aws-cloudformation-deploy does not work with Role_ARN / cross account

Hi,

Using the pipe with ROLE_ARN does not seem to work when using 2 different accounts.

- pipe: atlassian/aws-cloudformation-deploy:0.10.0
  variables:
    STACK_NAME: $SERVICE-$BITBUCKET_DEPLOYMENT_ENVIRONMENT
    ROLE_ARN: arn:aws:iam::$AWS_ACCOUNT_ID:role/Deployment
    AWS_ACCESS_KEY_ID: $AWS_ACCESS_KEY_ID_V2
    AWS_SECRET_ACCESS_KEY: $AWS_SECRET_ACCESS_KEY_V2

The AWS_ACCESS_KEY_ID_V2 & AWS_SECRET_ACCESS_KEY_V2 are credentials of an IAM user that is defined in Account A but can assume the Deployment role in Account B, where the deployment needs to happen. However, this does not work.

Error below for the stack being deployed for the first time in Account B.

Status: Downloaded newer image for bitbucketpipelines/aws-cloudformation-deploy:0.10.0
INFO: Using default authentication with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.
INFO: Found credentials in environment variables.
INFO: Using stack template from template.yml for deploy.
INFO: Validating the template.
INFO: Updating the stack for notebook-dev.
ERROR: Failed to get information about stack notebook-dev.
An error occurred (ValidationError) when calling the DescribeStacks operation: Stack with id notebook-dev does not exist
Failed to update the stack.
An error occurred (AccessDenied) when calling the UpdateStack operation: Cross-account pass role is not allowed.

It could be possible that the AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY variables are not being used properly, as the default environment variables in the Bitbucket environment are for another account C, where the user cannot assume the role.

The following configuration works without using the pipe:

- export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID_V2
- export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY_V2
- aws s3 cp s3://$GROUP_V2/deploymentArchives/$SERVICE/$BITBUCKET_BUILD_NUMBER/template.yml .
- eval $(aws sts assume-role --role-arn arn:aws:iam::$AWS_ACCOUNT_ID:role/Deployment --role-session-name Bitbucket | jq -r '.Credentials | "export AWS_ACCESS_KEY_ID=\(.AccessKeyId)\nexport AWS_SECRET_ACCESS_KEY=\(.SecretAccessKey)\nexport AWS_SESSION_TOKEN=\(.SessionToken)\n"')
- >
  aws cloudformation deploy \
    --stack-name $SERVICE-$BITBUCKET_DEPLOYMENT_ENVIRONMENT \
    --template-file template.yml \
    --capabilities CAPABILITY_NAMED_IAM CAPABILITY_IAM CAPABILITY_AUTO_EXPAND \
    --parameter-overrides \
      AppId=$SERVICE \
      BuildNumber=$BITBUCKET_BUILD_NUMBER \
      Environment=$BITBUCKET_DEPLOYMENT_ENVIRONMENT \
      Group=$GROUP_V2 \
    --tags \
      AppID=$SERVICE \
      BuildNumber=$BITBUCKET_BUILD_NUMBER \
      Environment=$BITBUCKET_DEPLOYMENT_ENVIRONMENT \
      Branch=$BITBUCKET_BRANCH \
      Name=$SERVICE-$BITBUCKET_DEPLOYMENT_ENVIRONMENT \
      Project=$GROUP_V2 \
      Immutable=True


Expected behavior should be like this pipe, where a similar configuration works:

https://bitbucket.org/sightsoundtheatres/aws-cdk-deploy/src/master/
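The manual script above works because the Account A credentials are swapped for Account B credentials by AssumeRole before CloudFormation is called, whereas the pipe run ends in "Cross-account pass role is not allowed", i.e. the role ARN was handed to CloudFormation (PassRole) from credentials of a different account. The following added example (not code from the post or from the pipe) shows the same credential transformation the jq one-liner does and a pre-deploy guard that checks, from `aws sts get-caller-identity` output, that the credentials in effect belong to the account owning ROLE_ARN before any stack update runs. Account ids, ARNs and key material are constructed sample values.

```python
import json
import re

# Matches an IAM role ARN and captures the 12-digit account id that owns it.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def account_of_role(role_arn):
    """Return the account id that owns role_arn, or None if it is not a role ARN."""
    m = ROLE_ARN_RE.match(role_arn)
    return m.group(1) if m else None


def exports_from_assume_role(assume_role_json):
    """Map the JSON printed by `aws sts assume-role` to the three env vars the
    script on the page exports via jq; KeyError if the response is incomplete."""
    creds = json.loads(assume_role_json)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def check_deploy_identity(caller_identity_json, role_arn):
    """Guard to run right before `aws cloudformation deploy`.
    caller_identity_json is `aws sts get-caller-identity` output for the
    credentials currently exported. Deploying is only allowed when those
    credentials already belong to the account that owns role_arn (the state
    after a successful AssumeRole). Any other account would require passing
    the role to CloudFormation across accounts, which is the AccessDenied
    seen in the pipe log. Returns (ok, reason)."""
    target = account_of_role(role_arn)
    if target is None:
        return False, "ROLE_ARN is not an IAM role ARN: %s" % role_arn
    identity = json.loads(caller_identity_json)
    active = identity["Account"]
    if active != target:
        return False, ("credentials belong to account %s but the deployment role "
                       "lives in %s; assume the role first" % (active, target))
    return True, "deploying as %s in account %s" % (identity["Arn"], active)


# Constructed sample data: fake account ids, ARNs and key material.
SAMPLE_ROLE_ARN = "arn:aws:iam::222222222222:role/Deployment"
IDENTITY_BEFORE = json.dumps({"UserId": "AIDAEXAMPLE", "Account": "111111111111",
                              "Arn": "arn:aws:iam::111111111111:user/bitbucket-deployer"})
ASSUME_ROLE_RESPONSE = json.dumps({
    "Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example-secret",
                    "SessionToken": "example-token", "Expiration": "2099-01-01T00:00:00Z"},
    "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLE:Bitbucket",
                        "Arn": "arn:aws:sts::222222222222:assumed-role/Deployment/Bitbucket"}})
IDENTITY_AFTER = json.dumps({"UserId": "AROAEXAMPLE:Bitbucket", "Account": "222222222222",
                             "Arn": "arn:aws:sts::222222222222:assumed-role/Deployment/Bitbucket"})
```

Running the guard with IDENTITY_BEFORE reproduces the failing situation from the question (Account A credentials, Account B role); with IDENTITY_AFTER, the state the manual script reaches, it passes.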


1 answer

Hi @Rahul Arora

Thank you for your question!

It could be a good case for the new feature OpenID Connect provided by Bitbucket Pipelines:

Deploy a new version of your CloudFormation stack with OpenID Connect (OIDC) alternative authentication, without requiring AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

The parameter oidc: true in the step configuration and the variable AWS_OIDC_ROLE_ARN are required:

- step:
    oidc: true
    script:
      - pipe: atlassian/aws-cloudformation-deploy:0.10.0
        variables:
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          AWS_OIDC_ROLE_ARN: 'arn:aws:iam::123456789012:role/role_name'
          STACK_NAME: 'my-stack-name'
          TEMPLATE: 'stack_template.json'


Cheers,
Oleksandr Kyrdan
