Automated project setup using SSH?

Hi all,

So I had a little tool that our PA could just type a project name into and then it would both create the project in shotgrid and then download the config into it to actually set it up. This was working beautifully. Now that Atlassian have changed authenticating when using git with bitbucket, it no longer works (in theory I could set up an app password, but if I do it then forces me to set up TFA, which is both undesirable for us and potentially impossible as we don't have access to the email address that set up the bitbucket account).

SSH seems the best way to deal with the issue, but I was having troubles suppressing the need for the password to be entered all the time, I got round this for cloning from the command line by editing my .bashrc as per some info online, but when trying to run my little tool, it just gets stuck and hangs every time.

Here’s the end of the (sanitised) Shotgrid console output:

2022-03-22 19:38:22,528 [   DEBUG] [PROXY] Return code: 128
2022-03-22 19:38:22,533 [   DEBUG] [PROXY] Process stdout/stderr:
2022-03-22 19:38:22,539 [   DEBUG] [PROXY] git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

2022-03-22 19:38:22,546 [   DEBUG] [PROXY] Subprocess call failed.
2022-03-22 19:38:22,552 [   DEBUG] [PROXY] Executing command 'git clone --no-hardlinks -q "git@bitbucket.org:USERNAME/CONFIGNAME.git" "c:\users\NAME\appdata\local\temp\sgtk_clone_54c8dbc4cf9149d99de8e34dc4c2ca1f"' using os.system
2022-03-22 19:38:22,561 [   DEBUG] [PROXY] Note: in a terminal environment, this may prompt for authentication

It wouldn’t be the end of the world if it did pop up a prompt requiring the SSH password, but it doesn’t even do that, just hangs.

I’m not really sure what to do, as it’s denying me permission, even though the keys are fine and all good on the command line. I only see that same error on the command line if I do what people say to do to persist not having to put in your SSH password all the time, which is to have your SSH config command (or GIT_SSH env variable) point to C:/Windows/System32/OpenSSH/ssh.exe.

I’ve never used SSH previously and certainly not in relation to anything Shotgrid, so I’m hoping I’m missing some simple fix. Has anyone run into anything similar and has any ideas how I can get round this? Thanks very much.

How is your ~/.ssh/config setup?
Has the ssh key been added to the ssh-agent?

Hmm, I don’t appear to actually have any file called ~/.ssh/config. I’ve never touched anything ssh other than for this, should there have been a config file? In ~/.ssh all I have is my key, my public part of the key, agent.env and known_hosts.

The key has been added to ssh-agent, yes.

Ah, in that case it's your only key and you don't need a config file per se.

A config file is for directing specific keys for specific hosts if you have many keys.

Can you try running the same command in a command line to see what it comes up with next?

So the command that Shotgrid seems to be kicking off to do the clone, and what is breaking is:

git clone --no-hardlinks -q "git@bitbucket.org:USERNAME/CONFIGNAME.git" "c:\users\NAME\appdata\local\temp\sgtk_clone_54c8dbc4cf9149d99de8e34dc4c2ca1f"

If I put the exact same thing into the command line (renaming the clone-to location as Shotgrid makes the folder before failing), it’s totally fine. So I’m guessing Shotgrid isn’t picking up on the key properly the way command line/bash is, or it’s trying to pop up the ssh ‘enter your password’ prompt, but failing to and that’s making it hang?

Is your key password protected?
You can't use a password protected key this way.

For SG to use your ssh key you need the key to have no password set.


The thing is that the setup does not take place in an interactive session, and thus nothing handles the password prompt.
Either, as Ricardo suggested, make a passwordless key, or try an HTTPS URL instead of git@. Maybe this requires the repo to be public. Not sure, haven’t played with bitbucket too much.

Thanks very much @Ricardo_Musch, I didn’t know I didn’t have to password the key! Obviously it’s rather less secure to not have it passworded, but I think in our use case it’s not the end of the world.

@mmoshev as I said, I can’t use https any more since Atlassian changed security to connect to bitbucket, it’s SSH or a TFA authentication system that wouldn’t work for us.

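An added example, not part of any post above and not Shotgrid's own code: a preflight check a setup tool could run before it calls git clone. It reads the cipher field of the private key to tell whether the key is passphrase-protected, and sets ssh's BatchMode so a prompt that nothing can answer fails fast instead of hanging. The function names, the constructed sample keys, and the assumption that a reachable agent shows up as SSH_AUTH_SOCK (as with the agent.env approach in Git Bash) are illustrative.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # prefix of every new-format OpenSSH private key


def key_needs_passphrase(pem_text):
    """Return True if the private key text is passphrase-protected."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured private key")
    header = lines[0]
    if "OPENSSH PRIVATE KEY" in header:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # First field after the magic is the cipher name: uint32 length + bytes.
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        start = len(MAGIC) + 4
        return blob[start:start + n] != b"none"
    if "ENCRYPTED PRIVATE KEY" in header:  # encrypted PKCS#8
        return True
    # Legacy PEM keys flag encryption in a Proc-Type header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])


def unattended_clone_problem(pem_text, env):
    """Return a reason the clone would stall without a terminal, or None."""
    if key_needs_passphrase(pem_text) and not env.get("SSH_AUTH_SOCK"):
        return "key is passphrase-protected and no ssh-agent socket is visible"
    return None


def batch_mode_env(env):
    """Copy env so ssh refuses to prompt and fails fast instead of hanging."""
    out = dict(env)
    out["GIT_SSH_COMMAND"] = "ssh -o BatchMode=yes"
    return out


def sample_key(cipher):
    """Constructed header-only sample (no key material), for demonstration."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = MAGIC + field(cipher) + field(b"none") + field(b"") + struct.pack(">I", 1)
    body = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


if __name__ == "__main__":
    print(unattended_clone_problem(sample_key(b"aes256-ctr"), {}))
    print(unattended_clone_problem(sample_key(b"none"), {}))
```

The agent check is a heuristic: a visible socket does not prove the key is loaded, so the BatchMode environment is what guarantees the clone returns an error rather than waiting on a prompt.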