Working with deploy keys, ssh, and multiple repositories

If you’re working with multiple git repositories and you are using deploy keys you might keep encountering authentication issues. In my case I was trying to pip install a module from a different repository than that where the build was running. I kept getting

ERROR: Repository not found.
fatal: Could not read from remote repository.

After much thrashing and checking and double-checking keys, I found the source of the problem. CircleCI runs an ssh-agent and preloads your project keys. This means that when your pip command runs it connects to github with a key that authenticates correctly but is not authorized to access the other repository, even though the right key is in ssh-agent. The right key never gets used because a prior key is accepted at the ssh level!

To enforce a single key being used you need to

run: echo "$SSH_KEY_STORED_IN_CCI" > ~/.ssh/id_rsa   # quote the variable so the key's line breaks survive
run: chmod 400 ~/.ssh/id_rsa
run: unset SSH_AUTH_SOCK && /command/connecting/to/github

Do not put the unset and the command connecting to github on separate lines as it looks like CCI resets the shell environment between commands.

4 Likes

I had an issue where when building a docker image the pip install was failing because of private repos and GitHub’s restriction that a deploy key can’t be reused across repos. I ended up passing the ssh-keys all concatenated together into the docker build and splitting them apart with awk to separate key files and modifying the ssh config.

1 Like
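The two approaches above (forcing ssh to use exactly one key, and splitting a concatenated bundle of deploy keys into separate files with awk plus an ssh config) combined into one runnable script. This is an added example, not code from either poster or from CircleCI; the key bodies are constructed placeholders rather than real key material, and the host aliases, file names and repository names are assumptions. The `IdentitiesOnly yes` stanza is what stops ssh from offering the agent's other keys first, which is the "first accepted key wins" failure described in the opening post.

```shell
#!/bin/sh
# Added example (not from the thread). POSIX sh; only awk, chmod, grep, ls and mktemp are used.

# split_keys INPUT OUTDIR
# Every "-----BEGIN ... PRIVATE KEY-----" line starts a new file OUTDIR/deploy_key_N.
# Prints the number of key files written.
split_keys() {
    in="$1"; out="$2"
    mkdir -p "$out"
    awk -v dir="$out" '
        /^-----BEGIN .*PRIVATE KEY-----/ { n++; f = dir "/deploy_key_" n }
        f { print > f }
    ' "$in"
    # ssh refuses private keys that are group- or world-readable
    chmod 600 "$out"/deploy_key_* 2>/dev/null
    ls "$out" | grep -c '^deploy_key_'
}

# write_ssh_config CONFIG alias=keyfile [alias=keyfile ...]
# One Host alias per repository, each pinned to a single key with IdentitiesOnly,
# so the agent's other (accepted but unauthorized) keys are never tried.
# Prints the number of Host stanzas written.
write_ssh_config() {
    cfg="$1"; shift
    : > "$cfg"
    for pair in "$@"; do
        host="${pair%%=*}"; key="${pair#*=}"
        printf 'Host %s\n    HostName github.com\n    User git\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
            "$host" "$key" >> "$cfg"
    done
    chmod 600 "$cfg"
    grep -c '^Host ' "$cfg"
}

# --- constructed demo input: two fake key blocks, NOT real key material ---
demo="$(mktemp -d)"
cat > "$demo/all_keys.txt" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY-BODY-1
-----END OPENSSH PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-KEY-BODY-2
-----END OPENSSH PRIVATE KEY-----
EOF

split_keys "$demo/all_keys.txt" "$demo/keys"
write_ssh_config "$demo/config" \
    "github-repo-a=$demo/keys/deploy_key_1" \
    "github-repo-b=$demo/keys/deploy_key_2"
# With this config installed as ~/.ssh/config, the build refers to each
# repository through its alias instead of github.com (names are placeholders), e.g.
#   pip install git+ssh://git@github-repo-b/example-org/repo-b.git
```

Because each alias names exactly one IdentityFile and sets IdentitiesOnly, the order in which keys were loaded into the agent no longer matters, and SSH_AUTH_SOCK can stay set for the rest of the job.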

They solved it nicely in the “webfactory/ssh-agent” GHA action.

Readme: GitHub - webfactory/ssh-agent: GitHub Action to setup `ssh-agent` with a private key
Code: ssh-agent/index.js at master · webfactory/ssh-agent · GitHub

It works using the comment part of the key.

I solved this by dropping the project keys from the agent right before running pip install. No need to tinker with the key files.

ssh-add -d <(ssh-add -L | head -1)