Github user key permission error on machine executor


#1

Is there a problem with github user keys? after checkout in a machine executor, i’m trying to pull another repo and it fails on key: (which works for the 1.0, or if i use a docker executor)
Cloning into ‘/home/ubuntu/eight-docker’…
Warning: Permanently added ‘github.com,192.30.253.113’ (RSA) to the list of known hosts.

Permission denied (publickey).

fatal: Could not read from remote repository.

Please make sure you have the correct access rights


Getting Started: Docker Engine
#2

No, that has always been the case. The key in question is only valid for one repository. You will need to configure broader access.

https://circleci.com/docs/github-security-ssh-keys/


#3

I have a user key, not a deploy key( meaning for all repos, i configured it in the circleci project settings). the same checkout under the regular circleci works perfectly.


#4

Hi Ron,

Sorry for the delay getting back to you. The big reply thread got hairy, so I’ve been unraveling it to find unanswered questions. Could you share a build URL where this is happening?


#5

HI, I think I have the same issue, here’s a build URL: https://circleci.com/bb/capito-ai/backend-node-paddypower/11


#6

That’s not a 2.0 build.


#7

The build isn’t picking up a circle.yml, though it looks like your commit is specifically for putting a circle.yml in. CircleCI does a 1-file checkout of your circle.yml before starting a build, but if the file is in the commit, then this initial checkout was unsuccessful.

You might want to compare your Bitbucket checkout key under “project settings -> checkout ssh keys”. You can see if the fingerprint matches what shows up on Bitbucket. If not, they may have fallen out of sync.


#8

Getting the error in a machine executor as well. Docker executor works fine, but we need to use the machine executor for other reasons…


#9

@Wenzil: if you’re stuck, you can drop the checkout command and replace it with your own git clone call, and do your own SSH key and known_hosts setup. AFAIK there would be nothing Circle-ish about that at all - you’d just be doing a remote Git pull from one server to another.


#10

My bad, it was because the pull from git was done in the context of a docker build which doesn’t have access to the host machine ssh keys AFAIK.

I resolved my problem by doing the pull from git from a CircleCI step directly and changing the Dockerfile to ADD the pulled files


#11

That’s correct. Either you need to store the keys in the project repo (suitable for low-value repos where you don’t mind if the keys are revealed) or store them in CI env vars and write them to the appropriate files prior to the pull.


#12