To manage my libraries I use Composer, so I set the dependencies in composer.json and then add (ever in composer.json) the remote addresses of the private repositories where the code resides.

When running composer update/install I'm prompted with a request for the access keys to those private repository.

Now, I'm trying to deploy a Symfony 2 app to Heroku.

The problem arises when Heroku tries to download the packages from my private repositories: how can I provide to Heroku access to those repositories?

Here is a sample composer.json configuration:

"require": {
    "my/private-package": "~1.0",
},
"repositories": [
    {
        "type": "git",
        "url": "https://Aerendir@bitbucket.org/Aerendir/private-package"
    }
]

This configuration is explained in the Composer Documentation (it works also without Satis, except for the "problem" with Heroku :) - or other cloud hosting I think).

There, about athentication, is explained:

Note that if your private packages are hosted on GitHub, your server should have an ssh key that gives it access to those packages, and then you should add the --no-interaction (or -n) flag to the command to make sure it falls back to ssh key authentication instead of prompting for a password. This is also a good trick for continuous integration servers.

Now, the questions are 2:

1. BitBucket has deployment keys but I can also set a SSH key.
2. What about Heroku SSH keys?

So, how can i give to Heroku access to my private repositories on BitBucket? How can I download private repositories hosted on BitBucket from the composer install command that Heroku does on deploying?

The correct answer is using COMPOSER_AUTH as an environment variable set directly in Heroku dashboard.

The value of the variable should be something like this:

{
   "http-basic":{
      "bitbucket.org":{
         "username":"hello@aerendir.me",
         "password":"y0UrH4rdT0Gu3sSp4SsW0rd"
      }
   }
}

If set, Composer will read it and use its value to connect to BitBucket.

This is the correct approach as it is secure and doesn't force you to make your passwords going around in the web through the various services you use (or will use) to build and deploy your app.

References:

COMPOSER_AUTH

Resolved/circumvented this limitation of Heroku of using Composer to install dependencies in private BitBucket repositories by:

changing:

git@bitbucket.org:username/repository.git

in my composer.json to:

https://bitbucket.org/username/repository.git

When running composer update --no-dev, Composer will ask you for the username / password combination to authenticate. Next Composer will offer you to save these credentials in /Users/username/.composer/auth.json, also see: https://getcomposer.org/doc/articles/http-basic-authentication.md

Choose "Y" to have that file created.

Now copy the created auth.json to your project folder. Use git to add, commit and push it to Heroku.

This worked for me, unfortunately the auth.json stores your password in plain text, so for me it is not an ideal solution...

Somebody from Heroku monitoring this issue? When using http://www.CloudControl.com one can inspect the details of an application, which includes a public key. Add that to BitBucket and it works. Either that or have Composer properly use the public keys one can add to Heroku...

UPDATE: directly in composer.json

Another option is to (simply) include a section in the composer.json file which is used by Heroku to install the dependencies.

"bitbucket-oauth": {
  "bitbucket.org": {
    "consumer-key": "key-goes-here",
    "consumer-secret": "secret-goes-here"
  }
}

Also see

https://getcomposer.org/doc/06-config.md#bitbucket-oauth

to make https works with composer

1. you should create auth token in bitbucket.
2. run composer config -g github-oauth.github.com token

or

add server ssh key to bitbucket

and change https://bitbucket.com/organisation/reponame.git

to

git@bitbucket.com:organisation/reponame.git

hope it helps