Deploy Private Repo on Amplify
Summary
Using AWS Amplify to deploy a multi-repo dendron wiki (what you are currently reading) with a mix of public and private repositories.
Context
You can configure Amplify for one repo. If you wish to programmatically pull in additional private git repositories, you'll need a custom setup.
Solution
- Create a custom deploy key for the private repo in GitHub
  - generate the key
      ssh-keygen -f deploy_key -N ""
- Encode the deploy key as a base64-encoded env variable for Amplify
      cat deploy_key | base64 | tr -d \\n
  - add this as a hosting environment variable (e.g. DEPLOY_KEY)
- Modify the amplify.yml file to make use of the deploy key
  - there are 2 key steps
    - adding the deploy key to ssh-agent
      - WARNING: this implementation will print the $DEPLOY_KEY to stdout
    - disabling StrictHostKeyChecking
      - NOTE: Amplify does not have a $HOME/.ssh folder by default, so you'll need to create one as part of the deployment process
  - relevant excerpt below
      ...
      - eval "$(ssh-agent -s)"
      - ssh-add <(echo "$DEPLOY_KEY" | base64 -d)
      - echo "disable strict host key check"
      - mkdir ~/.ssh
      - touch ~/.ssh/config
      - 'echo -e "Host *\n\tStrictHostKeyChecking no\n\n" > ~/.ssh/config'
      - ...
  - full build file here
Now you should be able to use git to clone the private repo.
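A hardened variant of the steps above, as an added example that is not part of the original page or the author's build file: it decodes DEPLOY_KEY to a 0600 file without echoing it, and pins the git host's key for a single host instead of disabling StrictHostKeyChecking for all hosts. The function names and the GIT_HOST_KEY variable (a known_hosts line the operator has verified out of band) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page). Hypothetical names:
# install_deploy_key, write_ssh_config, and the operator-supplied host key line.
set -eu

# Decode base64 $DEPLOY_KEY into <ssh_dir>/deploy_key (mode 0600) without
# echoing the key; fail if the variable is empty or does not decode.
install_deploy_key() {
  ssh_dir=$1
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  if ! ( umask 077
         printf '%s' "${DEPLOY_KEY:-}" | base64 -d > "$ssh_dir/deploy_key" ) 2>/dev/null \
     || [ ! -s "$ssh_dir/deploy_key" ]; then
    rm -f "$ssh_dir/deploy_key"
    echo "DEPLOY_KEY is empty or not valid base64" >&2
    return 1
  fi
  chmod 600 "$ssh_dir/deploy_key"
}

# Write an ssh config scoped to one host that pins its host key, instead of
# "StrictHostKeyChecking no" under "Host *".
#   $1 ssh dir   $2 git host   $3 known_hosts line for that host
write_ssh_config() {
  ssh_dir=$1 host=$2 host_key_line=$3
  printf '%s\n' "$host_key_line" > "$ssh_dir/known_hosts"
  {
    echo "Host $host"
    echo "  IdentityFile $ssh_dir/deploy_key"
    echo "  IdentitiesOnly yes"
    echo "  UserKnownHostsFile $ssh_dir/known_hosts"
    echo "  StrictHostKeyChecking yes"
  } > "$ssh_dir/config"
  chmod 600 "$ssh_dir/config"
}

# In a build step (GIT_HOST_KEY is an assumed extra environment variable):
#   install_deploy_key "$HOME/.ssh"
#   write_ssh_config "$HOME/.ssh" github.com "$GIT_HOST_KEY"
```

Because the key is a regular file with mode 0600 referenced by IdentityFile, no ssh-agent or process substitution is needed, which also avoids the /dev/fd permissions error listed under Gotchas.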
Gotchas
- strict host key checking will cause Amplify to fail when pulling from within the Amplify build
- $HOME/.ssh folder does not exist in the regular Amplify container
- gitlab doesn't support ed25519 encryption (gitlab)
- when trying to repro on mac, the following will fail because the piped file descriptor is deemed to have permissions that are too open...
    ssh-add <(echo "$DEPLOY_KEY" | base64 -d) # results in ssh-agent + Permissions 0660 for '/dev/fd/11' are too open
  - workaround is to use (gitlab)
      echo "${SSH_PRIVATE_KEY}" | ssh-add -
Troubleshooting
Permission Denied
git@github.com: Permission denied (publickey).\r
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
In my case, this was because no valid deploy key was there
Host key verification failed
Host key verification failed.\r
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
In my case, this was because of StrictHostKeyChecking
Alternatives
Not Tried
- Using a github token instead of ssh
- Building a custom container image with keys embedded
Lookup
Internet
- Fetching Private Submodules in AWS Amplify Build
- Add Amplify deploy key to multiple github repositories
- Gitlab issue
Dendron
- Internal Investigation
- Service Providers
- SSH