Docs enhancement needed - invalid format of private key #4

Open
yod527 opened this issue Sep 5, 2020 · 6 comments

@yod527

yod527 commented Sep 5, 2020

Hello and thanks for your work!

Trying to launch my playbook, but getting private key error.

      - name: Deploy job
        uses: arillso/[email protected]
        with:
          playbook: deploy.yml
          inventory: ansible_hosts.yml
          private_key: ${{ secrets.MY_KEY }}
          extra_vars: foo=${{ github.event.inputs.bar }}
        env:
          ANSIBLE_HOST_KEY_CHECKING: 'false'
          ANSIBLE_DEPRECATION_WARNINGS: 'false'

Getting the following error:

fatal: [server]: UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: load pubkey \"/tmp/privateKey666997994\": invalid format\r\nkex_exchange_identification: Connection closed by remote host\r\nConnection closed by UNKNOWN port 65535", "unreachable": true}

I just don't get what I am doing wrong. How do I need to pass the private key correctly?

Thanks

@sbaerlocher
Member

Hello @yod527

The SSH key in the action is correct in your example. The SSH key in the secrets should start with -----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----. After that there should be an empty line. Otherwise try to start the action in debug mode to get more details displayed.

@yod527
Author

yod527 commented Sep 6, 2020

@sbaerlocher adding extra space before -----END RSA PRIVATE KEY----- doesn't help at all, unfortunately.

However, I found out my issue. I'm connecting to my instances via ssh-proxy, which is specified in the inventory file:

inventory.yml:

all:
  vars:
    # Connection via bastion host
    ansible_ssh_common_args: >-
        -o StrictHostKeyChecking=no
        -o ProxyCommand="ssh -o StrictHostKeyChecking=no \
                             -W %h:%p user@address"

// ..... //

and that leads to the following errors:

Failed to connect to the host via ssh: OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname <private_ip> is address
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: auto-mux: Trying existing master
debug1: Control socket \"/github/home/.ansible/cp/c55e6b6b5a\" does not exist
debug1: Executing proxy command: exec ssh -o StrictHostKeyChecking=no \\\\
-W <private_ip>:22 user@<public_ip>
debug3: timeout: 10000 ms remain after connect
load pubkey \"/tmp/privateKey853221895\": invalid format
debug1: identity file /tmp/privateKey853221895 type -1
debug1: identity file /tmp/privateKey853221895-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.3
Warning: Permanently added '<public_ip>' (ECDSA) to the list of known hosts.
ubuntu@<public_ip>: Permission denied (publickey).
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

If I try to remove the bastion host and connect to instances directly, by public IP address everything works fine.

Also, I found a similar issue https://github.community/t/invalid-format-permission-denied-publickey/17342 and the answer is to use public IP address or install GitHub action in my network, which does not sound like a solution for me.

P.S. From my local machine, connecting to instances via proxy does not cause any issues, and works just fine.
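
The proxy command in the log above is started without an identity file, and the inventory turns host key checking off for both hops. As an added example (not part of the original thread and not the action's own code), this shell lint flags both conditions in an `ansible_ssh_common_args` value; the function names, sample strings and file paths are constructed, and it assumes the ProxyCommand is written in double quotes on one line:

```shell
#!/bin/sh
# Added example: lint an ansible_ssh_common_args value (names are hypothetical).

# Constructed samples: the first mirrors the inventory in this thread, the
# second passes the key and a pinned known_hosts file to both hops.
WEAK_ARGS='-o StrictHostKeyChecking=no -o ProxyCommand="ssh -o StrictHostKeyChecking=no -W %h:%p user@address"'
PINNED='-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/tmp/known_hosts'
FIXED_ARGS="$PINNED -o ProxyCommand=\"ssh -i /tmp/deploy_key -o IdentitiesOnly=yes $PINNED -W %h:%p user@address\""

# Print the command inside ProxyCommand="...", or nothing if there is none.
proxy_command() {
    printf '%s\n' "$1" | sed -n 's/.*ProxyCommand="\([^"]*\)".*/\1/p'
}

# Print space-separated findings; return 0 only when there are none.
lint_ssh_args() {
    args=$1
    findings=""
    inner=$(proxy_command "$args")
    if [ -n "$inner" ]; then
        # The inner ssh is a separate process: an identity given to the outer
        # ssh is not passed on, so it must be named again here.
        case " $inner " in
            *" -i "*|*"IdentityFile="*) ;;
            *) findings="${findings}proxy-no-identity " ;;
        esac
    fi
    case $args in
        *"StrictHostKeyChecking=no"*) findings="${findings}hostkey-check-disabled " ;;
    esac
    printf '%s\n' "${findings% }"
    [ -z "$findings" ]
}

lint_ssh_args "$WEAK_ARGS" || echo "fix the findings above before running the playbook"
```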

@Goffen

Goffen commented Feb 22, 2021

I also had this problem. I needed to set StrictHostKeyChecking=no in ansible_ssh_common_args.

Then apparently it does not need to find public key.

@samuelp-mw

samuelp-mw commented May 3, 2021

Hello,

I am exactly in the same use case you described @yod527.
I am trying to run the ansible playbook via a bastion host (servers behind being configured with the same private key). This is working perfectly when I start the ansible playbook locally or without a bastion host, unfortunately I still do not manage to make it run via a bastion host with the GitHub Action.
@yod527 Did you manage to make it work in your case?

I tried to disable the strict host key checking as you mentioned @Goffen, but without success for now unfortunately.

The connection to the bastion host seems to succeed as I get "Connection established." after seeing "Connecting to [ip-bastion] port 22". The last error available in the logs is:
read_passphrase: can't open /dev/tty: No such device or address\r\nHost key verification failed.\r\nkex_exchange_identification: Connection closed by remote host\r\nConnection closed by UNKNOWN port 65535
I am not sure what to think about this but I guess the servers behind the bastion host are requesting a passphrase because no matching private key could be found before (the ssh key does not seem to be tested/given when trying to SSH from the bastion host to the servers behind..?). My conclusion may be wrong but that's the only thing I could think of so far. Does this action run a ssh agent with the given private key automatically?

My initial SSH configuration was like this one: I then deleted the IdentityFile lines (which are temporary files with variable naming when playing the action) and instead added the key to the ssh agent when running locally. This still works locally but I still did not manage to make it work with GitHub Actions.

Host bastion
  Hostname x.x.x.x
  User x
  IdentityFile ~/.ssh/key.pem
  ProxyCommand none

Host x.x.x.*
  User x
  IdentityFile ~/.ssh/key.pem
  ProxyJump bastion

Do you have any idea or suggestion about a potential origin of the issue?
Thanks for your work! I have tested it without bastion host and this works perfectly for me.

@SidorelaSuli

@samuelp-mw Facing exactly the same issue, and not able to find a workaround to make it work in GitLab. Have you found any solutions maybe?

@m0ppers

m0ppers commented Aug 4, 2023

for me this is broken as well. no idea what is going on. my workaround is simply to echo "${{ secrets.MY_PRIVATE_KEY }}" > private-ssh-key

and then instead of using the private_key property I pass

extra_vars: 'ansible_ssh_private_key_file=private-ssh-key' to this action

works for me 😵‍💫
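
The advice earlier in the thread (BEGIN/END lines and a final newline) and the write-the-secret-to-a-file workaround above can be checked mechanically. An added example, not part of the original thread or the action's code: a shell helper that reports the usual paste damage in a key secret and installs a normalised copy with owner-only permissions. It goes beyond the RSA case by accepting any `... PRIVATE KEY` armor (for example the OPENSSH format); function names and the sample key text are constructed.

```shell
#!/bin/sh
# Added example: check and install a private key delivered as a CI secret.
# Function names are hypothetical; SAMPLE_KEY is constructed, not a real key.
SAMPLE_KEY='-----BEGIN RSA PRIVATE KEY-----
Y29uc3RydWN0ZWQtc2FtcGxlLWJvZHk=
-----END RSA PRIVATE KEY-----'

# Read key text on stdin; print space-separated findings (empty when clean).
check_key_text() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    cr=$(printf '\r')
    out=""
    grep -q "$cr" "$tmp" && out="${out}crlf "
    # Compare the first and last non-blank lines, ignoring any CR.
    first=$(tr -d '\r' < "$tmp" | grep -v '^[[:space:]]*$' | head -n 1)
    last=$(tr -d '\r' < "$tmp" | grep -v '^[[:space:]]*$' | tail -n 1)
    case $first in "-----BEGIN "*"PRIVATE KEY-----") ;; *) out="${out}no-begin " ;; esac
    case $last in "-----END "*"PRIVATE KEY-----") ;; *) out="${out}no-end " ;; esac
    # $(...) drops a trailing newline, so a non-empty result means none was there.
    [ -z "$(tail -c 1 "$tmp")" ] || out="${out}no-final-newline "
    rm -f "$tmp"
    printf '%s\n' "${out% }"
}

# Read key text on stdin and write a normalised copy to $1 with mode 0600.
install_key() {
    dest=$1
    rm -f "$dest"
    ( umask 077; tr -d '\r' > "$dest" ) || return 1
    [ -z "$(tail -c 1 "$dest")" ] || echo >> "$dest"
    problems=$(check_key_text < "$dest")
    if [ -n "$problems" ]; then
        echo "key rejected: $problems" >&2
        rm -f "$dest"
        return 1
    fi
}

# A secret pasted with Windows line endings and no final newline:
printf '%s\r\n%s' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' | check_key_text
```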
