Working with deploy keys, ssh, and multiple repositories


If you’re working with multiple git repositories and you are using deploy keys, you might keep encountering authentication issues. In my case, I was trying to pip install a module from a different repository than that where the build was running. I kept getting:

ERROR: Repository not found.
fatal: Could not read from remote repository.

After much thrashing and checking, double-checking keys, I found the source of the problem. CircleCI runs an ssh-agent and preloads your project keys. This means that when your pip command runs, it connects to GitHub with a key that authenticates correctly but is not authorized to access the other repository, even though the right key is in ssh-agent. The right key never gets used because a prior key is accepted at the ssh level!

To enforce a single key being used, you need to:

run: echo "$SSH_KEY_STORED_IN_CCI" > ~/.ssh/id_rsa
run: chmod 400 ~/.ssh/id_rsa
run: unset SSH_AUTH_SOCK && /command/connecting/to/github

Do not put the unset and the command connecting to GitHub on separate lines, as it looks like CCI resets the shell environment between commands.


I had an issue where, when building a Docker image, the pip install was failing because of private repos and GitHub’s restriction that a deploy key can’t be reused across repos. I ended up passing the SSH keys all concatenated together into the docker build, splitting them apart with awk into separate key files, and modifying the ssh config.

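The key-splitting approach from the reply above, combined with per-host key pinning for the agent problem described in the first post, as an added example that is not code from either poster. The `github-key-N` host aliases, the `deploy_key_N` file names and the sample bundle are assumptions constructed for illustration.

```shell
#!/bin/sh
# Hypothetical names: deploy_key_N files and github-key-N Host aliases.
# Usage: split_deploy_keys BUNDLE_FILE OUT_DIR   (prints the number of keys)
split_deploy_keys() {
    bundle=$1
    out=$2
    mkdir -p "$out" && chmod 700 "$out" || return 1
    : > "$out/config"
    # umask 077 in a subshell so key files are never group/world readable,
    # not even briefly before a chmod.
    n=$(umask 077; awk -v dir="$out" '
        /^-----BEGIN / { n++; file = dir "/deploy_key_" n }
        file != ""     { print > file }
        /^-----END /   { close(file); file = "" }
        END            { print n + 0 }' "$bundle") || return 1
    i=1
    while [ "$i" -le "$n" ]; do
        # IdentitiesOnly: offer only this IdentityFile, not every agent key.
        # IdentityAgent none: ignore SSH_AUTH_SOCK for this host alias.
        cat >> "$out/config" <<EOF
Host github-key-$i
    HostName github.com
    User git
    IdentityFile $out/deploy_key_$i
    IdentitiesOnly yes
    IdentityAgent none
EOF
        i=$((i + 1))
    done
    chmod 600 "$out/config"
    echo "$n"
}

# Constructed sample input: placeholder bodies, not real key material.
make_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-REPO-A
-----END OPENSSH PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-REPO-B
-----END OPENSSH PRIVATE KEY-----
EOF
}

demo_dir=$(mktemp -d)
make_sample_bundle "$demo_dir/bundle"
echo "keys written: $(split_deploy_keys "$demo_dir/bundle" "$demo_dir/ssh")"
rm -rf "$demo_dir"
```

Each private dependency is then addressed through its own alias (for example `git@github-key-1:ORG/REPO.git`, with ORG/REPO as placeholders), so ssh presents exactly one key per repository regardless of what the agent holds.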