Exec driver unable to clone private git repository


I’m unable to clone github private repository using exec driver for nomad batch job.

job "web_front" {
  datacenters = ["lab1"]
  type = "batch"
  periodic {
    cron             = "*/15 * * * * *"
    prohibit_overlap = true
  group "web" {
    task "example" {
    driver = "exec"

    config {
        command = "/bin/bash"
        args = [
        "-c", "ls local/repo"

    artifact {
      source = "git::git@github.com:example/sample.git"
      destination = "local/repo"
      options {
        sshkey = "${base64encode(file("~/.ssh/id_rsa"))}"

Error log from nomad ,

failed to download artifact "git::git@github.com:example/sample.git": getter subprocess failed: exit status 1

I can clone the same repo from my laptop using the same key , even it can be cloned from all other nomad agents as well.

public git clone via https works as expected.

Nomad version : v1.5.0
OS : Rocky 8.7

Hi @jamesarems I believe this should be fixed in artifact: git needs more files for private repositories by shoenig · Pull Request #16508 · hashicorp/nomad · GitHub


Upgraded to nomad version 1.5.1, Also upgraded OS to Rocky (RHEL) 9.1 x64.

Tested cloning with go-getter ,

go-getter git@gitlab.com:example/repo.git repo

and works perfect.

But its not working with nomad Jobs artifact yet.

While checking the Client logs got,

nomad1 nomad[5176]: 2023-03-18T18:36:07.948Z [ERROR] client.artifact: sub-process: OUTPUT="Host key verification failed."

Tried to follow the available solution found on the documentation but bit confused ,

artifact Block - Job Specification | Nomad | HashiCorp Developer - From the link it mentioned to run ssh-keyscan and place that as sshkey .

artifact {
  # The git:: prefix forces go-getter's protocol detection to use the git ssh
  # protocol. It can also automatically detect the protocol from the domain of
  # some git hosting providers (such as GitHub) without the prefix.
  source      = "git::git@bitbucket.org:example/nomad-examples"
  destination = "local/repo"
  options {
    # Make sure that the system known hosts file is populated:
    # ssh-keyscan github.com | sudo tee -a /etc/ssh/ssh_known_hosts
    # https://github.com/hashicorp/go-getter/issues/55
    sshkey = "${base64encode(file("/etc/ssh/ssh_known_hosts"))}"

In this case , how do I pass private ssh key ?
Git private clone part is not that clear in the documentation.

The official documentation seems wrong to me.

Why would one pass /etc/ssh/ssh_known_hosts as an SSH key?

Once you’ve run the command ssh-keyscan on the host that’s initiating the SSH connection, that should be sufficient to avoid the Host key verification error.

The sshkey parameter in your job specification should point to the actual private key that you want to use to authenticate against the server.