I would like some help running my Bitbucket pipeline CI/CD, but I am having a serious problem with the .key certificate part to access the server.

This is the output of the error:

    Digest: sha256:b9111f61b5824ca7ed1cb63689a6da55ca6d6e8985eb778c36a5dfc2ffe776a8
    Status: Downloaded newer image for bitbucketpipelines/scp-deploy:1.2.1
    INFO: Using passed SSH_KEY...
    Traceback (most recent call last):
      File "/pipe.py", line 108, in <module>
        pipe.run()
      File "/pipe.py", line 76, in run
        self.setup_ssh_config()
      File "/pipe.py", line 44, in setup_ssh_config
        f.write(base64.b64decode(ssh_key).decode())
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0x97 in position 42: invalid start byte

I put the .key certificate into a variable called $DO_KEY_QA, which is set by the pipeline:

    --env=DOCKER_HOST="tcp://host.docker.internal:2375" \
    --env=BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes" \
    --env=BITBUCKET_PIPE_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes/atlassian/scp-deploy" \
    --env=LOCAL_PATH="output-$BITBUCKET_BUILD_NUMBER.tar.gz" \
    --env=REMOTE_PATH="/opt/tmp/" \
    --env=SERVER="144.22.196.99" \
    --env=SSH_KEY="$DO_KEY_QA" \
    --env=USER="deploy" \

I already transformed the certificate to base64 (makes no sense at all) and it generates another error, but wasn't it supposed to accept the certificate normally as a string when reading?

1 Answer

First of all, to clarify: when you pass in the `SSH_KEY` parameter to the pipe bitbucketpipelines/scp-deploy:1.2.1, it must be base64 encoded (source).

This is also what one could guess, to a degree, from the last two lines at the end of the Python traceback:

    f.write(base64.b64decode(ssh_key).decode())
    UnicodeDecodeError: 'utf-8' codec can't decode byte 0x97 in position 42: invalid start byte

Writing the id_rsa_tmp identity file (f.write()) fails because after base64 (!) decoding the ssh_key to bytes, the UnicodeDecodeError happens before writing to file.

UnicodeDecodeError: 'utf-8' codec can't decode byte 0x97 in position 42: invalid start byte

Therefore, the original data needs to be base64 encoded for SSH_KEY, regardless of whether you think this is stupid or not (this is actually pretty common).

Nevertheless, the key that is being base64 encoded for the SSH_KEY parameter needs to be in ASCII format, as it otherwise could not be decoded as UTF-8.

When you provide it that way (key in ASCII encoding encoded as base64, the envelope encoding to transport it), it should work.

hakre
  • How do I know if my certificate is in ASCII format? It starts like this -----BEGIN OPENSSH PRIVATE KEY----- .... rest. If I transform the certificate to base64 UTF-8, will it work? Will the system also accept the base64 certificate for authentication? – Christian Guimarães May 22 '23 at 14:36
  • If it has the `-----BEGIN PRIVATE KEY-----` marker on top and the `-----END PRIVATE KEY-----` marker at the bottom, and between those lines you find base64 encoded data over multiple lines, then this looks good (it is a key, like the marker lines say, not a certificate, no big deal, just saying). The key is ASCII encoded then, which means it is also UTF-8 encoded. This is fitting for the `SSH_KEY` parameter, *but* you *must* encode this once *again* as base64 (the whole, including all markers). [1/2] – hakre May 22 '23 at 16:08
  • [2/2] Please see this guide: [**Use multiple SSH keys in your pipeline**](https://support.atlassian.com/bitbucket-cloud/docs/use-multiple-ssh-keys-in-your-pipeline/), multiple SSH keys in the title means more like additional next to the one you have in Atlassian Bitbucket itself already per Pipeline/Repository pair by default. I'll extend the answer later. – hakre May 22 '23 at 16:09
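
A pre-flight check for the value stored in the pipeline variable, added here as an example (it is not code from the pipe or from the answer above): it applies the same base64-then-UTF-8 decoding that the traceback shows and reports which layer is wrong. The function names, result labels and sample key text are constructed for illustration.

```python
import base64
import binascii

PEM_BEGIN, PEM_END = "-----BEGIN ", "-----END "


def diagnose_ssh_key_value(value: str) -> str:
    """Classify a candidate SSH_KEY value by the layer that is wrong (labels are hypothetical)."""
    stripped = value.strip()
    if stripped.startswith(PEM_BEGIN):
        return "raw-pem"  # key text pasted as-is: the outer base64 layer is missing
    try:
        # validate=True rejects stray characters; the default silently discards them
        raw = base64.b64decode("".join(stripped.split()), validate=True)
    except binascii.Error:
        return "not-base64"
    try:
        text = raw.decode("utf-8")  # the step that raises in the traceback
    except UnicodeDecodeError:
        return "binary-payload"  # what was encoded is not an ASCII/UTF-8 text key
    lines = text.strip().splitlines()
    if len(lines) < 3 or not lines[0].startswith(PEM_BEGIN) or not lines[-1].startswith(PEM_END):
        return "no-pem-markers"
    return "ok"


def encode_key_text(key_text: str) -> str:
    """Wrap the whole key text, markers included, in one line of base64."""
    return base64.b64encode(key_text.encode("ascii")).decode("ascii")


# Constructed samples: the body is placeholder bytes, not key material.
_BODY = base64.b64encode(b"constructed placeholder, not a real key").decode("ascii")
SAMPLE_KEY_TEXT = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n" + _BODY + "\n-----END OPENSSH PRIVATE KEY-----\n"
)
SAMPLE_BINARY = base64.b64encode(b"\x30\x82\x97\x01 constructed binary blob").decode("ascii")

if __name__ == "__main__":
    for label, value in [
        ("double-encoded key text", encode_key_text(SAMPLE_KEY_TEXT)),
        ("key text pasted directly", SAMPLE_KEY_TEXT),
        ("base64 of binary data", SAMPLE_BINARY),
    ]:
        print(f"{label}: {diagnose_ssh_key_value(value)}")
```

Running the check locally before saving the repository variable means the key never has to be echoed in a pipeline log to debug it.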