Hello
I created the policy below on AWS to run the pipelines.
But the IP condition list is causing it to fail, in my case for the s3 sync operation.
I've used the list from https://confluence.atlassian.com/bitbucket/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall-343343385.html
Any ideas why?
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "34.199.54.113/32",
            "34.232.25.90/32",
            "34.232.119.183/32",
            "34.236.25.177/32",
            "35.171.175.212/32",
            "52.54.90.98/32",
            "52.202.195.162/32",
            "52.203.14.55/32",
            "52.204.96.37/32",
            "34.218.156.209/32",
            "34.218.168.212/32",
            "52.41.219.63/32",
            "35.155.178.254/32",
            "35.160.177.10/32",
            "34.216.18.129/32",
            "18.205.93.0/25",
            "18.234.32.128/25",
            "13.52.5.0/25"
          ]
        }
      }
    }
  ]
}
```
The reason it's not working, according to AWS support, is that there are internal IPs between services, such as S3. An IP condition on the IAM user will not be enough.
The solution is to use a role which can be assumed by an IAM user that has a single permission: to assume that new role.
The Trust section of the role will have only the Bitbucket IPs.
https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/
Integration into the pipeline can use assume role in boto3 or with:
Diogo Zedan answer
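The two-policy design from the answer, written out as an added example (this is not the poster's, the answerer's, or AWS's code). It builds the IAM user's permissions policy (only `sts:AssumeRole` on the one role), the role's trust policy (the user as principal, restricted by `aws:SourceIp` to the Bitbucket list quoted in the question), checks each CIDR before it goes into the policy, and shows the boto3 `assume_role` call a pipeline step would make. The account id, role name and user name are placeholders; the role's own permissions policy (what it may do once assumed) is separate and not shown here.

```python
"""Added example: IAM user -> sts:AssumeRole -> role whose trust policy is
IP-restricted to the Bitbucket Cloud addresses quoted in the question."""
import ipaddress
import json

# Constructed from the Bitbucket Cloud list pasted in the question above.
BITBUCKET_CIDRS = [
    "34.199.54.113/32", "34.232.25.90/32", "34.232.119.183/32",
    "34.236.25.177/32", "35.171.175.212/32", "52.54.90.98/32",
    "52.202.195.162/32", "52.203.14.55/32", "52.204.96.37/32",
    "34.218.156.209/32", "34.218.168.212/32", "52.41.219.63/32",
    "35.155.178.254/32", "35.160.177.10/32", "34.216.18.129/32",
    "18.205.93.0/25", "18.234.32.128/25", "13.52.5.0/25",
]

ACCOUNT_ID = "123456789012"                # placeholder account id
ROLE_NAME = "BitbucketPipelinesRole"       # assumed role name
USER_NAME = "bitbucket-pipelines"          # assumed IAM user name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/{USER_NAME}"


def validate_cidrs(cidrs):
    """Parse every entry as a network; a typo or host bits set raises ValueError
    instead of silently producing a condition that never matches."""
    return [str(ipaddress.ip_network(c, strict=True)) for c in cidrs]


def source_ip_allowed(ip, cidrs):
    """Local check of what the aws:SourceIp condition would decide for one caller IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in validate_cidrs(cidrs))


def user_policy(role_arn):
    """Permissions policy attached to the IAM user: the only thing it can do
    is assume this one role (no IP condition here, per the answer)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
        }],
    }


def role_trust_policy(user_arn, cidrs):
    """Trust policy on the role: only this user, and only when the AssumeRole
    call itself arrives from a Bitbucket address. S3's internal calls never
    go through this check, which is why the condition belongs here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"IpAddress": {"aws:SourceIp": validate_cidrs(cidrs)}},
        }],
    }


def assume_role_session(role_arn, session_name="bitbucket-pipeline"):
    """Pipeline side: exchange the user's keys (from the environment) for
    temporary role credentials and return a boto3 Session using them.
    boto3 is imported lazily so the policy helpers work without it installed."""
    import boto3
    sts = boto3.client("sts")
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


if __name__ == "__main__":
    print(json.dumps(user_policy(ROLE_ARN), indent=2))
    print(json.dumps(role_trust_policy(USER_ARN, BITBUCKET_CIDRS), indent=2))
    # In the pipeline step, with the user's keys in the environment:
    # s3 = assume_role_session(ROLE_ARN).client("s3")
```

The `s3 sync` step then runs with the temporary credentials from `assume_role_session` (or the equivalent `aws sts assume-role` call) rather than the user's long-lived keys, so the IP restriction is evaluated once, on the AssumeRole call from the Bitbucket runner, and never on the service-to-service traffic that broke the original policy.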