I have added an ssh key to the repository and also call:
git remote set-url origin ${BITBUCKET_GIT_SSH_ORIGIN}
but get this error in pipeline:
+ git pull --tags
Warning: Permanently added the RSA host key for IP address '18.205.93.2' to the list of known hosts.
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.
Would you be able to try running the following commands in your build to check the home directory, and also share with us the Docker image that you're using?
script:
- whoami
- echo $HOME
I suspect that you're encountering a similar issue to the one here:
https://community.atlassian.com/t5/Bitbucket-Pipelines-questions/Re-Re-Pulling-a-private-repo-from-bitbucket-in-pipelines/qaq-p/1347516/comment-id/2387#M2387
Regards
Ronald
Additional debugging reveals the following:
* The pipeline is building and deploying an Android APK
* It uses Triple-T/gradle-play-publisher (from GitHub)
* This requires a Google API key (set as a Repository Variable)
* The Repository Variable is a JSON string that contains a field named 'private_key'
* For whatever reason, even though the pipeline/step does not use this Repository Variable directly, the 'private_key' from this JSON string is set to /opt/atlassian/pipelines/agent/ssh/id_rsa
* I have tried to take this 'private_key', generate the public key, and then set those as the SSH keys added to my repository and rerun the pipeline/step but I'm still getting a failure
Is there any way to mask a Repository Variable in a given pipeline/step?
What other troubleshooting/debugging steps should I take?
I'm able to modify the pipeline/step to print additional debugging information.
Thanks for responding
Yes, you can mask the variable's value by checking the Secured checkbox while setting up variable.
Variables in Pipelines - Atlassian Documentation
Are you still getting the SSH permission denied issue which you initially mentioned?
What do you observe when you run the following command in your build?
script:
- whoami
- echo $HOME
Would you also share with us the Docker image that you're using so that we can try to reproduce it on our end?
Regards,
Ronald
whoami = root
$HOME = /root
Image = python:3.8.1
Also, when I asked if there was a way to "mask" a Repository Variable I meant, is there a way to make it not be processed or present for a given pipeline or step?
Again, the Repository Variable in question is a JSON string which contains a 'private_key' and this is what the image is getting for the value in /opt/atlassian/pipelines/agent/ssh/id_rsa
Even when I take this same private_key, get the public key, and set it in the repository SSH keys (selecting Use My Own) it does not work.
Sorry for the late reply; I had other priorities at home over the past weeks.
I've checked the docker image that you're using and it shouldn't be affecting the ssh authentication:
In regards to your question about masking the repository variables, you will need to tick the "Secured" checkbox when you create the variable.
Sample Image:
Once you've created the "secured variables", Pipelines will check if the display output matches the variable's value.
If it matches, it will replace it with the variable's name, such as below:
Sample Build: https://bitbucket.org/r-comm/json-masking/addon/pipelines/home#!/results/1
As for the issue that you've encountered:
Again, the Repository Variable in question is a JSON string which contains a 'private_key' and this is what the image is getting for the value in /opt/atlassian/pipelines/agent/ssh/id_rsa
Even when I take this same private_key, get the public key, and set it in the repository SSH keys (selecting Use My Own) it does not work
Would you give us an example of your configuration and the build output so that we can identify what's the issue that you're facing?
Regards,
Ronald
I've now gone to the point of removing the repository variable that I thought was causing the problem and letting Bitbucket generate my SSH keys and I'm doing a dirt simple pipeline like the example you gave. And still, errors.
Originally, I had this repository variable named: GOOGLE_API_KEY_JSON and a value of JSON:
{
  "type": "service_account",
  "project_id": "some-value-here",
  "private_key_id": "private-key-id-value",
  "private_key": "-----BEGIN PRIVATE KEY-----<private key contents here>-----END PRIVATE KEY-----\n",
  "client_email": "email address here",
  "client_id": "client-id-here",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://oauth2.googleapis.com/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "cert-url-here"
}
Note the "private_key" variable in the JSON above. When I would run the pipeline that private_key above is what would get set in the /opt/atlassian/pipelines/agent/ssh/id_rsa file.
So knowing this, I then tried to add the private key to my repository SSH Keys, but that still didn't work.
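A way to check the situation described in the post above, as an added example that is not part of the original thread: derive the public key from the private key the build actually has and compare its fingerprint with the public key registered under the repository's SSH keys. The function names and the `repo_key.pub` file name are assumptions made for illustration; the `id_rsa` path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): does a private key file correspond
# to a given public key? Compares SHA256 fingerprints via ssh-keygen.

# Print the SHA256 fingerprint of a public key file; fail if unreadable.
pub_fingerprint() {
    out=$(ssh-keygen -l -E sha256 -f "$1" 2>/dev/null) || return 1
    echo "$out" | awk '{print $2}'
}

# Derive the public key from a private key file and print its fingerprint.
# stdin is /dev/null so a passphrase-protected key fails instead of prompting.
priv_fingerprint() {
    tmp=$(mktemp) || return 1
    rc=1
    if ssh-keygen -y -f "$1" > "$tmp" 2>/dev/null </dev/null \
        && pub_fingerprint "$tmp"; then
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# check_key_pair PRIVATE_KEY PUBLIC_KEY
# Prints "match", "mismatch" or "unreadable"; returns 0 only on match.
check_key_pair() {
    have=$(priv_fingerprint "$1") || { echo unreadable; return 2; }
    want=$(pub_fingerprint "$2") || { echo unreadable; return 2; }
    if [ "$have" = "$want" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# Example call from a pipeline step (repo_key.pub is a hypothetical copy of
# the public key shown in the repository's SSH keys settings):
#   sh check_key.sh /opt/atlassian/pipelines/agent/ssh/id_rsa repo_key.pub
if [ "$#" -eq 2 ]; then
    check_key_pair "$1" "$2"
fi
```

Only fingerprints are printed, so the build log never contains private key material.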
@Ronald C_ do you have any additional help for me after my additional debugging information has been shared?
I know you've likely been busy but is anyone else available to inspect it?