What is the purpose of add_ssh_keys?

The documentation on configuring SSH access mentions that we must add “add_ssh_keys” to any job in which we want to use a key. However, I was able to do this without having it in my config file. How is this possible? And why do we need “add_ssh_keys” then?

Welcome to the community, @darkknight97!

I’m not sure I follow your question.

  • If you mean SSHing into the build environment, then we fetch the SSH key on file from the VCS provider (e.g., Bitbucket and GitHub), so you don’t need to configure or run anything in the config.
  • If you’re talking about making use of an SSH key inside the environment, that’s what the add_ssh_keys config is for. The use case is when, from inside the box, you need to use some SSH key to do something else (like deploying to yet another box somewhere else).

Let me know if this helps or you have more questions!

Hi @thekatertot.
I mean the second use case, “making use of an SSH key inside the environment”. I need to send my code to an EC2 instance using rsync, and the CircleCI docs say that I need to use the add_ssh_keys config to add the keys to the box. However, I was able to do the rsync even without add_ssh_keys. So I was curious as to what its purpose was.

If you were able to do the rsync without the add_ssh_keys step, there are a couple of possibilities. One is that you might be using your personal SSH key, which is automatically added to the box without any additional config. Otherwise, it seems like there might be something strange in your security settings. I can’t think of any other way it would work, but any other details you find would be interesting to hear about!

Thanks @thekatertot
What do you mean by personal SSH key though?
Nevertheless, I am only using a key that was generated for this purpose alone, and I have only added it to Project Settings. However, it works without add_ssh_keys.

The answer can probably be found here:

fingerprints (required: N, type: List): List of fingerprints corresponding to the keys to be added (default: all keys added)

And the keys they refer to are supposedly the keys added to the Additional SSH keys section.

It’s not clear whether specifying fingerprints stops it from adding all the keys. But if that’s the case, the reasons I can see that one might need the add_ssh_keys step are:

  • you have more than one key and more than one job, and you want it to add only those keys that are needed for a particular job
  • you want to be explicit so that in the future, when you add a key (and a job), the old jobs wouldn’t start using the keys they don’t actually need
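As an added example of the explicit per-job use described above (this is not config from any poster in this thread), here is a workflow with two deploy jobs that each add only the key they need by fingerprint; the fingerprints, hostnames, host keys, paths and image are placeholders, and the claim that listing fingerprints restricts which keys are written into the container follows the doc line quoted above rather than anything confirmed in this thread.

```yaml
version: 2.1

jobs:
  deploy-staging:
    docker:
      - image: cimg/base:stable   # assumption: any image that ships ssh and rsync
    steps:
      - checkout
      # Only the key matching this fingerprint is placed in ~/.ssh for this job,
      # so the staging job never holds the production deploy key.
      - add_ssh_keys:
          fingerprints:
            - "SHA256:STAGING_KEY_FINGERPRINT_PLACEHOLDER"   # placeholder value
      - run:
          name: Deploy to staging
          command: |
            # Pin the server's host key (placeholder) rather than disabling checking.
            mkdir -p ~/.ssh
            echo "staging.example.com ssh-ed25519 AAAA_HOST_KEY_PLACEHOLDER" >> ~/.ssh/known_hosts
            rsync -az --delete ./build/ deploy@staging.example.com:/srv/app/

  deploy-prod:
    docker:
      - image: cimg/base:stable
    steps:
      - checkout
      - add_ssh_keys:
          fingerprints:
            - "SHA256:PROD_KEY_FINGERPRINT_PLACEHOLDER"      # placeholder value
      - run:
          name: Deploy to production
          command: |
            mkdir -p ~/.ssh
            echo "prod.example.com ssh-ed25519 AAAA_HOST_KEY_PLACEHOLDER" >> ~/.ssh/known_hosts
            rsync -az --delete ./build/ deploy@prod.example.com:/srv/app/

workflows:
  deploy:
    jobs:
      - deploy-staging
      - deploy-prod:
          requires: [deploy-staging]
          filters:
            branches:
              only: main
```

Adding a third key in Project Settings later then changes nothing for these two jobs, because each only ever requests its own fingerprint.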

I know this is an old thread, but I would love an answer to this as well.

I currently have a workflow that deploys to a VPS I manage. I added a key for my deployment user to Project Settings / Additional SSH Keys; however, I never added an add_ssh_keys step to my workflow yaml, yet I am able to SSH in and deploy my application without issue.


I’m not sure if this is a bug, but we were able to use an old fingerprint in the add_ssh_keys section (while a newer key for the same host was added to project settings), yet the ssh was still successful.