Description
The pipe aws-ecr-push-image contains a bug where you cannot authorise using OpenID Connect if you have an env variable 'AWS_ACCESS_KEY_ID' set.
The pipe (https://bitbucket.org/atlassian/aws-ecr-push-image/src/master/) describes two options for Authentication:
1. Environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Default option.
2. Assume role provider with OpenID Connect (OIDC). More details in the Bitbucket Pipelines Using OpenID Connect guide (Integrating aws bitbucket pipeline with oidc). Make sure that you set up OIDC before:
   oidc: true
   in your Bitbucket Pipelines.

I have two AWS accounts, one of which I already have set up and is authorising with option 1. The other I'm setting up to use option 2.
You cannot use this second option if there are AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env variables present.
With a pipeline setup as instructed to use 'oidc: true' in the step to use OIDC authentication, such as this example:
image:
  name: $AWS_ECR_URL/example-image:latest
  aws:
    oidc-role: $V2_AWS_OIDC_ROLE
oidc: true
script:
  - docker build --tag example-image:latest .
  - pipe: atlassian/aws-ecr-push-image:1.5.0
    variables:
      AWS_OIDC_ROLE_ARN: $OIDC_ROLE_ARN
      IMAGE_NAME: example-image
      TAGS: latest
The output will show that this pipe is still using option 1 for authentication; the reason is that I have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as workspace variables.
Example output:
INFO: Using default authentication with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
Which then errors because these are the credentials for the wrong account; the AWS_ACCESS_KEY_ID is valid for the account it's trying to locate the repository on:
INFO: {'errorDetail': {'message': "name unknown: The repository with name 'example-image' does not exist in the registry with id '$AWS_ACCOUNT_ID'"}
It should not be authenticating this account with the AWS_ACCESS_KEY_ID, instead it should be authenticating the other account (where the repository exists) using the OpenID Connect method, since I have the 'oidc: true' option set.
Version of the pipe
1.5.0
Steps to reproduce
- Create an AWS ECR repository on one AWS account (account 1)
- Create an AWS ECR repository on another AWS account (account 2)
- Add the access key details for account 1 to workspace variables
- For account 2 set up as per https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/
- Create a pipeline which uses the aws-ecr-push-image pipe with the 'oidc: true' option to authenticate using OpenID Connect
- The pipeline will authenticate to Account 1 using the workspace variables AWS_ACCESS_KEY_ID, and therefore pushing the image in this pipeline will fail as it should be pushing to account 2, using the oidc authentication.
@George Betts hi. Thanks for your feedback.
First please update to the latest version of the pipe.
Next, I doubt the problem is with the environment variables present. I.e. this test passed, despite the fact that `AWS_ACCESS_KEY_ID` is present in the repository (unfortunately you cannot see it).
I guess the problem is the value of your $OIDC_ROLE_ARN, the Python value which returns False, i.e. an empty string.
Because if you use oidc you should see this message:
Hi Igor, this worked! Thank you, I'm not sure why I thought that 1.5.0 was the latest version, but I've now updated to 2.4.0 and fixed a spelling error I had in my OIDC_ROLE_ARN workspace variable!
Thank you
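As an added illustration of Igor's explanation (not code from the pipe or from either poster), the Python below reconstructs the precedence the thread describes: a non-empty AWS_OIDC_ROLE_ARN selects OIDC, an empty one falls back to the access keys, so a misspelled workspace variable name silently sends the push to the other account. The select_auth_method and check_oidc_config functions, the ARN pattern and the sample environments are assumptions built for this example; BITBUCKET_STEP_OIDC_TOKEN is the variable Pipelines sets on a step that has oidc: true.

```python
import re

# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<name-or-path>.
# Constructed pattern for this check; it is not taken from the pipe.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")

def select_auth_method(env):
    """Hypothetical reconstruction of the precedence the thread describes:
    OIDC is used only when AWS_OIDC_ROLE_ARN is non-empty; otherwise the pipe
    falls back to AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (the default option)."""
    if env.get("AWS_OIDC_ROLE_ARN", ""):      # "" is falsy, so a blank ARN is ignored
        return "oidc"
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "access-keys"
    return "none"

def check_oidc_config(env):
    """Return problems that would make the pipe authenticate to the wrong account.
    Intended as a pre-flight step run before the pipe itself."""
    problems = []
    role_arn = env.get("AWS_OIDC_ROLE_ARN", "")
    if not role_arn:
        problems.append("AWS_OIDC_ROLE_ARN is unset or empty (check the variable name)")
    elif not ROLE_ARN_RE.match(role_arn):
        problems.append(f"AWS_OIDC_ROLE_ARN is malformed: {role_arn!r}")
    if not env.get("BITBUCKET_STEP_OIDC_TOKEN"):   # set by Pipelines when oidc: true
        problems.append("no BITBUCKET_STEP_OIDC_TOKEN: 'oidc: true' missing on the step")
    if env.get("AWS_ACCESS_KEY_ID") and select_auth_method(env) != "oidc":
        problems.append("workspace AWS_ACCESS_KEY_ID would be used instead of OIDC")
    return problems

# Constructed sample environments (placeholder values, not real accounts or keys).
BROKEN_ENV = {  # the situation in the question: keys present, role variable misspelled
    "AWS_ACCESS_KEY_ID": "AKIA-PLACEHOLDER",
    "AWS_SECRET_ACCESS_KEY": "secret-placeholder",
    "AWS_OIDC_ROLE_ARN": "",                  # $OIDC_ROLE_ARN resolved to nothing
    "BITBUCKET_STEP_OIDC_TOKEN": "jwt-placeholder",
}
FIXED_ENV = dict(BROKEN_ENV, AWS_OIDC_ROLE_ARN="arn:aws:iam::123456789012:role/ecr-push")

if __name__ == "__main__":
    for name, env in ("broken", BROKEN_ENV), ("fixed", FIXED_ENV):
        print(name, select_auth_method(env), check_oidc_config(env))
```

Running the block prints "access-keys" with two problems for the broken environment and "oidc" with none for the fixed one, matching the INFO line the question quotes versus the OIDC path Igor expected.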