https://prefect.io logo
Join Slack
Powered by
<@ULVA73B9P> I'm using Prefect v3 self-hosted, run...
# marvin-ai
m
@Marvin I'm using Prefect v3 self-hosted, running a process worker. I'm trying to use the git_clone step to pull code from a private Git repository using an SSH key. The documentation says: "Clone a repository with an SSH key (note that the SSH key must be added to the worker before executing flows)." https://docs.prefect.io/v3/api-ref/python/prefect-deployments-steps-pull#git-clone But how can I do that?
m
thought for 282.9 seconds
Great question — that line in the docs can be confusing at first. Short version: the 
git_clone
step just shells out to 
git
in the runtime environment. It does not accept an SSH private key as a parameter. “The SSH key must be added to the worker” means the OS user that runs your Process worker must be able to use SSH to your Git host using standard Git/SSH mechanisms. Here are supported ways to “add the key to the worker” (pick one): 1) Put the key in the worker user’s ~/.ssh - Ensure your deployment uses an SSH URL (e.g., 
git@github.com:org/repo.git
). - Install the key for the user that runs `prefect worker start`:
Copy code
mkdir -p ~/.ssh && chmod 700 ~/.ssh
  # write your private key to id_ed25519 (or id_rsa)
  printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY----- ... -----END OPENSSH PRIVATE KEY-----' > ~/.ssh/id_ed25519
  chmod 600 ~/.ssh/id_ed25519

  # add your Git host to known_hosts (recommended)
  ssh-keyscan -t rsa,ecdsa,ed25519 <http://github.com|github.com> >> ~/.ssh/known_hosts
  chmod 644 ~/.ssh/known_hosts

  # test from the same user
  git ls-remote git@github.com:org/repo.git
- If that test works, 
git_clone
will work when your flow runs. 2) Use an SSH agent - Start an agent and add the key before starting the worker so the worker inherits `SSH_AUTH_SOCK`:
Copy code
eval "$(ssh-agent -s)"
  ssh-add /path/to/your/key
  prefect worker start --pool <your-pool>
3) Use GIT_SSH_COMMAND (no agent, key outside ~/.ssh) - Point Git to a specific key and known_hosts file via env vars when starting the worker:
Copy code
export GIT_SSH_COMMAND="ssh -i /secure/path/id_ed25519 -o IdentitiesOnly=yes -o UserKnownHostsFile=/secure/path/known_hosts -o StrictHostKeyChecking=yes"
  prefect worker start --pool <your-pool>
Notes and tips - File permissions matter: private keys must be 
chmod 600
or OpenSSH will refuse to use them. - Make sure 
known_hosts
is populated (using 
ssh-keyscan
or your org’s approved method) to avoid strict host key failures. - In Prefect 3.x, 
git_clone
does not accept an 
ssh_key
argument. The 
credentials
or 
access_token
parameters are for HTTPS-based auth; for SSH, rely on the worker’s SSH config. - Example 
prefect.yaml
pull step with SSH:
Copy code
pull:
    - prefect.deployments.steps.pull.git_clone:
        repository: "git@github.com:org/repo.git"
        branch: "main"
Docs for reference - git_clone step: https://docs.prefect.io/v3/api-ref/python/prefect-deployments-steps-pull#git-clone - Process worker concept: https://docs.prefect.io/v3/concepts/workers#process If you can share: - the OS the worker is running on - whether it’s run interactively or as a systemd/service user - whether you prefer not to write a key to disk (agent vs env var) …I can tailor exact setup commands (including a systemd unit example if you’re running it as a service).
2 Views
Open in Slack
PreviousNext
Powered by