ansible ssh permission deny

[meodemsao]

I have issue when using plugin with ssh key logged from my local machine

UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: Warning: Permanently added 'x.x.x.x' (ECDSA) to the list of known hosts.\r\nLoad key \"/tmp/privateKey112652127\": invalid format\r\n****@x.x.x.x: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).\r\n", "unreachable": true}

[tboerger]

The ansible error is pretty obvious, your provided ssh key got an invalid format. Import it properly as a drone secret and it works totally fine.

[meodemsao]

@tboerger I added ansible_private_key key as a drone secret with plugins/ansible (latest)

 - name: apply ansible playbook
    image: plugins/ansible
    settings:
      playbook: ./.ansible/playbook.yml
      inventory: ./.ansible/host
      private_key:
        from_secret: ansible_private_key
`

My private key format 

-----BEGIN OPENSSH PRIVATE KEY-----
code
-----END OPENSSH PRIVATE KEY-----

I have any mistake

[tboerger]

Please try again with a key in the format:

-----BEGIN RSA PRIVATE KEY-----
SNIP
-----END RSA PRIVATE KEY-----

[meodemsao]

@tboerger I has been try this but have same this error

[xoxys]

@meodemsao How do you add your key as a secret? From the WebUI? This can be the reason for the invalid key. Try to add the key with drone cli: drone secret add --repository octocat/hello-world --name ansible_private_key --data @/root/ssh/id_rsa

[meodemsao]

@xoxys I add from webui, this is a problem ? I will try with drone cli

[tboerger]

Sometimes it could lead to problems with multi-line secrets like SSH keys.

[meodemsao]

I add success ansible_private_key to drone

drone secret add --repository xxx/xxx --name ansible_private_key --data ~/.ssh/id_rsa

but have same error

[xoxys]

Nope you did not. Look at my example above. The @ has to be there and use absolute filepath to your private key

[tboerger]

with your command the secret got the value ~/.ssh/id_rsa, but it doesn't contain the file content.

[meodemsao]

@xoxys thanks 👍

[xoxys]

@meodemsao works?

[meodemsao]

@xoxys yes 💯

[xoxys]

Great! We need to document this a bit better. It is very hard to finde in the docs..

[NickBouwhuis]

Sorry to open this issue again. What's the recommended way of adding a secret from a file when drone runs in docker? Seems like the 'drone' binary isn't available in Docker.

[xoxys]

The drone CLI tool was AFAIK never part of the drone server docker image. It is intended to be used from a client/workstation. See https://docs.drone.io/cli/install/

[NickBouwhuis]

The drone CLI tool was AFAIK never part of the drone server docker image. It is intended to be used from a client/workstation. See https://docs.drone.io/cli/install/

Thanks! Never realized there was a separate CLI utility. Sorry, should have found it on my own.

[esturniolo]

Hi! So, back in time... For those who uses Drone as docker image (like @nickbouwhuis and me) should install the cli inside the docker image?

[flyingfishflash]

This is an incredibly frustrating quirk. I have a key in a secret that I created through the Web UI which works perfectly for appleboy/drone-ssh, yet fails with this plugin.

[LUK3-DEV]

I have tried every combination possible I add my key like so

drone secret add --repository my/repo --name ssh_private_key --data @/root/.ssh/id_rsa

I then need to use it inside my pipeline like so:

• name: Set up SSH, Install Rust and build release image: ubuntu:20.04 commands:

  • apt-get update
  • apt-get install -y openssh-client openssl git
  • mkdir -p ~/.ssh
  • echo $SSH_PRIVATE_KEY
  • echo -e $SSH_PRIVATE_KEY > ~/.ssh/id_rsa

    - echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa

  • chmod 600 ~/.ssh/id_rsa

    the private key is definitely loaded:

    • echo $SSH_PRIVATE_KEY

      ---

But i get this error:

• mkdir -p ~/.cargo
• touch ~/.cargo/config
• echo "[net]" >> ~/.cargo/config
• echo "git-fetch-with-cli = true" >> ~/.cargo/config
• PATH=/root/.cargo/bin:$PATH cargo build --release --bin law --features cli Updating crates.io index Updating git repository ssh://my.host:222/Repo/package Warning: Permanently added '[my.host]:222,[my.host.ip]:222' (ECDSA) to the list of known hosts. Load key "/root/.ssh/id_rsa": invalid format root@my.host: Permission denied (publickey). fatal: Could not read from remote repository.

the key is definitely the correct key

Any help is much appreciated, this is affecting a lot :(