Setting up SSH keys for github private repo access on Elastic Beanstalk

Question

My Node.JS project contains references to private NPM repos hosted on github. This works fine locally, but I'm struggling to get this working on Elastic Beanstalk.

dependencies: {
  ...
  "express": "^4.12.4",
  "jsonwebtoken": "^5.0.5",
  "my-private-module": "git@github.com:<my-user>/<my-repo>.git#<my-version>",
  ...
}

-

What I need is to be able to set up a working SSH configuration for git on my Elastic Beanstalk instances, without having to store secret keys etc in source control.

Obviously, the EB instances do not have the needed SSH keys to access my private github repos. If I use HTTPS style git URL's with username:password@github.com inlined, it works fine. It also works using the oauth token method offered by github (which is essentially a user:pass). But I do not want any credentials to be checked in to source control, so I'm trying to get cloning from github to work via SSH on my EB instances.

I've tried a million ways, including npm preinstall scripts according to this blog post, which used to work until npm2 where a change made preinstall to run after the tree is built, and the PR to fix that issue is still pending.

I've tried an .ebextensions commands configuration that tries to call git config to place an insteadof on git@github.com into a HTTPS URL with an OAUTH token coming from an environment variable (tricky in itself since env variables aren't set at this time in the startup cycle, and the lack of $HOME makes git config confused).

I've also tried various different ways using .ebextensions to setup SSH on my EB instances, including this solution from the comments on the mentioned blog post. This is basically where I'm stuck now.

• I have successfully created a key pair, set it up on my github profile, and verified that the private key is usable from my local client to clone my repo
• I have put my private key and a ssh config file on a private S3 bucket
• I've created an .ebextensions files configuration which copies these two files from my S3 bucket into /tmp/.ssh/, according to this example
• I've created a debug commands .ebextensions configuration which lists /tmp/.ssh and shows that the files were downloaded from S3 successfully:

/tmp/.ssh/config contains:

Host github.com
    IdentityFile /tmp/.ssh/deploy_key
    IdentitiesOnly yes
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking no

/tmp/.ssh/deploy_key contains my private key which is verified to work locally.

However, git still throws an error:

npm ERR! Command failed: git clone --template=/tmp/.npm/_git-remotes/_templates --mirror ssh://git@github.com/[.....]
npm ERR! Cloning into bare repository '/tmp/.npm/_git-remotes/git-ssh-git-github-com-[...]
npm ERR! Host key verification failed.
npm ERR! fatal: Could not read from remote repository.
npm ERR! 
npm ERR! Please make sure you have the correct access rights
npm ERR! and the repository exists.

I am now running out of ideas. My best guess would be that /tmp/.ssh is not the path where git goes to look for the ssh config file - it might have been when the linked solution was proposed but might have changed in later AMI:s etc. The environment used when EB is starting up seems to be a bit limited; commands are run as user nodejs but /tmp seems to be used as the home directory, even though $HOME is not set anywhere.

How can I get git to pick up my SSH config, and consequently use my SSH key? How can I find out where git looks for a SSH config file? Normally it's in ~/.ssh, but since $HOME is not set, well... This should be easy but is driving me nuts.

Answer 1

After a full day's struggle and finally stumbling over this answer to a very similar question I had previously missed, it turns out the correct place to put ssh keys in order to be picked up by git on EB is in /root/.ssh, not /tmp/.ssh, not /home/ec2-user/.ssh.

My final configuration (assuming there's a private SSH key located in a S3 bucket at <my-bucket>/github-eb-key, and the corresponding public key is registered with a github user having access to the repo(s)), using an AMI configured as 64bit Amazon Linux 2016.09 v3.3.0 running Node.js, and with the following in .ebextensions/01_ssh_setup.config:

Resources: 
  AWSEBAutoScalingGroup: 
    Metadata: 
      ? "AWS::CloudFormation::Authentication"
      : 
        S3Auth: 
          buckets: 
            - <my-bucket>
          roleName: 
            ? "Fn::GetOptionSetting"
            : 
              DefaultValue: aws-elasticbeanstalk-ec2-role
              Namespace: "aws:asg:launchconfiguration"
              OptionName: IamInstanceProfile
          type: s3
files: 
  /root/.ssh/github-eb-key: 
    authentication: S3Auth
    mode: "000600"
    owner: root
    group: root
    source: "https://s3-eu-west-1.amazonaws.com/<my-bucket>/github-eb-key"
  /root/.ssh/config: 
    mode: "000600"
    owner: root
    group: root
    content: |
      Host github.com
        IdentityFile /root/.ssh/github-eb-key
        IdentitiesOnly yes
        UserKnownHostsFile=/dev/null
        StrictHostKeyChecking no