Heroku credentials aren't used

heroku
deployment
circle.yml

#1

I followed the instructions from Deploying Examples, but unfortunately heroku credentials don’t seem to be working.

I’ve set up heroku permissions in my account:

Here’s the output I get:

Permission denied (publickey).

fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
Enter your Heroku credentials.
Email: 
Exited with code 1

The relevant section of my circle.yml is below:

  # Deploy to test server
  - type: deploy
    name: "Deploy to Heroku"
    command: |
      if [ "${CIRCLE_BRANCH}" == "master" ]; then
        # Install Heroku fingerprint
        echo 'heroku.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu8erSx6jh+8ztsfHwkNeFr/SZaSOcvoa8AyMpaerGIPZDB2TKNgNkMSYTLYGDK2ivsqXopo2W7dpQRBIVF80q9mNXy5tbt1WE04gbOBB26Wn2hF4bk3Tu+BNMFbvMjPbkVlC2hcFuQJdH4T2i/dtauyTpJbD/6ExHR9XYVhdhdMs0JsjP/Q5FNoWh2ff9YbZVpDQSTPvusUp4liLjPfa/i0t+2LpNCeWy8Y+V9gUlDWiyYwrfMVI0UwNCZZKHs1Unpc11/4HLitQRtvuk0Ot5qwwBxbmtvCDKZvj1aFBid71/mYdGRPYZMIxq1zgP1acePC1zfTG/lvuQ7d0Pe0kaw==' >> ~/.ssh/known_hosts

        git push git@heroku.com:sparks-web-test.git:master master
      fi

I’m assuming that heroku credentials aren’t automatically passed through, but I’d love an example on how to set this up properly. I’ve tried creating my own .netrc file, but it didn’t seem to like it. No .netrc exists as far as I can tell.


#2

Heroku integration isn’t complete yet for 2.0. As a workaround, could you try adding a Heroku deploy private key in the SSH permissions section?


#3

Tried it, but didn’t seem to work. I’m not sure if I’m doing it correctly.

Here are the steps I took:

  1. Created a new SSH key.
  2. Registered the public key (id_rsa.pub) with heroku’s per-account SSH Keys.
  3. Registered the private key (id_rsa) with CircleCI with hostname heroku.com (a bit unsure on this step)
  4. Attempted to connect to heroku to push the build contents.

To debug, I used heroku’s debug hints and ran the following. It doesn’t seem like it’s picking up the proper ssh key from anywhere.

$ ssh -v git@heroku.com
OpenSSH_7.2p2 Ubuntu-4ubuntu2.1, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to heroku.com [50.19.85.156] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1
debug1: Remote protocol version 2.0, remote software version endosome
debug1: no match: endosome
debug1: Authenticating to heroku.com:22 as 'git'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ssh-rsa SHA256:8tF0wX2WquK45aGKs/Bh1dKmBXH08vxUe0VCJJWOA/o
debug1: Host 'heroku.com' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:7
Warning: Permanently added the RSA host key for IP address '50.19.85.156' to the list of known hosts.
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey).
Exited with code 255

#4

Found the problem: I was missing the add-ssh-keys command! For anyone else looking to solve this, here’s what you need to get it working:

  1. Generate an SSH key and add the public key to your heroku account (https://dashboard.heroku.com/account)
  2. Add your SSH private key to the “SSH Permissions” tab in CircleCI

If you also want to be able to run heroku command line args (like automatically running migrations or other post-deployment steps):

  1. Generate an API key in your heroku account (https://dashboard.heroku.com/account)
  2. Set HEROKU_API_KEY in your project “Environment Variables” tab to the generated API key

Your circle.yml should contain the following:

      - type: add-ssh-keys
      - type: deploy
        name: "Deploy to Heroku"
        command: |
          if [ "${CIRCLE_BRANCH}" == "master" ]; then
            # Install Heroku fingerprint (this is heroku's own key, NOT any of your private or public keys)
            echo 'heroku.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAu8erSx6jh+8ztsfHwkNeFr/SZaSOcvoa8AyMpaerGIPZDB2TKNgNkMSYTLYGDK2ivsqXopo2W7dpQRBIVF80q9mNXy5tbt1WE04gbOBB26Wn2hF4bk3Tu+BNMFbvMjPbkVlC2hcFuQJdH4T2i/dtauyTpJbD/6ExHR9XYVhdhdMs0JsjP/Q5FNoWh2ff9YbZVpDQSTPvusUp4liLjPfa/i0t+2LpNCeWy8Y+V9gUlDWiyYwrfMVI0UwNCZZKHs1Unpc11/4HLitQRtvuk0Ot5qwwBxbmtvCDKZvj1aFBid71/mYdGRPYZMIxq1zgP1acePC1zfTG/lvuQ7d0Pe0kaw==' >> ~/.ssh/known_hosts

            git push git@heroku.com:yourproject.git $CIRCLE_SHA1:refs/heads/master

            # Optional post-deploy commands
            # heroku run python manage.py migrate --app=my-heroku-project
          fi
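
Added example, not part of the original posts: a shell helper that reads `ssh -v` output like the log in post #3 and separates "no client key was offered" (the situation before the add-ssh-keys step was in place) from "a key was offered and rejected" and from a host-key failure. The function names and verdict strings are made up for illustration, and the classification is a heuristic based on OpenSSH's debug messages.

```shell
#!/bin/sh
# Added example: classify `ssh -v` output from a CI deploy step.
# diagnose_ssh_log and its verdict strings are illustrative names.

diagnose_ssh_log() {
  # Reads `ssh -v` output on stdin and prints one verdict word.
  awk '
    /Host key verification failed/               { hostkey_bad = 1 }
    /Offering .*public key/                      { offered++ }
    /Permission denied \(publickey\)/            { denied = 1 }
    /Authentication succeeded|Authenticated to / { authed = 1 }
    END {
      if (authed)                  print "ok"
      else if (hostkey_bad)        print "host-key-unverified"  # known_hosts pin missing or wrong
      else if (denied && !offered) print "no-key-offered"       # no usable key in ~/.ssh or the agent
      else if (denied)             print "key-rejected"         # key sent, not registered server-side
      else                         print "unknown"
    }'
}

sample_log() {
  # Lines trimmed from the `ssh -v` output in post #3.
  cat <<'EOF'
debug1: identity file /root/.ssh/id_rsa type -1
debug1: Host 'heroku.com' is known and matches the RSA host key.
debug1: Authentications that can continue: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: No more authentication methods to try.
Permission denied (publickey).
EOF
}

rejected_log() {
  # Constructed sample: a key is present and offered, but the server refuses it.
  cat <<'EOF'
debug1: identity file /root/.ssh/id_rsa type 1
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey
Permission denied (publickey).
EOF
}

sample_log | diagnose_ssh_log
rejected_log | diagnose_ssh_log
```

In a deploy step, pipe `ssh -v git@heroku.com 2>&1` into the function before the `git push` so the job log states which side of the key setup is missing.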
