Using an Environment Variable inside of add_ssh_keys step

Tags: ssh, android, envars, circle.yml

#1

I am attempting to store my github fingerprint as an Environment Variable in my project and use it inside of the add_ssh_keys command in circle.yml.

- add_ssh_keys:
    fingerprints: $PROJ_FINGERPRINT

I would prefer doing this rather than adding the fingerprint directly to my repository. However, circle does not seem to pick up on environment variables in these circle-specific commands. It only picks up on them in custom commands. It also doesn’t seem possible to add SSH keys in custom commands, according to the documentation:
“Even though CircleCI uses ssh-agent to sign all added SSH keys, you must use the add_ssh_keys key to actually add keys to a container.”

Does anyone know of another possible way around this? If any? Thank you for the help in advance.


#2

I was also interested in doing something similar. Did you make progress on this?


#3

I’ve not done this, but I imagine that add_ssh_keys is not strictly necessary - I think it is just a convenience.

You could add your key and fingerprint as environment variables in the CircleCI UI, and then copy them into place in the ~/.ssh folder manually. You might have to encode the newlines as something else and swap them, or maybe base64 encode it, so it is just a long string. The main challenge will be seeing if CircleCI can cope with long strings - but I would be surprised if it cannot.

That all said, I believe add_ssh_keys will just add all keys if you don’t give it a map - if you only have one key then you don’t need to specify fingerprints at all.
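The manual route sketched in this reply (store the private key base64-encoded in a UI environment variable, then write it into ~/.ssh from a run step) looks like the following. This is an added example, not code from the thread or from CircleCI; the variable names PROJ_SSH_KEY_B64 and PROJ_KNOWN_HOSTS, the file name id_ci and the host-key line are assumptions. It creates the files with a restrictive umask rather than chmod-ing afterwards, fails the step if the variable is empty or not valid base64, and pins the host key instead of turning off StrictHostKeyChecking.

```shell
#!/bin/sh
# Added example (not CircleCI's code): install an SSH private key that was
# stored base64-encoded in a CI environment variable, as an alternative to
# add_ssh_keys. Variable and file names below are assumptions.

# install_ci_ssh_key <base64-encoded-key> <ssh-dir> <known-hosts-line>
# Decodes the key into <ssh-dir>/id_ci (mode 0600) inside <ssh-dir> (mode
# 0700) and appends the pinned host key line to <ssh-dir>/known_hosts.
install_ci_ssh_key() {
    key_b64=$1
    ssh_dir=$2
    known_hosts_line=$3

    # A missing secret must fail the job loudly, not produce an empty key file
    # that a later git step would silently fail on.
    if [ -z "$key_b64" ]; then
        echo "install_ci_ssh_key: key variable is empty" >&2
        return 1
    fi

    # umask 077 makes every file private from the moment it is created;
    # chmod after writing would leave a window with a world-readable key.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"

    # Values pasted into a web form often pick up stray whitespace or line
    # breaks, which make base64 -d fail, so strip them before decoding.
    if ! printf '%s' "$key_b64" | tr -d ' \n\r' | base64 -d > "$ssh_dir/id_ci"; then
        echo "install_ci_ssh_key: base64 decode failed" >&2
        rm -f "$ssh_dir/id_ci"
        umask "$old_umask"
        return 1
    fi
    chmod 600 "$ssh_dir/id_ci"

    # Pin the server's host key rather than disabling host key checking.
    if [ -n "$known_hosts_line" ]; then
        printf '%s\n' "$known_hosts_line" >> "$ssh_dir/known_hosts"
        chmod 600 "$ssh_dir/known_hosts"
    fi

    umask "$old_umask"
    return 0
}

# file_mode <path>: octal permission bits, portable across GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Typical call from a circle.yml run step (variable names are assumptions):
#   install_ci_ssh_key "$PROJ_SSH_KEY_B64" "$HOME/.ssh" "$PROJ_KNOWN_HOSTS"
```

Two caveats a practitioner would want alongside this: a key stored as a plain environment variable is visible to every step of the job and to anyone who can read project variables, whereas keys added through the UI's SSH section are only materialised when a step names them via add_ssh_keys, which is the point made later in the thread; and the key should be generated for the CI job alone (a deploy key scoped to one repository), so that leaking it from a build does not expose a personal account.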


#4

Thanks for taking the time to reply - that info is very useful.

Cheers.


#5

This is required, as described here https://circleci.com/docs/2.0/add-ssh-key/#advanced-usage


#6

Thanks, good to know. Would you describe why this is so? I’d like to understand why the process I described would not be enough for SSH.


#7

For security reasons we do not inject all keys automatically into the job. Customers may add keys for certain use cases, and therefore we require that you implicitly define which keys you want added to the container.


#8

I think we are talking at cross-purposes. I believe you meant to say that add_ssh_keys is mandatory, not that fingerprints is. I was wondering why this is so, given that it can be done manually with environment variables and creating .ssh files manually.


#9

Indeed, that’s what I was speaking to. You can always dump ENVs to any file you want, including .ssh/. Did not mean to be confusing.

To be clear, I meant that if you add your keys to the SSH section of the UI, that you also need add_ssh_keys to add them to the container.


#10

Ah yes, that would make sense. I can’t imagine there is any way to fish them out of that part of the system, other than through that command. Thanks!