I use the --ssh docker buildkit feature and it works fine locally.
I want to build Docker at a remote server and for that I use the -A flag to forward my local github key, like:
ssh -i "server.pem" -A <user>@<server-ip>
Then in server terminal I run:
ssh -T [email protected]
And I get the "Hello user" message, which means the key forwarding works fine.
(In the server, $SSH_AUTH_SOCK is indeed set, and I can git clone)
Now, when building locally I use:
DOCKER_BUILDKIT=1 docker build --ssh default=~/.ssh/id_rsa -t myimage:latest .
Which works fine.
But in the server the private key does not exist at ~/.ssh/id_rsa. So how can I forward it to docker build?
Tried this in the server:
DOCKER_BUILDKIT=1 docker build --ssh default=$SSH_AUTH_SOCK -t myimage:latest .
But it does not work. The error is:
could not parse ssh: [default]: invalid empty ssh agent socket, make sure SSH_AUTH_SOCK is set
Even though SSH_AUTH_SOCK is set
Docker version: 19.03
BuildKit itself is distributed with the current stable releases of docker and available behind a feature flag (not an experimental flag).
To summarize, BuildKit has better performance and uses the same docker build interface which we are already familiar with. Additionally, BuildKit enables the use of cache and storing cache in remote container repositories like DockerHub for better build performance as we don't have to rebuild every layer of an image.
BuildKit is now available with the Docker Daemon service. It is not enabled by default and can be enabled by setting the environment variable DOCKER_BUILDKIT=1 in the pipelines configuration.
Docker BuildKit is the next generation container image builder, which helps us to make Docker images more efficient, secure, and faster. It's integrated into the Docker release version v18.06. BuildKit is a part of the Moby project which was developed after learnings and failures to make the image build process –
I had a similar issue and it was fixed quite simply: I wrapped ${SSH_AUTH_SOCK} within curly braces
eval $(ssh-agent)
ssh-add ~/.ssh/id_rsa
DOCKER_BUILDKIT=1 docker build -t myimage:latest --ssh default=${SSH_AUTH_SOCK} .
In the Dockerfile, I have an appropriate RUN instruction to run a command that requires sensitive data:
RUN --mount=type=ssh \
mkdir vendor && composer install
You need to have ssh-agent running on your machine and the key added to it with ssh-add, or use ssh -A -o AddKeysToAgent=true when logging in. SSH will not automatically forward the key specified with -i if you set -A afaik. After logging in you can run ssh-add -L to make sure your keys were forwarded, and if you see records there then docker build --ssh default . should work fine now.
eval `ssh-agent`
ssh-add server.pem
ssh -A <user>@<server-ip>
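As an added example (not part of any answer above), a POSIX shell preflight that picks the value to pass to docker build --ssh: bare default when a usable agent socket with loaded keys is present, otherwise default= followed by a key file. The function name resolve_ssh_arg and its return codes are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example: choose the argument for `docker build --ssh` on the
# host where the build runs. resolve_ssh_arg is a hypothetical helper.
#
# resolve_ssh_arg [keyfile]
#   stdout: value for --ssh ("default" or "default=<keyfile>")
#   return: 0 ok, 1 no agent and no readable key file,
#           2 SSH_AUTH_SOCK does not point at a socket,
#           3 agent could not be queried or holds no keys
resolve_ssh_arg() {
    keyfile="${1:-}"

    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        # A forwarded agent socket disappears when the ssh session that
        # created it ends, so check the path and not only the variable.
        if [ ! -S "$SSH_AUTH_SOCK" ]; then
            echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK is not a socket" >&2
            return 2
        fi
        # ssh-add -L exits non-zero when the agent has no identities
        # or cannot be contacted.
        if ssh-add -L >/dev/null 2>&1; then
            # Bare "default" tells docker to use $SSH_AUTH_SOCK itself,
            # so no private key file is needed on this host.
            echo "default"
            return 0
        fi
        echo "agent has no keys: run ssh-add before ssh -A" >&2
        return 3
    fi

    # No agent in this shell: fall back to a key file, as in the
    # local build command from the question.
    if [ -n "$keyfile" ] && [ -r "$keyfile" ]; then
        echo "default=$keyfile"
        return 0
    fi
    echo "SSH_AUTH_SOCK is empty and no readable key file was given" >&2
    return 1
}

# Usage (not executed here):
#   arg=$(resolve_ssh_arg "$HOME/.ssh/id_rsa") &&
#     DOCKER_BUILDKIT=1 docker build --ssh "$arg" -t myimage:latest .
```

Run the check in the same shell and as the same user that invokes docker build, since that is the environment docker reads SSH_AUTH_SOCK from.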