Failing to use OIDC within a bitbucket pipeline within a script

rupert160 January 30, 2024

Following https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect I've been able to set up a pipeline with a `bitbucket-pipelines.yml` statement:

pipelines:
  default:
    - parallel:
        - step:
            name: Build and Test
            deployment: Test
            image:
              name: 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/bitbucket_pipeline:0.3
              aws:
                oidc-role: arn:aws:iam::242011367797:role/dl_ecr_admin
            oidc: true
            script:
              - export AWS_REGION=ap-southeast-2
              - ./containers.sh --pipeline --container-engine docker --version $BITBUCKET_BUILD_NUMBER
              #- pipe: atlassian/aws-ecr-push-image:2.3.0
              #  variables:
              #    IMAGE_NAME: 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/test/dlmvp_658/mytest2:${BITBUCKET_BUILD_NUMBER}

The setup has permitted me to pull the image from the ECR private repository; however, I have failed to use `aws ecr describe-repositories` or `docker login` with this credential within the script file `containers.sh`. The former hits the following error:

aws ecr describe-repositories --region ap-southeast-2 --repository-names 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/test/dlmvp_658/mytest2
An error occurred (UnrecognizedClientException) when calling the DescribeRepositories operation:
The security token included in the request is invalid.

I'm baffled, because the role is visible: I've proven credentials are pushed into the session, as is visible with

+ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************TUMK              env
secret_key     ****************dQo=              env
    region           ap-southeast-2              env    ['AWS_REGION', 'AWS_DEFAULT_REGION']

and the role includes the following permissions:

AmazonEC2ContainerRegistryFullAccess
AmazonElasticContainerRegistryPublicFullAccess

*Note*: hopefully irrelevant, but I am using a custom container so that I have the most recent awscli and git binaries:

# aws --version && git --version
aws-cli/2.15.15 Python/3.11.6 Linux/6.6.13-200.fc39 prompt/off
git version 2.29.0

built with the following Dockerfile:

FROM atlassian/default-image
# Replace the distro git with the current release from the git-core PPA
RUN apt remove --yes git
RUN add-apt-repository --yes ppa:git-core/ppa
RUN apt update --yes
RUN apt install --yes git
# Install AWS CLI v2 from the official bundle. --fail makes curl error out on an
# HTTP error instead of saving an error page; RUN executes under /bin/sh, so the
# cleanup avoids bash-only brace expansion ({aws,awscliv2.zip})
RUN curl --fail "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/tmp/awscliv2.zip" \
    && unzip -d /tmp/ /tmp/awscliv2.zip \
    && /tmp/aws/install \
    && rm -rf /tmp/aws /tmp/awscliv2.zip

Ideas?

2 answers

1 vote
rupert160 February 4, 2024

Thanks for your suggestion; you're indeed right. There's also another part, which I found after reading this post: https://stackoverflow.com/questions/72401495/error-using-oidc-with-atlassian-bitbucket-and-aws

I discovered I needed to do the following to set the OIDC tokens into the session:

      - export AWS_REGION=$AWS_REGION
      # the role the step should assume (replace with your own role ARN)
      - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
      # write the step's OIDC token to a file the CLI can read as a web identity token
      - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
      - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
      - aws configure set web_identity_token_file ${AWS_WEB_IDENTITY_TOKEN_FILE}
      - aws configure set role_arn ${AWS_ROLE_ARN}
      # static keys in the environment would take precedence over the web identity token
      - unset AWS_ACCESS_KEY_ID
      - unset AWS_SECRET_ACCESS_KEY

 

1 vote
Mark C
Atlassian Team
February 2, 2024

Hi @rupert160,

Thank you for reaching out to the community.

Would it be possible for you to check if you have the two AWS credential variables present in your Pipelines build?

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_ACCESS_KEY

If yes, could you try to unset those variables or remove them?
To unset those variables:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY

This is to ensure that the OIDC token is the one being used and not the key/secret when you run AWS CLI commands in the bash script.

You can check this relevant knowledge base article for the same: Pipelines gives an error - "An error occurred (AccessDeniedException) when calling the operation" despite providing authorization via OIDC or "aws configure set"

Let me know how it goes.

Regards,
Mark C
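The procedure the two answers above describe (write the step's OIDC token to a file, point the AWS CLI at it with AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN, and unset the static keys that otherwise shadow it), as an added POSIX sh example. This is not code from the thread, from Atlassian or from the AWS CLI project. It assumes `oidc: true` on the step (so BITBUCKET_STEP_OIDC_TOKEN exists) and an OIDC_ROLE_ARN variable; the placeholder role ARN, the helper names, and every claim value in the constructed sample token are assumptions. The sample token exists only so the script runs outside a pipeline; a real STS call is made only when a real step token is present.

```shell
#!/bin/sh
# Added example (not code from the thread): assume the Bitbucket OIDC role from
# inside a pipeline script and check the things that went wrong above.
# Assumptions (hypothetical): the step has `oidc: true`, so
# BITBUCKET_STEP_OIDC_TOKEN is set; OIDC_ROLE_ARN names the role to assume.
set -eu

# Base64url helpers for inspecting the JWT (no jq needed).
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr -- '-_' '+/')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

# Print one top-level claim (string or number) from the token payload.
jwt_claim() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)" |
    sed -n "s/.*\"$2\":\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# An expired token is rejected by STS just like a malformed one.
token_unexpired() {
  local exp
  exp=$(jwt_claim "$1" exp)
  [ -n "$exp" ] && [ "$exp" -gt "$(date +%s)" ]
}

# Static keys in the environment (repository/deployment variables) take
# precedence over role_arn + web_identity_token_file in the CLI credential
# chain; stale ones produce exactly the UnrecognizedClientException above.
static_creds_present() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]
}

# Write the token (no trailing newline, owner-only permissions) and point the
# CLI at the role through the standard AWS_* variables, dropping static keys.
configure_oidc_session() {
  OIDC_TOKEN_FILE="$3/web-identity-token"
  ( umask 077; printf '%s' "$1" > "$OIDC_TOKEN_FILE" )
  export AWS_ROLE_ARN="$2"
  export AWS_WEB_IDENTITY_TOKEN_FILE="$OIDC_TOKEN_FILE"
  export AWS_ROLE_SESSION_NAME="bitbucket-${BITBUCKET_BUILD_NUMBER:-local}"
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Prove the CLI now acts as the role: the caller ARN must be the assumed role.
verify_assumed_role() {
  local role_name arn
  role_name="${AWS_ROLE_ARN##*/}"
  arn=$(aws sts get-caller-identity --query Arn --output text)
  case "$arn" in
    *":assumed-role/$role_name/"*) echo "assumed $arn" ;;
    *) echo "unexpected identity: $arn" >&2; return 1 ;;
  esac
}

# Constructed sample token so the script runs outside Bitbucket. The claim
# values are placeholders (assumption); the real aud/sub format is whatever
# the role's trust policy was written against, so check it with your provider.
make_sample_token() {
  local hdr pl
  hdr='{"alg":"RS256","typ":"JWT"}'
  pl='{"iss":"https://api.bitbucket.org/2.0/workspaces/example/pipelines-config/identity/oidc","aud":"ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000","sub":"repo-uuid-0000:step-uuid-1111","exp":4102444800}'
  printf '%s.%s.%s' "$(b64url "$hdr")" "$(b64url "$pl")" "placeholder-signature"
}

main() {
  local role_arn token
  role_arn="${OIDC_ROLE_ARN:-arn:aws:iam::123456789012:role/ExampleRole}"
  if [ -n "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]; then
    token="$BITBUCKET_STEP_OIDC_TOKEN"
  else
    echo "not inside a Bitbucket step; using the constructed sample token" >&2
    token=$(make_sample_token)
  fi
  # Compare these two values with the Condition block of the role's trust policy.
  echo "aud: $(jwt_claim "$token" aud)"
  echo "sub: $(jwt_claim "$token" sub)"
  token_unexpired "$token" || { echo "OIDC token has expired" >&2; exit 1; }
  if static_creds_present; then
    echo "warning: static AWS keys are set and would shadow the OIDC role; unsetting them" >&2
  fi
  configure_oidc_session "$token" "$role_arn" "${BITBUCKET_CLONE_DIR:-$(mktemp -d)}"
  echo "token written to $OIDC_TOKEN_FILE, AWS_ROLE_ARN=$AWS_ROLE_ARN"
  # Only talk to STS with a real step token.
  [ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ] || verify_assumed_role
}

main "$@"
```

Run it as the first thing in `containers.sh` (or as a step of its own before it). The `aud` and `sub` lines are what the role's trust policy Condition is matched against, so printing them once is the quickest way to see why a freshly created role refuses the token. The two errors mentioned in this thread point at different failures: an UnrecognizedClientException means the request was signed with an access key STS does not recognise, i.e. something other than the OIDC exchange supplied the credentials, whereas an AccessDeniedException from AssumeRoleWithWebIdentity means the token was presented but the trust policy rejected it.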
