Game Development

Access Rights for Unity Cloud Build

I recently set up Unity Cloud Build so I could take it for a test drive, and while I was walking through the setup instructions, I came across a bit that was really concerning:

Danger, Will Robinson
Adding Unity SSH key to GitHub account

Please, please, please don’t do this. Adding an SSH key to your account like this is essentially giving the Unity Cloud Build tool unlimited read/write access to all of your repositories; you are in effect saying, “Unity Cloud Build can access all of my repos as if it were me.” Even if you trust Unity not to misuse this ability (most likely a safe bet, but not one I want to take), there is still the possibility of potentially destructive code errors or the possibility that Unity’s servers are compromised and attackers gain access to an SSH key that has read/write access to your code. Even if these scenarios are unlikely, the fact that they could happen should be enough to give you pause.

Fortunately, there’s a better way, at least for GitHub (I’m not familiar with BitBucket, but hopefully they have similar functionality): read-only deploy keys. From the introductory article:

They are often used to clone repositories during deploys or continuous integration runs.

That’s the exact scenario we’re setting up with the Cloud Build tool, so just drop the Unity-provided SSH key in as a deploy key on your game repo, and you’re done. Unity Cloud Build now has read-only access to that specific repository, your cloud builds work great, and you can sleep a little better at night. If you have lots of repos running through Cloud Build, the help docs have information about creating a machine user to manage that specific case, or you can just set up deploy keys for the lot of them. Problem solved.