Issue with Bitbucket Pipelines and OIDC

Mario Peña
October 13, 2025

Has anyone run into issues using OpenID Connect with Bitbucket Pipelines when trying to separate Terraform stages and keep the plan automatic but the apply manual?

Current Situation

I have a Bitbucket pipeline set up to perform a deploy on Google Cloud using Terraform. This pipeline has two environments: development and staging.

The Terraform execution is quite simple, as it only handles the creation of a Pub/Sub topic.

To authenticate in each environment, I’m using OpenID Connect together with Workload Identity Federation (GCP), which allows me to impersonate a service account with the necessary permissions.

Problem

The issue arises when performing the deploy using OpenID Connect, since I need to separate the pipeline execution into stages, as each one has its own Deployment Environment UUID for OpenID Connect.

I understand that a best practice is for the terraform plan step to run automatically, while the terraform apply step should be executed manually.

The problem is that Bitbucket does not allow configuring a manual step within a stage, which prevents implementing this workflow correctly.

Example

Below is an example of my bitbucket-pipelines.yml file, which does not work due to the restriction mentioned above:

 

image: [image with terraform and gcloud installed]

definitions:
  steps:
    - step: &terraform-init-and-plan
        name: 'Terraform init and plan'
        oidc: true
        script:
          # Persist this step's OIDC token where the credential configuration expects it
          - echo "$BITBUCKET_STEP_OIDC_TOKEN" > /tmp/oidc-token.txt
          # GCLOUD_API_KEYFILE holds the base64-encoded Workload Identity Federation credential configuration
          - echo "$GCLOUD_API_KEYFILE" | base64 -d > ./gcloud-api-key.json
          - export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/gcloud-api-key.json
          - gcloud auth login --cred-file=./gcloud-api-key.json
          - gcloud config set project ${PROJECT_ID}
          - terraform init -input=false -no-color
          - terraform validate
          - terraform plan -var="project_id=${PROJECT_ID}" -var="project_number=${PROJECT_NUMBER}" -input=false -compact-warnings -out=plan.file
        artifacts:
          - plan.file
    - step: &terraform-apply
        name: 'Terraform Apply'
        oidc: true
        trigger: manual
        script:
          # The apply step gets its own OIDC token (and, inside a stage, its own deployment environment UUID)
          - echo "$BITBUCKET_STEP_OIDC_TOKEN" > /tmp/oidc-token.txt
          - echo "$GCLOUD_API_KEYFILE" | base64 -d > ./gcloud-api-key.json
          - export GOOGLE_APPLICATION_CREDENTIALS=`pwd`/gcloud-api-key.json
          - gcloud auth login --cred-file=./gcloud-api-key.json
          - gcloud config set project ${PROJECT_ID}
          - terraform init -input=false -no-color
          # A saved plan already carries its variable values; Terraform rejects -var when applying plan.file
          - terraform apply -input=false -no-color -compact-warnings -auto-approve plan.file

pipelines:
  default:
    - stage:
        name: 'Terraform Dev'
        deployment: test
        steps:
          - step: *terraform-init-and-plan
          - step: *terraform-apply
    - stage:
        name: 'Terraform Prod'
        deployment: production
        trigger: manual
        steps:
          - step: *terraform-init-and-plan
          - step: *terraform-apply
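As an added illustration (not part of the original post, and not Bitbucket's or Google's code), this Python snippet shows why each stage's token is bound to its own Deployment Environment UUID: it builds constructed, unsigned tokens with the claims Bitbucket documents for BITBUCKET_STEP_OIDC_TOKEN and applies the same check a Workload Identity Federation attribute condition pinned to one environment would apply. The UUIDs, issuer and audience are made up, the claim names are an assumption to verify against a real token, and signature verification is omitted because GCP performs it during the token exchange.

```python
import base64
import json

# Constructed sample data for this example: the UUIDs below are made up.
# Claim names follow the ones Bitbucket documents for BITBUCKET_STEP_OIDC_TOKEN
# (repositoryUuid, deploymentEnvironmentUuid, stepUuid, sub); treat them as an
# assumption and compare them with your own token's payload.
REPO_UUID = "{11111111-aaaa-4bbb-8ccc-000000000001}"
TEST_ENV_UUID = "{22222222-aaaa-4bbb-8ccc-000000000002}"
PROD_ENV_UUID = "{33333333-aaaa-4bbb-8ccc-000000000003}"


def _b64url(data: bytes) -> str:
    # Base64url without padding, as used for JWT segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(env_uuid: str, step_uuid: str) -> str:
    """Build an unsigned JWT carrying the claims a deployment step would get.
    The signature segment is a placeholder; GCP verifies the real one."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = {
        "iss": "https://example.invalid/bitbucket-oidc",  # constructed issuer
        "aud": "example-audience",  # constructed audience
        "repositoryUuid": REPO_UUID,
        "deploymentEnvironmentUuid": env_uuid,
        "stepUuid": step_uuid,
        # Bitbucket's subject for a deployment step: REPO:ENVIRONMENT:STEP
        "sub": f"{REPO_UUID}:{env_uuid}:{step_uuid}",
    }
    return f"{header}.{_b64url(json.dumps(payload).encode())}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment only; no signature check (inspection aid)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def environment_matches(token: str, allowed_env_uuid: str) -> bool:
    """Same test a WIF attribute condition pinned to one deployment
    environment applies: right repo, right environment, consistent sub."""
    c = decode_claims(token)
    expected_sub = f"{c.get('repositoryUuid')}:{c.get('deploymentEnvironmentUuid')}:{c.get('stepUuid')}"
    return (
        c.get("repositoryUuid") == REPO_UUID
        and c.get("deploymentEnvironmentUuid") == allowed_env_uuid
        and c.get("sub") == expected_sub
    )
```

A token minted in the `test` stage satisfies only the condition for the test environment UUID, which is why the plan and apply steps of one environment must run inside the same stage to share that UUID.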

 

0 answers
