Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Failing to use OIDC within a bitbucket pipeline within a script

rupert160
rupert160 January 30, 2024

Following https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect I've been able to setup a pipeline with a `bitbucket-pipelines.yml` statement:

pipelines:
  default:
    - parallel:
      - step:
        name: Build and Test
        deployment: Test
        image:
          name: 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/bitbucket_pipeline:0.3
          aws:
            oidc-role: arn:aws:iam::242011367797:role/dl_ecr_admin
        oidc: true
        script:
          - export AWS_REGION=ap-southeast-2
          - ./containers.sh --pipeline --container-engine docker --version $BITBUCKET_BUILD_NUMBER
          #- pipe: atlassian/aws-ecr-push-image:2.3.0
          #  variables:
          #    IMAGE_NAME: 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/test/dlmvp_658/mytest2:${BITBUCKET_BUILD_NUMBER}

The setup has permitted me to pull the image from the ecr private repository, however I have failed to use the `aws ecr describe-repositories` or `docker login` with this credential witin the script file `containers.sh` - the former hits the following error:

aws ecr describe-repositories --region ap-southeast-2 --repository-names 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/test/dlmvp_658/mytest2
An error occurred (UnrecognizedClientException) when calling 
the DescribeRepositories operation: 
The security token included in the request is invalid.'

I'm baffled because the role is visible as I've proven credentials are pushed into the session with is visible with

+ aws configure list
Name Value Type Location
---- ----- ---- --------
profile <not set> None None
access_key ****************TUMK env
secret_key ****************dQo= env
ap-southeast-2 env ['AWS_REGION', 'AWS_DEFAULT_REGION']

and the role includes the following permissions:

AmazonEC2ContainerRegistryFullAccess

AmazonElasticContainerRegistryPublicFullAccess

*note* hopefully irrelevant, but I am using custom containers so that I had the most recent awscli and git binaries 

# aws --version && git --version
aws-cli/2.15.15 Python/3.11.6 Linux/6.6.13-200.fc39prompt/off
git version 2.29.0

built with the following docker file:

FROM atlassian/default-image
RUN apt remove --yes git
RUN add-apt-repository --yes ppa:git-core/ppa
RUN apt update --yes
RUN apt install --yes git
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/tmp/awscliv2.zip" \
&& unzip -d /tmp/ /tmp/awscliv2.zip \
&& /tmp/aws/install \
&& rm -rf /tmp/{aws,awscliv2.zip}

Ideas?

Answer
Watch
Like # people like this
772 views

2 answers

1 vote
rupert160
rupert160 February 4, 2024

Thanks for your suggestion, you're indeed right, there's also another part, after reading this post: https://stackoverflow.com/questions/72401495/error-using-oidc-with-atlassian-bitbucket-and-aws

I discovered I needed to do the following to set the OIDC tokens into the session:

      - export AWS_REGION=$AWS_REGION
      - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
      - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
      - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
      - aws configure set web_identity_token_file ${AWS_WEB_IDENTITY_TOKEN_FILE}
      - aws configure set role_arn ${AWS_ROLE_ARN}
      - unset AWS_ACCESS_KEY_ID
      - unset AWS_SECRET_ACCESS_KEY

 

Reply
1 vote
Mark C
Mark C
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 2, 2024

Hi @rupert160,

Thank you for reaching out to the community.

Would it be possible for you to check if you have the two AWS credential variables present in your Pipelines build?

  • AWS_ACCESS_KEY_ID
  • AWS_SECRET_AcommaCCESS_KEY

If yes, could you try to unset those variables or remove them?
To unset those variables:

unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_AcommaCCESS_KEY

This is to ensure that the OIDC token is the one being used and not the key/secret when you run AWS CLI commands in the bash script.

You can check this relevant knowledge-based article for the same: Pipelines gives an error - "An error occurred (AccessDeniedException) when calling the operation" despite providing authorization via OIDC or "aws configure set"

Let me know how it goes.

Regards,
Mark C

Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Product Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Terms Security
    Welcome illustration

    Welcome to the new Atlassian Community

    Online forums and learning are now in one easy-to-use experience.

    By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.