Using different aws credentials in pipeline


Hi, I have a Bitbucket pipeline that must have multiple AWS credentials for different duties.

In the first lines, I have a custom ECR image. To pull it, I created an AWS user with only ECR read-only permissions. The access-key and secret-key parameters are the keys of that user.

And in this ECR image, I embedded another AWS user's credentials to do the rest of the work (image push etc.). But somehow, the credentials that I used for pulling the base image are running in the steps too. Because of this situation, the image push is being denied.

Are the credentials for the base image pull being applied pipeline-wide?

And how can I overcome this situation?

Thank you. 

# Build image pulled from ECR with the read-only user's keys
image:
  name: <ECR Image>
  aws:
    access-key: $AWS_ACCESS_KEY_ID
    secret-key: $AWS_SECRET_ACCESS_KEY

pipelines:
  - step:
      name: "Image Build & Push"
      services:
        - docker
      script:
        - export ENVIRONMENT=beta
        - echo "Environment is ${ENVIRONMENT}"
        - export DOCKER_IMAGE_BUILDER="${BITBUCKET_REPO_SLUG}:builder"
        - make clean
        # Kept on one line: a trailing backslash inside a folded YAML scalar would reach the shell as "\ "
        - make build BUILD_VER=${BITBUCKET_TAG}.${BITBUCKET_BUILD_NUMBER} APP_NAME=${BITBUCKET_REPO_SLUG} DOCKER_IMAGE_BUILDER=${DOCKER_IMAGE_BUILDER}
        - make test
        - docker tag ....
        - docker push .....

 

1 answer

@oguzhansuch the syntax you provide at the beginning of the pipeline is indeed pipeline-wide.

But in each step it should be overridden. The question is how you configure environment variables specifically for the push step.

If that does not succeed, you can also do some workarounds and use aws configure with different variable names (e.g. AWS_ACCESS_KEY_ID_PUSH), BUT I have a better solution that should match your case.

 

We have a feature in Bitbucket repos called Deployments, where you can set up an environment, for example call it "beta", and put variables there specifically for your push.

These can be the AWS access key pair and other variables you need. Deployment variables will override your pipeline-wide variables for that deployment specifically, and not touch other steps.

See the documentation: https://support.atlassian.com/bitbucket-cloud/docs/set-up-and-monitor-bitbucket-deployments/

Basically, after the deployment's setup in the separate Bitbucket settings, your pipeline would look like:

  - step:
      name: "Image Build & Push"
      deployment: beta
      services:
        - docker
      script:
        - ....

And in the beta deployment you will set AWS_ACCESS_KEY_ID and the secret for the push user.

I guess this solution is much cleaner and you could use it in the future for even more cases.

Regards, Galyna
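
The workaround mentioned in the answer above (the push user's keys stored under different variable names), written out as an added example that is not part of the original thread. The helper name `with_push_creds` and the variable `AWS_SECRET_ACCESS_KEY_PUSH` are assumptions; both `_PUSH` values are expected to be secured repository variables, not values embedded in the image.

```shell
#!/bin/sh
# Added example: run ONE command as the push user while the rest of the
# step keeps the pull-only keys that the image: block made pipeline-wide.
# AWS_ACCESS_KEY_ID_PUSH / AWS_SECRET_ACCESS_KEY_PUSH are assumed names.

# The function body is a subshell ( ... ), so the exports below never
# leak back into the step's own environment.
with_push_creds() (
    if [ -z "${AWS_ACCESS_KEY_ID_PUSH:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY_PUSH:-}" ]; then
        # Fail closed instead of silently pushing as the read-only user.
        echo "push credentials are not set; not falling back to pull user" >&2
        exit 1
    fi
    export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID_PUSH"
    export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY_PUSH"
    # A session token left over from another identity would be sent with
    # this key pair and the request would be rejected.
    unset AWS_SESSION_TOKEN
    "$@"
)

# Usage inside the step's script (region and registry are placeholders):
#   with_push_creds aws sts get-caller-identity   # confirm the active user
#   with_push_creds aws ecr get-login-password --region <region> \
#     | docker login --username AWS --password-stdin <registry>
#   docker push .....
```

Calling `aws sts get-caller-identity` with and without the wrapper shows which user each command runs as, which is the quickest way to confirm why a push is denied.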
