GitHub Action to push commits to AWS CodeCommit: Host key verification failed


I'm trying to create a GitHub Action that pushes any commits to an AWS CodeCommit repo. For this, I'm using a workflow with a single main.yml file using the composite run steps action method for creating a GitHub Action. This is what the Action looks like:

name: CI
on:
  push:
    branches: [ master ]
jobs:
  codecommit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: pushes to codecommit
        env:
          CODECOMMIT_URL: ${{ secrets.CODECOMMIT_URL }}
          HOST_KEY: ${{ secrets.HOST_KEY }}
          SSH_CONFIG: ${{ secrets.SSH_CONFIG }}
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        shell: bash
        run: |
          mkdir .ssh && cd .ssh && echo "$SSH_PRIVATE_KEY" > id_rsa && chmod 600 id_rsa
          echo "$SSH_CONFIG" > config && chmod 600 config
          echo "$HOST_KEY" > known_hosts && chmod 600 known_hosts && cd ..
          git remote add codecommit "$CODECOMMIT_URL"
          git push codecommit master --force

Breaking this down:

on:
  push:
    branches: [ master ]

Whenever changes are pushed to the master branch...

jobs:
  codecommit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

Run a single job called codecommit that first checks out the code in the repo and makes it available in the runner's file system.

      - name: push to codecommit
        env:
          CODECOMMIT_URL: ${{ secrets.CODECOMMIT_URL }}
          HOST_KEY: ${{ secrets.HOST_KEY }}
          SSH_CONFIG: ${{ secrets.SSH_CONFIG }}
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        shell: bash

Run a single step called push to codecommit with some environment variables, CODECOMMIT_URL, HOST_KEY, SSH_CONFIG, and SSH_PRIVATE_KEY. These are:

CODECOMMIT_URL: the ssh url for the CodeCommit repo.

HOST_KEY: the result of running ssh-keyscan -t rsa github.com to get the host key for the GitHub repo.

SSH_CONFIG: This is the git config to be used for git:

Host git-codecommit.*.amazonaws.com
  User {SSH Username here}
  IdentityFile .ssh/id_rsa
  StrictHostKeyChecking no

SSH_PRIVATE_KEY: the private key that goes inside id_rsa.

        run: |
          mkdir .ssh && cd .ssh && echo "$SSH_PRIVATE_KEY" > id_rsa && chmod 600 id_rsa

Run a series of commands, and start by making a directory called .ssh, entering this directory, and creating a file id_rsa that is accessible by the system. This file contains the private SSH key.

echo "$SSH_CONFIG" > config && chmod 600 config

Save the SSH config to a file called config and give the system access rights to this file.

echo "$HOST_KEY" > known_hosts && chmod 600 known_hosts && cd ..

Save the host key into a file called known_hosts, give the system access rights to this file, and then navigate back to the root directory for the repo.

git remote add codecommit "$CODECOMMIT_URL"
git push codecommit master --force

Add the CodeCommit URL as a remote for git, and attempt to push to this remote.

It looks like CodeCommit is still not recognizing GitHub as verified. I get this response from running this Action:

Host key verification failed.
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Am I missing something in this configuration?

There are 2 best solutions below

Answer 1:

Thank you for your question, it helped a lot.

I had a Permission denied experience that I could not resolve. So basically I tried to run a docker and test it. And in my experience, I had to use Note 4 from https://docs.aws.amazon.com/codecommit/latest/userguide/setting-up-ssh-unixes.html.

So I replaced

git clone ssh://git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo

by

git clone ssh://{SSH-Key-ID}@git-codecommit.us-east-2.amazonaws.com/v1/repos/MyDemoRepo my-demo-repo

Answer 2:

Shouldn't you be doing:

$ ssh-keyscan -H git-codecommit.<region>.amazonaws.com 

... and then adding the result to:

~/.ssh/known_hosts
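Building on this answer and on the run step in the question, here is an added example (not code from the question or from either answer) that stages the SSH files in the directory ssh actually reads, with owner-only permissions, and then checks that known_hosts covers the CodeCommit endpoint before any push is attempted. All host keys and the key ID are constructed placeholders; the check uses `ssh-keygen -F`, which also matches the hashed entries that `ssh-keyscan -H` produces, with a plain-text grep as the fallback.

```shell
#!/usr/bin/env bash
# Added example, not from the question or either answer. Stage the SSH files
# where ssh actually reads them (normally "$HOME/.ssh"), owner-only, and check
# that known_hosts covers the CodeCommit endpoint before pushing. Sample data
# is constructed; the all-zero ed25519 blob stands in for a real host key.

# Write id_rsa, config and known_hosts into dir $1 (mode 0700, files 0600).
setup_ssh_dir() {
  ( umask 077
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/id_rsa"
    printf '%s\n' "$3" > "$1/config"
    printf '%s\n' "$4" > "$1/known_hosts" )
}

# Return 0 if known_hosts $1 has an entry for host $2. ssh-keygen -F also
# matches hashed (ssh-keyscan -H) entries; the grep fallback handles plain ones.
known_hosts_covers() {
  if command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -F "$2" -f "$1" >/dev/null 2>&1
  else
    esc=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    grep -Eq "(^|,|\[)${esc}(\]:[0-9]+)?[ ,]" "$1"
  fi
}

# Return 0 if file $1 is readable and writable by its owner only (0600).
is_owner_only() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

ZERO_ED25519='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
GITHUB_ONLY="github.com $ZERO_ED25519"                  # only github.com pinned, as in the question
WITH_CODECOMMIT="$GITHUB_ONLY
git-codecommit.us-east-2.amazonaws.com $ZERO_ED25519"   # the endpoint the push actually contacts
SAMPLE_CONFIG='Host git-codecommit.*.amazonaws.com
  User {SSH-Key-ID}
  IdentityFile ~/.ssh/id_rsa'

# Stage into a scratch dir and report whether host verification could succeed.
demo() {
  tmp=$(mktemp -d)
  setup_ssh_dir "$tmp" 'PRIVATE-KEY-PLACEHOLDER' "$SAMPLE_CONFIG" "$1"
  if known_hosts_covers "$tmp/known_hosts" git-codecommit.us-east-2.amazonaws.com; then
    echo "CodeCommit host pinned: safe to push with StrictHostKeyChecking yes"
  else
    echo "CodeCommit host not in known_hosts: push would fail verification" >&2
  fi
}
demo "$GITHUB_ONLY"; demo "$WITH_CODECOMMIT"
```

In the workflow the same functions would run against "$HOME/.ssh", with the HOST_KEY secret holding the ssh-keyscan output for the CodeCommit host rather than for github.com.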