How to get install hook to have ssh pub key

I have a private git repository, which I can make a deploy SSH key authorized to read.

I see two SSH keys juju seems to talk about in the docs… one when you juju add-ssh-key ... and the key under your host's .local/share/juju/ssh/

I’ve tried to add both my LXD host's public key to the git repository's deploy key AND the juju .local... key

neither seems to get a public key into any models or machines that I bring up… am I misunderstanding something?

$ juju ssh-keys
Keys used in model: admin/default
SOME_KEY_HERE (mymail@email.com)

from within a model

ubuntu@juju-60307e-3:~$ ls -la .ssh/
total 6
drwx------ 2 ubuntu ubuntu    4 Jun  4 21:56 .
drwxr-xr-x 6 ubuntu ubuntu   12 Jun  4 22:05 ..
-rw------- 1 ubuntu ubuntu 1554 Jun  4 21:52 authorized_keys
-rw-r--r-- 1 ubuntu ubuntu  884 Jun  4 21:56 known_hosts

the public key is indeed added via add-ssh-key to the authorized_keys … but where would I add keys (or can I) for when performing juju charm installations, setups, etc…

The juju add-ssh-key should work for you. This will add public keys into every unit of the model.

Some charms also provide the option to add SSH keys via their configuration or an action.

You shouldn’t need to add keys for these types of operations. Juju handles the authentication process on a per-user basis.

maybe then I need to clarify…

I have a host public key, where my LXD host is… and where my juju charm is being developed. I have given that machine access (READ / WRITE) via SSH pub key in the Linux Ubuntu host… but I am unable to see where to inject that key so that the charm's INSTALL hook can leverage the public key and git clone the private repository… is it there and I am just not aware? isn’t it supposed to copy keys into ~/.ssh/ ?

Edit:

When inside a unit, I check for the active public key and it is not activated… nor can I find it within the model

Seems there are some keys here, but I wonder if it is the one under .local/ in the LXD host; it seems the key changes slightly inside the model to have the model id on it… and this is causing authentication issues with GitHub I think

Would you not be able to have a separate ssh key or deployment key which you would then use for your use-case?

It feels like you are on a bit of an awkward path to deploy code with juju.

Here is perhaps a hint of a few ways to do this if your code repo is github.

https://developer.github.com/v3/guides/managing-deploy-keys/

I’d like to check if I understand the request.

What you want is to be able to deploy your charm, such that it gets the private-key for a known SSH credential, so that it can SSH to another machine and get access to git.
Things like “juju add-ssh-key” are all about adding a credential’s public key to the list of authorized keys. They aren’t about giving that machine/unit/model a private key to pretend to be you.

What you really want is a configuration item on a charm, which is a private key that it can use to connect to other machines. And then when you deploy the charm, you would supply that private key as part of “--config”. eg:

  juju deploy my-charm --config private-key="private-key"

You can also put the private key contents into a YAML config file something like:

my-charm:
  private-key: |
   -----BEGIN RSA PRIVATE KEY-----
   ABDCEAEUDAEUCDAEUD
...

(In YAML, ‘|’ lets you represent a multiline string as just an indented block).

Given the size and sensitivity of private keys, and the fact that they are generally file content, it would also make sense to make the private key an optional ‘resource’ that you provide.
This functionally acts similar to config, except they are expected to be file content rather than strings. (Inside the charm you call ‘resource-get name’, which downloads the file from the Juju controller and prints out the path on disk of the local copy of the file.)

Either way, it is some sort of configuration-of-the-charm, because you are dealing with private keys (since you are asking the application to pretend to be someone, not to allow someone you know to connect).

Does that help?

2 Likes
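Putting the answer above into a hook, as an added example that is not from this thread or from Juju's own code: a shell install hook that reads the key from the ‘private-key’ config option named in the answer, plus two further assumed options, ‘git-known-hosts’ (the git server's host key line) and ‘repo-url’. The key is written owner-only and handed to git through GIT_SSH_COMMAND so the clone uses that key and nothing else on the unit.

```shell
#!/bin/sh
# Added example, not Juju project code. Hook tools (config-get,
# status-set) exist only inside a unit, so the hook body is guarded.
set -eu

# Write secret content to a file only the owner can read. The umask
# subshell means the file is never created with wider permissions.
write_private_file() {
    content="$1"
    path="$2"
    mkdir -p "$(dirname "$path")"
    chmod 700 "$(dirname "$path")"
    (umask 077; printf '%s\n' "$content" > "$path")
    chmod 600 "$path"
    echo "$path"
}

# ssh command for git: this key only (no agent or default keys), the
# pinned known_hosts file, and a hard failure on an unknown host key.
git_ssh_command() {
    key_path="$1"
    known_hosts="$2"
    printf 'ssh -i %s -o IdentitiesOnly=yes -o UserKnownHostsFile=%s -o StrictHostKeyChecking=yes' \
        "$key_path" "$known_hosts"
}

if command -v config-get >/dev/null 2>&1; then
    KEY_DIR="/var/lib/deploy-key"          # assumed location on the unit
    # 'git-known-hosts' holds a line such as "github.com ssh-ed25519 AAAA..."
    # (assumed option; the value comes from the operator, not from this hook)
    KEY_PATH="$(write_private_file "$(config-get private-key)" "$KEY_DIR/id_deploy")"
    KH_PATH="$(write_private_file "$(config-get git-known-hosts)" "$KEY_DIR/known_hosts")"
    GIT_SSH_COMMAND="$(git_ssh_command "$KEY_PATH" "$KH_PATH")"
    export GIT_SSH_COMMAND
    git clone "$(config-get repo-url)" /srv/app   # assumed option and path
    status-set active "cloned $(config-get repo-url)"
fi
```

Pass the option at deploy time exactly as the answer shows (`--config private-key="..."` or a YAML config file); the key never needs to touch ~/.ssh of the unit's ubuntu user.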

I found a temp workaround for now, but this is exactly what I was after… in the end I want to pip install straight off the git repositories… otherwise I go down the path of needing to run a private PyPI index or Artifactory in order for juju to be able to find the assets.

I think the private-key at deploy time is the right way for now, thank you!

1 Like