Console
    Contact Us Start free

    Accessing GitHub from a build via SSH keys

    This tutorial demonstrates how to use Secret Manager with Cloud Build to access private GitHub repositories from a build. Secret Manager is a Google Cloud service that securely stores API keys, passwords, and other sensitive data.

    Objectives

    • Set up a GitHub SSH key.
    • Add the public SSH key to a private repository's deploy keys.
    • Store the private SSH key in Secret Manager.
    • Submit a build that accesses the key from Secret Manager and uses it to access the private repository.

    Costs

    In this document, you use the following billable components of Google Cloud:

    • Secret Manager
    • Cloud Build

    To generate a cost estimate based on your projected usage, use the pricing calculator .

    New Google Cloud users might be eligible for a free trial .

    Before you begin

    1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

    2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

      Go to project selector

    3. Verify that billing is enabled for your Google Cloud project .

    4. Enable the Cloud Build and Secret Manager APIs.

      Enable the APIs

    5. Install the Google Cloud CLI.

    6. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

    7. To initialize the gcloud CLI, run the following command:

      gcloud  
init

    8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

      Go to project selector

    9. Verify that billing is enabled for your Google Cloud project .

    10. Enable the Cloud Build and Secret Manager APIs.

      Enable the APIs

    11. Install the Google Cloud CLI.

    12. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity .

    13. To initialize the gcloud CLI, run the following command:

      gcloud  
init
    14. Optional. Complete the Secret Manager quickstart to become familiar with this product.

    Create a SSH key

    1. Open a terminal window.

    2. Create a new directory named workingdir and navigate into it:

       mkdir workingdir
cd workingdir

    3. Create a new GitHub SSH key, where github-email is your GitHub email address:

       ssh-keygen -t rsa -b 4096 -N '' -f id_github -C github-email

      This command creates a new SSH key workingdir/id_github without a passphrase for your SSH key. Cloud Build cannotuse your SSH key if it is protected with a passphrase.

    Store the private SSH key in Secret Manager

    When you create an SSH key , an id_github file is created in your environment. Because anyone can authenticate to your account with this file, you must store the file in Secret Manager before using it in a build.

    To store your SSH key in Secret Manager, do the following:

    1. Go to the Secret Manager page in the Google Cloud console:

      Go to the Secret Manager page

    2. On the Secret Managerpage, click Create Secret.

    3. On the Create secretpage, under Name, enter a name for the secret.

    4. In the Secret valuefield, click Uploadand upload your workingdir/id_github file.

    5. Leave the Regionssection unchanged.

    6. Click the Create secretbutton.

    This will upload your id_github file to Secret Manager.

    Add the public SSH key to your private repository's deploy keys

    1. Login to GitHub .

    2. In the upper-right corner, click your profile photo, then click Your profile.

    3. On your profile page, click Repositories, then click the name of your repository.

    4. From your repository, click Settings.

    5. In the sidebar, click Deploy Keys, then click Add deploy key.

    6. Provide a title, paste your public SSH key from workingdir/id_github.pub .

    7. Select Allow write accessif you want this key to have write access to the repository. A deploy key with write access lets a deployment push to the repository.

    8. Click Add key.

    9. Delete the SSH key from your disk:

       rm id_github*

    Grant permissions

    You must grant permission to access Secret Manager to the service account you are using for the build.

    1. In the Google Cloud console, go to the Cloud Build Permissions page:

      Go to Permissions

    2. From the drop-down list, select the service account whose roles you want to change.

    3. Set the status of the Secret Manager Secret Accessor role to Enable.

    Add the public SSH key to known hosts

    Most machines contain a file named known_hosts , which contains known keys for remote hosts. The keys are often collected from the remote hosts when connecting to them for the first time, but they can also be added manually. The keys in this file are used to verify the identity of the remote host and protect against impersonation.

    For Cloud Build to connect to GitHub, you must add the public SSH key to the known_hosts file in Cloud Build's build environment. You can do this by adding the key to a temporary known_hosts.github file, and then copying the contents of known_hosts.github to the known_hosts file in Cloud Build's build environment.

