ssh-keyscan doesn’t collect ec2 instance public keys in GitLab job

I work on GitLab ci/cd pipeline that should deploy docker containers to AWS ec2 instance. I’m trying to implement approach described here and one of my jobs is being failed because ssh-keyscan <ip> doesn’t work.
My pipeline looks like that:

...
deploy-to-staging:
    image: docker:20.10.14
    stage: deploy to staging
    needs: ["docker-stuff"]
    before_script:
        - 'command -v ssh-agent >/dev/null || ( apt-get update -y && apt-get install openssh-client -y )'
        - eval $(ssh-agent -s)
        - echo "$SSH_PRIVATE_KEY" | tr -d '\r' | ssh-add -
        - mkdir -p ~/.ssh
        - chmod 700 ~/.ssh
        - ssh-keyscan $EC2_IP >> ~/.ssh/known_hosts
        - chmod 644 ~/.ssh/known_hosts
...

It fails at - ssh-keyscan $EC2_IP >> ~/.ssh/known_hosts line with ERROR: Job failed: exit code 1.

My GitLab varables:

  • SSH_PRIVATE_KEY – EC2 key-pair private key of .pem format
  • EC2_IP – Public IPv4 DNS

I’ve tried ssh-keyscan <ipv4 DNS or IP> locally and it works. I’ve also tried it on separate ubuntu ec2 instance and it has no output.

Any help would be appreciated.

Leave a Reply

Your email address will not be published.