GitHub Actions Checkout Load Key Permission Denied

1.3k views Asked by At

I am trying to checkout a repo using an ssh key because https authentication fails due to our firewall settings original question about getting https authentication working with a firewall that injects it's own certificate into the chain

I was able to get this working previously, but the service was running as an elevated user. We are setting up a new server, and I'm trying to get things running in a more standard way with everything running as the network service user as suggested by github-actions runners documentation.

It is failing on the checkout step

- uses: actions/checkout@v3
      with:
        lfs: true
        ssh-key: ${{secrets.my_private_ssh_key}}

In the log it shows that it failed to load the key

Load key "C:\\actions-runner\\_work\\_temp/d872e64c-0228-457f-9bfa-f9c01b1818ec": Permission denied
  [email protected]: Permission denied (publickey).
  Error: fatal: Could not read from remote repository.

I've seen a lot of info on things related to [email protected]: Permission denied, but I haven't found a lot of information about permission being denied when it comes to loading the key.

The one thing I did find is that a Load Key Permission Denied error is typically because the user doesn't have read access to the ssh key?

If I'm understanding the checkout action correctly, it copies the ssh key to to .ssh folder of the user account so that it can use that SSH key.

For the NetworkService account that should be C:\Windows\ServiceProfiles\NetworkService\.ssh if I go to that folder, the .ssh folder has been created, so it looks like at least an attempt was made to copy the SSH key into that folder, and I'm guessing the key is deleted out when the action is complete, so it may have been there and then deleted because the .ssh folder is empty.

Why would the network service account not have permissions for a file that it wrote out in the first place?
Or is it possibly some other permission that is failing?

Can the ssh-key option work with the network service account?

Or is it possible to specify to use SSH, but not pass in the key as a secret, and instead just have the private key stored on our self-hosted runner?

Update:

I found another warning in the cleanup step for checkout@v3:

Warning: Failed to remove SSH key 'C:\actions-runner\\_work\\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4'

but in the original setup it appears that the ssh key is getting setup without warnings or errors

::save-state name=sshKeyPath::C:\actions-runner\\_work\\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4
##[debug]Save intra-action state sshKeyPath = C:\actions-runner\\_work\\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4
processed file: C:\actions-runner\\_work\\_temp\264e2651-1faf-44c3-9fa5-16a842f0d2a4
Successfully processed 1 files; Failed processing 0 files

Looking through the debug log of the checkout action, it looks like the SSH key is copied to a temp directory and then full permissions are given to the computer account domain\computer-name$ and those steps appear to be finishing normally, so it's unclear why when the SSH key is attempted to be loaded that it fails because of permission denied.

1

There are 1 answers

3
VonC On
C:\Windows\ServiceProfiles\NetworkService\.ssh 

That would be typical of a service running as "Local System Account"

Considering such a service has other paths for its data, check if persisting the SSH key in C:\WINDOWS\ServiceProfiles\LocalService\.ssh or C:\WINDOWS\system32\config\systemprofile\.ssh would help.

Meaning even if the key is deleted out when the action is complete, it might persists in (or be restored from) this other folders.