AWS CodeBuild with Github Enterprise Deploy Keys asking for passphrase

I'm trying to use Deploy Keys for my Github Enterprise repo so that I can push newly deployed tags using a CodeBuild project. I cannot get it to work, no matter what I try.

On my local machine (macOS):

  • I am generating the keys using a command like this: ssh-keygen -t ecdsa -b 521 -f $PATH_TO_SSH_KEY -q -N ""
  • I am saving the $PATH_TO_SSH_KEY contents in AWS SSM Parameter Store as a SecureString.
  • I am loading this parameter in my CodeBuild environment from the Parameter Store and not in my buildspec.yml.
  • I am saving $PATH_TO_SSH_KEY.pub to the GitHub Enterprise repo as a new deploy key.

In my CodeBuild project buildspec.yml:

I am saving the key into a file: printf -- "$GITHUB_PRIVATE_KEY" > ~/.ssh/id_ecdsa

Now, I've tried two different approaches from here, and both of them fail.

Approach 1:

  • Save the fingerprint of the enterprise site to known_hosts: ssh-keyscan "$GITHUB_ENTERPRISE_URL" >> ~/.ssh/known_hosts
  • Configure git to use my credentials: GIT_SSH_COMMAND="ssh -i ~/.ssh/id_ecdsa" git push --tags
This approach fails with the error:

git@<ENTERPRISE_URL>: Permission denied (publickey).
fatal: Could not read from remote repository.

Approach 2:

Use ssh-agent to hold the key and try to push that way:

  eval $(ssh-agent)
  ssh-add ~/.ssh/id_ecdsa
  git push --tags

This approach fails because of the following message:

Enter passphrase for /root/.ssh/id_ecdsa:

(My key does not have a passphrase, and it works fine from my local machine)

Question:

Is it possible to get this working? I've seen other examples of deploy keys with CodeBuild, but when I try the exact same setup, I fail with one of the above errors. I've been working on this for 2 days now, so I'm at my wits' end. Any assistance would be greatly appreciated.

If any additional information is required, I'd be happy to get it and edit it in here.

Tyler asked Nov 06 '22 03:11


2 Answers

If anyone is looking for a resolution in 2022:

I was using Secrets Manager to store the private SSH key and passing it as an env var in the CodeBuild project. I spent an entire day trying to figure out why I was getting the passphrase prompt, and finally I made it work. This is what I did:

  • Instead of copying and pasting the private key in plaintext into the secret, I re-uploaded the key using: aws secretsmanager put-secret-value --secret-id MyTestSecret --secret-string file://id_rsa
  • Moved the ssh-add steps to the "install" phase. (I do not think this makes any difference.)
  • Replaced the echo command with printenv:
    Old: echo -n "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa
    New: printenv SSH_PRIVATE_KEY > ~/.ssh/id_rsa

I am confident that you should be able to upload the private key to the SSM Parameter Store similarly to Secrets Manager using "file://your-file-name".

Cheers :)

Shashank Sharma answered Nov 11 '22 18:11


Hopefully in the near future, CodeBuild will begin supporting deploy keys natively through AWS instead of in the buildspec file.

Yeah, I agree that would be a great addition. For now we're working around the shortcoming by simply keeping the SSH private key in plain text form but stored encrypted in the SSM Parameter Store, e.g.:

version: 0.2
env:
  parameter-store:
    SSH_PRIVATE_KEY: /ssm/key/name/here
phases:
  install:
    on-failure: ABORT
    commands:
      - mkdir -p ~/.ssh && chmod 0700 ~/.ssh
      - echo -n "${SSH_PRIVATE_KEY}" > ~/.ssh/id_rsa && chmod 0400 ~/.ssh/id_rsa
      - md5sum ~/.ssh/id_rsa
  build:
    on-failure: ABORT
    commands:
      - eval $(ssh-agent)
      - ssh-add ~/.ssh/id_rsa

Not ideal, and quite some boilerplate added, but it's good enough in our scenario.

Alexander Fortin answered Nov 11 '22 18:11
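A check-as-you-go version of the workflow discussed in the question and both answers, added here as an illustration and not code from the thread or from AWS: it uploads the key file with the CLI's file:// prefix (the first answer does this for Secrets Manager; the aws ssm put-parameter form is an assumption), writes the variable to disk with printenv as the first answer recommends, and then verifies the resulting file before ssh-add ever touches it, so a key whose newlines were flattened by a console paste is caught as a malformed file rather than showing up as a mysterious passphrase prompt. The parameter name, variable name, host, paths and the sample key text are constructed placeholders; the sample is shaped like a key but is not key material.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: SSH_PRIVATE_KEY (env var),
# /ssm/key/name/here (SSM parameter), ~/.ssh/id_ecdsa (destination path).

# Upload the key *file* instead of pasting its text into the console, so no
# newline is lost in transit. Assumption: the CLI's generic file:// prefix
# works for --value the way the first answer uses it for --secret-string.
upload_key_to_ssm() {
  # $1 = parameter name, $2 = path to the private key file
  aws ssm put-parameter --name "$1" --type SecureString --overwrite --value "file://$2"
}

# Write the variable's value verbatim plus a trailing newline (printenv), as
# the first answer recommends. echo -n / printf "$VAR" drop that newline, and
# printf also treats the value as a format string.
write_key_from_env() {
  # $1 = environment variable name, $2 = destination path
  dir=$(dirname "$2")
  mkdir -p "$dir" && chmod 0700 "$dir"
  printenv "$1" > "$2" && chmod 0400 "$2"
}

# Structural check: returns 0 if the file looks like an intact PEM/OpenSSH
# private key, 1 otherwise. A key whose newlines were flattened by a console
# paste fails here, before ssh-add gets a chance to ask for a passphrase.
check_private_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  first=$(head -n 1 "$f")
  last=$(tail -n 1 "$f")
  case "$first" in
    "-----BEGIN "*"PRIVATE KEY-----") ;;
    *) echo "bad header" >&2; return 1 ;;
  esac
  case "$last" in
    "-----END "*"PRIVATE KEY-----") ;;
    *) echo "bad footer: newlines lost?" >&2; return 1 ;;
  esac
  # $(...) strips a final newline, so an empty result means the file ends with one
  [ -z "$(tail -c 1 "$f")" ] || { echo "no trailing newline" >&2; return 1; }
  [ "$(wc -l < "$f" | tr -d ' ')" -ge 3 ] || { echo "too few lines" >&2; return 1; }
  return 0
}

# Cryptographic check: derive the public key with an empty passphrase. Success
# proves the material parses and is unencrypted, so ssh-add will not prompt;
# the printed line is what should match the deploy key on GitHub Enterprise.
check_key_parses_unencrypted() {
  command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 0; }
  ssh-keygen -y -P "" -f "$1"
}

# Non-interactive auth probe for approach 1 in the question: BatchMode=yes
# turns any prompt into a failure, IdentitiesOnly=yes stops ssh offering other
# keys, and -v shows which key was offered and whether the server accepted it.
probe_github_ssh() {
  # $1 = GitHub Enterprise host, $2 = private key path
  ssh-keyscan "$1" >> ~/.ssh/known_hosts 2>/dev/null
  ssh -T -v -o BatchMode=yes -o IdentitiesOnly=yes -i "$2" "git@$1" 2>&1 \
    | grep -E 'Offering|Authenticat|Permission denied'
}

# Demo on constructed, non-secret text shaped like an OpenSSH key.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
  'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAA' \
  'QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=' \
  '-----END OPENSSH PRIVATE KEY-----' > "$demo/intact"
tr '\n' ' ' < "$demo/intact" > "$demo/pasted"   # what a console paste often does
check_private_key_file "$demo/intact" && echo "intact key: ok"
check_private_key_file "$demo/pasted" || echo "pasted key: rejected"
rm -rf "$demo"
```

In a buildspec, run write_key_from_env and then both checks in the install phase with on-failure: ABORT, so a bad parameter value fails the build with a clear message instead of hanging on a prompt; the structural check needs nothing beyond the base image, and the ssh-keygen check is skipped where the binary is absent.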