Following https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect I've been able to set up a pipeline with a `bitbucket-pipelines.yml` statement:
pipelines:
  default:
    - parallel:
        - step:
            name: Build and Test
            deployment: Test
            image:
              name: 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/bitbucket_pipeline:0.3
              aws:
                oidc-role: arn:aws:iam::242011367797:role/dl_ecr_admin
            oidc: true
            script:
              - export AWS_REGION=ap-southeast-2
              - ./containers.sh --pipeline --container-engine docker --version $BITBUCKET_BUILD_NUMBER
              #- pipe: atlassian/aws-ecr-push-image:2.3.0
              #  variables:
              #    IMAGE_NAME: 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/test/dlmvp_658/mytest2:${BITBUCKET_BUILD_NUMBER}
The setup has permitted me to pull the image from the ECR private repository; however, I have failed to use `aws ecr describe-repositories` or `docker login` with this credential within the script file `containers.sh`. The former hits the following error:
aws ecr describe-repositories --region ap-southeast-2 --repository-names 242011367797.dkr.ecr.ap-southeast-2.amazonaws.com/datallama/test/dlmvp_658/mytest2
An error occurred (UnrecognizedClientException) when calling the DescribeRepositories operation: The security token included in the request is invalid.
I'm baffled because I've proven credentials are pushed into the session, which is visible with:
+ aws configure list
      Name                    Value             Type    Location
      ----                    -----             ----    --------
   profile                <not set>             None    None
access_key     ****************TUMK              env
secret_key     ****************dQo=              env
    region           ap-southeast-2              env    ['AWS_REGION', 'AWS_DEFAULT_REGION']
and the role includes the following permissions:
AmazonEC2ContainerRegistryFullAccess
AmazonElasticContainerRegistryPublicFullAccess
*note* hopefully irrelevant, but I am using custom containers so that I have the most recent awscli and git binaries:
# aws --version && git --version
aws-cli/2.15.15 Python/3.11.6 Linux/6.6.13-200.fc39prompt/off
git version 2.29.0
built with the following Dockerfile:
FROM atlassian/default-image
RUN apt remove --yes git
RUN add-apt-repository --yes ppa:git-core/ppa
RUN apt update --yes
RUN apt install --yes git
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "/tmp/awscliv2.zip" \
&& unzip -d /tmp/ /tmp/awscliv2.zip \
&& /tmp/aws/install \
&& rm -rf /tmp/{aws,awscliv2.zip}
Ideas?
Thanks for your suggestion, you're indeed right. There's also another part: after reading this post, https://stackoverflow.com/questions/72401495/error-using-oidc-with-atlassian-bitbucket-and-aws
I discovered I needed to do the following to set the OIDC token into the session:
- export AWS_REGION=$AWS_REGION
- export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
- aws configure set web_identity_token_file ${AWS_WEB_IDENTITY_TOKEN_FILE}
- aws configure set role_arn ${AWS_ROLE_ARN}
- unset AWS_ACCESS_KEY_ID
- unset AWS_SECRET_ACCESS_KEY
Hi @rupert160,
Thank you for reaching out to the community.
Would it be possible for you to check if you have the two AWS credential variables present in your Pipelines build?
If yes, could you try to unset those variables or remove them?
To unset those variables:
unset AWS_ACCESS_KEY_ID
unset AWS_SECRET_ACCESS_KEY
This is to ensure that the OIDC token is the one being used and not the key/secret when you run AWS CLI commands in the bash script.
You can check this relevant knowledge-based article for the same: Pipelines gives an error - "An error occurred (AccessDeniedException) when calling the operation" despite providing authorization via OIDC or "aws configure set"
Let me know how it goes.
Regards,
Mark C
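The two posts above describe one procedure: the `aws:` block under `image:` only lets the Bitbucket runner authenticate its pull of the build image from ECR; it does not configure the shell inside the step. The step's own shell has to consume `BITBUCKET_STEP_OIDC_TOKEN` itself (present only when the step has `oidc: true`), and any static `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` left in the environment sit earlier in the SDK's credential provider chain than web identity, so they win silently. The script below is an added example, not code from the thread or from Atlassian: it implements the follow-up's steps and Mark C's advice as reusable functions, writes the token with owner-only permissions, refuses to proceed without a token or with a malformed role ARN, and reports which credential source the CLI will end up using. The role ARN, file path and the token claims used in the demonstration are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): make the AWS CLI inside a
# Bitbucket Pipelines step use the step's OIDC token rather than static keys.
# The role ARN and token file path are placeholders, not values from the post.
set -eu

# Which credential source the AWS CLI/SDK will pick from the environment alone
# (profiles and config files ignored). The SDK checks static keys before the
# web-identity variables, which is why stale AWS_ACCESS_KEY_ID /
# AWS_SECRET_ACCESS_KEY shadow a correctly configured OIDC role.
aws_credential_source() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo static-keys
  elif [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    echo web-identity
  else
    echo none
  fi
}

# configure_aws_oidc ROLE_ARN [TOKEN_FILE]
# Writes $BITBUCKET_STEP_OIDC_TOKEN to a 0600 file, points the SDK at it and
# removes static keys so the web-identity provider is actually reached.
configure_aws_oidc() {
  local role_arn="$1"
  local token_file="${2:-$(pwd)/web-identity-token}"

  if [ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]; then
    echo "BITBUCKET_STEP_OIDC_TOKEN is empty: is 'oidc: true' set on the step?" >&2
    return 1
  fi
  case "$role_arn" in
    arn:aws:iam::*:role/*) ;;
    *) echo "not an IAM role ARN: $role_arn" >&2; return 1 ;;
  esac

  # The token is a bearer credential for the life of the step: never echo it
  # into the build log, and keep the file readable by the owner only.
  (umask 077; printf '%s' "$BITBUCKET_STEP_OIDC_TOKEN" > "$token_file")

  export AWS_ROLE_ARN="$role_arn"
  export AWS_WEB_IDENTITY_TOKEN_FILE="$token_file"
  # Static keys would otherwise take precedence in the provider chain.
  unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  echo "credential source: $(aws_credential_source)" >&2
}

# oidc_token_claims JWT
# Prints the token's payload (base64url-decoded, signature NOT verified). Only a
# readability aid for matching the role trust policy's conditions to the real
# aud/sub claims; AWS verifies the signature when it assumes the role.
oidc_token_claims() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d
}

# Runs for real only inside a Bitbucket step, where the token exists.
if [ -n "${BITBUCKET_STEP_OIDC_TOKEN:-}" ] && command -v aws >/dev/null; then
  configure_aws_oidc "${OIDC_ROLE_ARN:?set OIDC_ROLE_ARN to the role to assume}"
  oidc_token_claims "$BITBUCKET_STEP_OIDC_TOKEN"; echo
  aws sts get-caller-identity   # should report the assumed role, not an IAM user
fi
```

Source it at the top of `containers.sh` (or call it as the first `script:` line) and run `aws sts get-caller-identity` before any ECR call: if the `Arn` is an `assumed-role/...` ARN, the OIDC path is in use; if it is an IAM user or the call still fails with `UnrecognizedClientException`, something upstream is still injecting static keys. A separate point on the failing command in the question: `--repository-names` takes repository names such as `datallama/test/dlmvp_658/mytest2`, not the full registry URI, so once the credentials are right that invocation will fail with a repository-not-found error until the argument is shortened.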