline executes ansible script to deploy on my public docker image

The first 2 steps working fine, but here is the problem: How/Where should I store my private keys to allow ansible to ssh to my remote server via ssh agent?

I am a bit reluctant to store the private key inside Pipeline env settings, since everyone else has admin access to the repo can see it.

There is a similar question asked here but the answer suggests to setup the keys on docker and use private repo, which it's a bit different to mine.

Community
  • 1
  • 1
James Lin
  • 25,028
  • 36
  • 133
  • 233

2 Answers2

3

You can now setup SSH keys under pipeline settings so that you do not need to use environment variables and copy to certain locations in the container. The private key is not shown at all.

Under

Settings -> Pipelines -> SSH keys

You would need to get the public key to the production containers known_hosts file.

AndrewK
  • 1,223
  • 2
  • 16
  • 25
2

I have set up a similar process and used Pipelines environment variables, there is a checkbox to secure the value so you don't need to worry about others viewing it.

The set up is pretty easy:

  • Base64 encode a private key and store it in an environment variable in Bitbucket
  • Commit a "my_known_hosts" file to your codebase that includes the public SSH key of the remote host.

Then in your bitbucket-pipelines.yml file set up the known_hosts and key:

- mkdir -p ~/.ssh
- cat my_known_hosts >> ~/.ssh/known_hosts
- (umask  077 ; echo $MY_SSH_KEY | base64 --decode > ~/.ssh/id_rsa)

Full documentation is available here https://confluence.atlassian.com/bitbucket/access-remote-hosts-via-ssh-847452940.html

Carl
  • 853
  • 9
  • 23