    In your workingdir directory, create a file named known_hosts.github and add the public SSH key to this file:

     ssh-keyscan -t rsa github.com > known_hosts.github

    In the next section when you configure the build, you'll add instructions in the Cloud Build config file to copy the contents of known_hosts.github to the known_hosts file in Cloud Build's build environment.

    Configure the build

    To configure the build:

    1. Create a build config file named cloudbuild.yaml with two steps: the first gcloud step accesses the SSH key in Secret Manager and saves it as id_rsa in a volume named ssh , along with a copy of the known_hosts.github . The volume is used to persist files across the build steps. The second git step uses the key in id_rsa to connect to the repository at git@github.com: git-username / git-repository .

        # 
  
 Access 
  
 the 
  
 id_github 
  
 file 
  
 from 
  
 Secret 
  
 Manager 
 , 
  
 and 
  
 setup 
  
 SSH 
 steps 
 : 
 - 
  
 name 
 : 
  
 'gcr.io/cloud-builders/git' 
  
 secretEnv 
 : 
  
 [ 
 'SSH_KEY' 
 ] 
  
 entrypoint 
 : 
  
 'bash' 
  
 args 
 : 
  
 - 
  
 - 
 c 
  
 - 
  
 | 
  
 echo 
  
 "$$SSH_KEY" 
 >> 
 / 
 root 
 / 
 . 
 ssh 
 / 
 id_rsa 
  
 chmod 
  
 400 
  
 / 
 root 
 / 
 . 
 ssh 
 / 
 id_rsa 
  
 cp 
  
 known_hosts 
 . 
 github 
  
 / 
 root 
 / 
 . 
 ssh 
 / 
 known_hosts 
  
 volumes 
 : 
  
 - 
  
 name 
 : 
  
 'ssh' 
  
 path 
 : 
  
 / 
 root 
 / 
 . 
 ssh 
 # 
  
 Clone 
  
 the 
  
 repository 
 - 
  
 name 
 : 
  
 'gcr.io/cloud-builders/git' 
  
 args 
 : 
  
 - 
  
 clone 
  
 - 
  
 --recurse-submodules 
  
 - 
  
 git 
 @github 
 . 
 com 
 : 
  GIT_USERNAME 
 
 / 
  GIT_REPOSITORY 
 
  
 volumes 
 : 
  
 - 
  
 name 
 : 
  
 'ssh' 
  
 path 
 : 
  
 / 
 root 
 / 
 . 
 ssh 
 availableSecrets 
 : 
  
 secretManager 
 : 
  
 - 
  
 versionName 
 : 
  
 projects 
 / 
  PROJECT_ID 
 
 / 
 secrets 
 / 
  SECRET_NAME 
 
 / 
 versions 
 / 
 latest 
  
 env 
 : 
  
 'SSH_KEY'

    Replace the placeholder values in the above commands with the following:

    • GIT_USERNAME : The GitHub username of the repository owner.
    • GIT_REPOSITORY : The name of the GitHub repository you want to access.
    • PROJECT_ID : The ID of the Google Cloud project where you've stored your secrets.
    • SECRET_NAME : The name of the secret you created in Secret Manager.

    To learn about YAML multiline strings used in the snippet above, see YAML multiline .

    Submit the build

    To submit the build, run the following command:

     gcloud builds submit --config=cloudbuild.yaml .

    The output is similar to the following:

      Creating 
  
 temporary 
  
 tarball 
  
 archive 
  
 of 
  
 3 
  
 file 
 ( 
 s 
 ) 
  
 totalling 
  
 4.1 
  
 KiB 
  
 before 
  
 compression 
 . 
 Uploading 
  
 tarball 
  
 of 
  
 [ 
 . 
 ] 
  
 to 
  
 [ 
 gs 
 : 
 // 
 [ 
 PROJECT 
 - 
 ID 
 ] 
 _cloudbuild 
 / 
 source 
 / 
 1504288639.02 
 ---. 
 tgz 
 ] 
 Created 
  
 [ 
 https 
 : 
 // 
 cloudbuild 
 . 
 googleapis 
 . 
 com 
 / 
 v1 
 / 
 projects 
 / 
 [ 
 PROJECT 
 - 
 ID 
 ] 
 / 
 builds 
 / 
 871 
 b68bc 
 --- 
 ] 
 . 
 Logs 
  
 are 
  
 available 
  
 at 
  
 [ 
https://console.cloud.google.com/ cloud 
 - 
 build 
 / 
 builds 
 / 
 871 
 b68bc 
 --- 
 ? 
 project 
 = 
 [ 
 PROJECT 
 - 
 ID 
 ]] 
 . 
 
