
Using different aws credentials in pipeline

oguzhan January 5, 2021

Hi, I have a Bitbucket pipeline that must use multiple AWS credentials for different duties.

In the first lines, I have a custom ECR image. To pull it, I created an AWS user with only ECR read-only permissions. The access-key and secret-key parameters are the keys of that user.

And in this ECR image, I embedded another AWS user's credentials to do the rest of the work (image push etc.). But somehow, the credentials that I used for pulling the base image are being used in the steps too. Because of this situation, the image push is being denied.

Are the credentials for the base image pull being applied pipeline-wide?

And how can I overcome this situation?

Thank you.

image:
  name: <ECR Image>
  aws:
    # Read-only ECR pull user (repository variables)
    access-key: $AWS_ACCESS_KEY_ID
    secret-key: $AWS_SECRET_ACCESS_KEY

pipelines:
  default:
    - step:
        name: "Image Build & Push"
        services:
          - docker
        script:
          - export ENVIRONMENT=beta
          - echo "Environment is ${ENVIRONMENT}"
          - export DOCKER_IMAGE_BUILDER="${BITBUCKET_REPO_SLUG}:builder"
          - make clean
          - >-
            make build BUILD_VER=${BITBUCKET_TAG}.${BITBUCKET_BUILD_NUMBER}
            APP_NAME=${BITBUCKET_REPO_SLUG}
            DOCKER_IMAGE_BUILDER=${DOCKER_IMAGE_BUILDER}
          - make test
          - docker tag ....
          - docker push .....


1 answer

0 votes
Halyna Berezovska
Atlassian Team
January 28, 2021

@oguzhan such syntax as you provide at the beginning of the pipeline is indeed pipeline-wide.

But in each step it should be overridden. This is the question of how you configure environment variables specifically for the push step.

If that does not succeed, you can also do some workarounds and use aws configure with different variable names (e.g. AWS_ACCESS_KEY_ID_PUSH), BUT I have a better solution that should match your case.

We have a feature in Bitbucket repos called Deployments, where you can set up an environment, for example call it your "beta", and put there variables specifically for your push.

There can be an AWS access key pair and other variables you need. Deployment variables will override your pipeline-wide variables for that deployment specifically, and not touch other steps.

See the documentation: https://support.atlassian.com/bitbucket-cloud/docs/set-up-and-monitor-bitbucket-deployments/

Basically, your pipeline, after the deployment is set up in the separate Bitbucket settings, would look like:

  - step:
      name: "Image Build & Push"
      deployment: beta
      services:
        - docker
      script:
        - ....

And in the beta deployment you will set AWS_ACCESS_KEY_ID and the secret for the push user.

I guess this solution is much cleaner and you could use it in the future for even more cases.

Regards, Galyna
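To make the two points of this thread concrete (the image-level aws block is pipeline-wide, and a deployment-scoped step overrides the variables the push user needs), here is a complete bitbucket-pipelines.yml as an added example. It is not from the question, the answer, or Atlassian's documentation. The ECR registry placeholders (<account-id>, <region>, <repo>), the tag trigger, and the assumption that the AWS CLI is installed in the builder image are all mine; the variable names and make targets follow the question above.

```yaml
# Added example, not part of the original thread.
# Two identities:
#   - pull user (ECR read-only)  -> repository variables AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
#   - push user (ECR write)      -> deployment "beta" variables with the SAME names
# Repository variables are exported into every step's environment, which is
# why the pull user showed up inside the step in the question. Deployment
# variables of the same name take precedence inside a step that declares
# "deployment: beta", and leave every other step untouched.
image:
  name: <account-id>.dkr.ecr.<region>.amazonaws.com/<repo>:builder   # placeholder
  aws:
    # Only used by Pipelines to pull the build image; keep this user read-only.
    access-key: $AWS_ACCESS_KEY_ID
    secret-key: $AWS_SECRET_ACCESS_KEY

pipelines:
  tags:                      # assumption: build-and-push runs on git tags,
    '*':                     # since the script uses BITBUCKET_TAG
      - step:
          name: "Image Build & Push"
          deployment: beta   # pulls in the push user's AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
          services:
            - docker
          script:
            - export ENVIRONMENT=beta
            - export DOCKER_IMAGE_BUILDER="${BITBUCKET_REPO_SLUG}:builder"
            # Assumes the AWS CLI is present in the builder image.
            # Verify which identity the step actually runs as before pushing;
            # if this prints the read-only pull user, the deployment variables
            # are not being applied and the push would be denied.
            - aws sts get-caller-identity
            - make clean
            - >-
              make build BUILD_VER=${BITBUCKET_TAG}.${BITBUCKET_BUILD_NUMBER}
              APP_NAME=${BITBUCKET_REPO_SLUG}
              DOCKER_IMAGE_BUILDER=${DOCKER_IMAGE_BUILDER}
            - make test
            # Docker login with the push user's credentials (placeholders are mine).
            - >-
              aws ecr get-login-password --region <region> |
              docker login --username AWS --password-stdin
              <account-id>.dkr.ecr.<region>.amazonaws.com
            - docker tag "${BITBUCKET_REPO_SLUG}:${BITBUCKET_TAG}" "<account-id>.dkr.ecr.<region>.amazonaws.com/<repo>:${BITBUCKET_TAG}"
            - docker push "<account-id>.dkr.ecr.<region>.amazonaws.com/<repo>:${BITBUCKET_TAG}"
```

The `aws sts get-caller-identity` line is the check worth keeping: it shows in the build log which IAM principal the step is using, so a misconfigured deployment variable is caught before the push fails with an access-denied error. Keeping the pull user read-only and giving write permissions only to the deployment-scoped push user means a step that does not declare `deployment: beta` never sees credentials that can write to the registry.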
