Jenkins Reports Permission Failure When Pulling Submodule via Git Plugin (Remote Repo Bitbucket)

Question

I've got a project in Bitbucket (cloud), which I'm building with Jenkins (hosted on-prem). The project has a submodule. If I ignore the submodule, the job (in Jenkins) succeeds. If I attempt to update the submodule, I get this love note:

stderr: Cloning into 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages'...
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

The full job log with my SCM configuration is below for reference.

We're using an app-password in Bitbucket to access the repository.

Things I tried...

1. Update Git plugin to v4.1.1 - per Jenkins pipeline git command submodule update
2. Created a separate job to pull the submodule's repo using the same credentials. I was able to pull the repo from Jenkins using the same credentials as problematic job without issue.
3. Submodule is in the lambda/messages directory; that's correct

Contents of my project's .gitmodules file...

[submodule "lambda/messages"]
        path = lambda/messages
        url = git@bitbucket.org:myCompany/myRespository.git

Output from the Jenkins job...

Started by user myUser
Running as SYSTEM
Building in workspace C:\Program Files (x86)\Jenkins\workspace\Started by user myUser
Running as SYSTEM
Building in workspace C:\Program Files (x86)\Jenkins\workspace\myRespository
using credential Bitbucket
> git.exe rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
> git.exe config remote.origin.url https://myUser@bitbucket.org/myCompany/deco4-aws.git # timeout=10
Fetching upstream changes from https://myUser@bitbucket.org/myCompany/deco4-aws.git
> git.exe --version # timeout=10
using GIT_ASKPASS to set credentials Bitbucket App password for Jenkins
> git.exe fetch --tags --progress -- https://myUser@bitbucket.org/myCompany/deco4-aws.git +refs/heads/*:refs/remotes/origin/* # timeout=10
> git.exe rev-parse "refs/remotes/origin/master^{commit}" # timeout=10
> git.exe rev-parse "refs/remotes/origin/origin/master^{commit}" # timeout=10
Checking out Revision cecc872074937f981a9c593b931440b320b2ea32 (refs/remotes/origin/master)
> git.exe config core.sparsecheckout # timeout=10
> git.exe checkout -f cecc872074937f981a9c593b931440b320b2ea32 # timeout=10
Commit message: "PS-2315: added thing vars/api/lambda"
> git.exe rev-list --no-walk cecc872074937f981a9c593b931440b320b2ea32 # timeout=10
> git.exe remote # timeout=10
> git.exe submodule init # timeout=10
> git.exe submodule sync # timeout=10
> git.exe config --get remote.origin.url # timeout=10
> git.exe submodule init # timeout=10
> git.exe config -f .gitmodules --get-regexp ^submodule\.(.+)\.url # timeout=10
> git.exe config --get submodule.lambda/messages.url # timeout=10
> git.exe remote # timeout=10
> git.exe config --get remote.origin.url # timeout=10
> git.exe config -f .gitmodules --get submodule.lambda/messages.path # timeout=10
using GIT_ASKPASS to set credentials Bitbucket App password for Jenkins
> git.exe submodule update --init --recursive lambda/messages # timeout=10
hudson.plugins.git.GitException: Command "git.exe submodule update --init --recursive lambda/messages" returned status code 1:
stdout: 
stderr: Cloning into 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages'...
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@bitbucket.org:myCompany/deco4-messaging.git' into submodule path 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages' failed
Failed to clone 'lambda/messages'. Retry scheduled
Cloning into 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages'...
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@bitbucket.org:myCompany/deco4-messaging.git' into submodule path 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages' failed
Failed to clone 'lambda/messages' a second time, aborting
using credential Bitbucket
> git.exe rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
> git.exe config remote.origin.url https://myUser@bitbucket.org/myCompany/deco4-aws.git # timeout=10
Fetching upstream changes from https://myUser@bitbucket.org/myCompany/deco4-aws.git
> git.exe --version # timeout=10
using GIT_ASKPASS to set credentials Bitbucket App password for Jenkins
> git.exe fetch --tags --progress -- https://myUser@bitbucket.org/myCompany/deco4-aws.git +refs/heads/*:refs/remotes/origin/* # timeout=10
> git.exe rev-parse "refs/remotes/origin/master^{commit}" # timeout=10
> git.exe rev-parse "refs/remotes/origin/origin/master^{commit}" # timeout=10
Checking out Revision cecc872074937f981a9c593b931440b320b2ea32 (refs/remotes/origin/master)
> git.exe config core.sparsecheckout # timeout=10
> git.exe checkout -f cecc872074937f981a9c593b931440b320b2ea32 # timeout=10
Commit message: "PS-3176: added more things vars/api/lambda"
> git.exe rev-list --no-walk cecc872074937f981a9c593b931440b320b2ea32 # timeout=10
> git.exe remote # timeout=10
> git.exe submodule init # timeout=10
> git.exe submodule sync # timeout=10
> git.exe config --get remote.origin.url # timeout=10
> git.exe submodule init # timeout=10
> git.exe config -f .gitmodules --get-regexp ^submodule\.(.+)\.url # timeout=10
> git.exe config --get submodule.lambda/messages.url # timeout=10
> git.exe remote # timeout=10
> git.exe config --get remote.origin.url # timeout=10
> git.exe config -f .gitmodules --get submodule.lambda/messages.path # timeout=10
using GIT_ASKPASS to set credentials Bitbucket App password for Jenkins
> git.exe submodule update --init --recursive lambda/messages # timeout=10
hudson.plugins.git.GitException: Command "git.exe submodule update --init --recursive lambda/messages" returned status code 1:
stdout: 
stderr: Cloning into 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages'...
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@bitbucket.org:myCompany/deco4-messaging.git' into submodule path 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages' failed
Failed to clone 'lambda/messages'. Retry scheduled
Cloning into 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages'...
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.
fatal: clone of 'git@bitbucket.org:myCompany/deco4-messaging.git' into submodule path 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages' failed
Failed to clone 'lambda/messages' a second time, aborting

Jenkins job's SCM configuration...

Running out of ideas on the root cause. Any guidance appreciated.

Answer 1

The sub module was being accessed via SSH while the parent HTTPS.

Sub module...

[submodule "lambda/messages"]
        path = lambda/messages
        url = git@bitbucket.org:myCompany/myRespository.git

Parent repo...

Since I didn't have any SSH keys setup, Jenkins could authenticate when cloning the submodule. And, now the error makes sense:

stderr: Cloning into 'C:/Program Files (x86)/Jenkins/workspace/my.repository/lambda/messages'...
git@bitbucket.org: Permission denied (publickey).
fatal: Could not read from remote repository.

To fix, I reconfigured the sub module in the repository to access it's remote repo via https. The change was made by editing the ./.gitmodules file in the root of the repository.

[submodule "lambda/messages"]
    path = lambda/messages
    url = https://myUser@bitbucket.org/myCompany/myRepository.git

The next build succeeded as desired.

Hope this helps someone!