     
  
 REMOTE 
  
 BUILD 
  
 OUTPUT 
  
 
     
 starting 
  
 build 
  
 "871b68bc-cefc-4411-856c-2a2b7c7d2487" 
 FETCHSOURCE 
 Fetching 
  
 storage 
  
 object 
 : 
  
 gs 
 : 
 // 
 [ 
 PROJECT 
 - 
 ID 
 ] 
 _cloudbuild 
 / 
 source 
 / 
 1504288639.02 
 ---. 
 tgz 
 #1504288640827178 
 Copying 
  
 gs 
 : 
 // 
 [ 
 PROJECT 
 - 
 ID 
 ] 
 _cloudbuild 
 / 
 source 
 / 
 1504288639.02 
 ---. 
 tgz 
 #1504288640827178... 
 / 
  
 [ 
 1 
  
 files 
 ][ 
  
 3.9 
  
 KiB 
 / 
  
 3.9 
  
 KiB 
 ] 
 Operation 
  
 completed 
  
 over 
  
 1 
  
 objects 
 / 
 3.9 
  
 KiB 
 . 
 BUILD 
 Step 
  
 #0: Already have image (with digest): gcr.io/cloud-builders/gcloud 
 Starting 
  
 Step 
  
 #0 
 Finished 
  
 Step 
  
 #0 
 Step 
  
 #1: Already have image (with digest): gcr.io/cloud-builders/git 
 Starting 
  
 Step 
  
 #1 
 Step 
  
 #1: # github.com SSH-2.0-libssh_0.7.0 
 Finished 
  
 Step 
  
 #1 
 Step 
  
 #2: Already have image (with digest): gcr.io/cloud-builders/git 
 Starting 
  
 Step 
  
 #2 
 Step 
  
 #2: Cloning into '[REPOSITORY-NAME]'... 
 Step 
  
 #2: Warning: Permanently added the RSA host key for IP address 'XXX.XXX.XXX.XXX' to the list of known hosts. 
 Finished 
  
 Step 
  
 #2 
 PUSH 
 DONE 
 
     
 ID 
  
 CREATE_TIME 
  
 DURATION 
  
 SOURCE 
  
 IMAGES 
  
 STATUS 
 871 
 b68bc 
 - 
 cefc 
 - 
 4411 
 - 
 856 
 c 
 - 
 2 
 a2b7c7d2487 
  
 XXXX 
 - 
 XX 
 - 
 XXT17 
 : 
 57 
 : 
 21 
 + 
 00 
 : 
 00 
  
 13 
 S 
  
 gs 
 : 
 // 
 [ 
 PROJECT 
 - 
 ID 
 ] 
 _cloudbuild 
 / 
 source 
 / 
 1504288639.02 
 ---. 
 tgz 
  
 - 
  
 SUCCESS

    Clean up

    To avoid incurring charges to your Google Cloud account for the resources used in this tutorial, either delete the project that contains the resources, or keep the project and delete the individual resources.

    Delete the project

    The easiest way to eliminate billing is to delete the project that you created for the tutorial.

    To delete the project:

    1. In the Google Cloud console, go to the Manage resources page.

      Go to Manage resources

    2. In the project list, select the project that you want to delete, and then click Delete .
    3. In the dialog, type the project ID, and then click Shut down to delete the project.

    Delete the deploy key from your repository

    1. On GitHub, navigate to the main page of the repository.

    2. Under your repository name, click Settings.

    3. In the left sidebar, click Deploy keys.

    4. On the Deploy keyspage, look for the deploy keys associated with your repository and click Delete.

    What's next
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: