
BUG - Can't authenticate aws-ecr-push-image pipe using OpenID Connect when access key env is set

George Betts
May 24, 2024


Description
The pipe aws-ecr-push-image contains a bug where you cannot authorise using OpenID Connect if you have an env variable set 'AWS_ACCESS_KEY_ID'.

The pipe (https://bitbucket.org/atlassian/aws-ecr-push-image/src/master/) describes two options for Authentication: 

  1. Environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY. Default option.

  2. Assume role provider with OpenID Connect (OIDC). More details in the Bitbucket Pipelines Using OpenID Connect guide Integrating aws bitbucket pipeline with oidc. Make sure that you set up OIDC before:

    • configure Bitbucket Pipelines as a Web Identity Provider in AWS
    • attach to provider your AWS role with required policies in AWS
    • set up a build step with oidc: true in your Bitbucket Pipelines
    • pass AWS_OIDC_ROLE_ARN (*) variable that represents role having appropriate permissions to execute actions on AWS ECR resources

I have two AWS accounts, one of which I already have set up and is authorising with option 1. The other I'm setting up to use option 2.

You cannot use this second option if there are AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY env variables present.

With a pipeline setup as instructed to use 'oidc: true' in the step to use OIDC authentication, such as this example:

image:
  name: $AWS_ECR_URL/example-image:latest
  aws:
    oidc-role: $V2_AWS_OIDC_ROLE
oidc: true
script:
  - docker build --tag example-image:latest .
  - pipe: atlassian/aws-ecr-push-image:1.5.0
    variables:
      AWS_OIDC_ROLE_ARN: $OIDC_ROLE_ARN
      IMAGE_NAME: example-image
      TAGS: latest

The output will show that this pipe is still using option 1 for authentication; the reason is that I have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as workspace variables.

Example output:

INFO: Using default authentication with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY

Which then errors because these are the credentials for the wrong account; the AWS_ACCESS_KEY_ID is valid for the account it's trying to locate the repository on:

INFO: {'errorDetail': {'message': "name unknown: The repository with name 'example-image' does not exist in the registry with id '$AWS_ACCOUNT_ID'"}

It should not be authenticating this account with the AWS_ACCESS_KEY_ID, instead it should be authenticating the other account (where the repository exists) using the OpenID Connect method, since I have the 'oidc: true' option set.

Version of the pipe
1.5.0

Steps to reproduce
- Create an AWS ECR repository on one AWS account (account 1)
- Create an AWS ECR repository on another AWS account (account 2)
- Add the access key details for account 1 to workspace variables
- For account 2 set up as per https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/
- Create a pipeline which uses the aws-ecr-push-image pipe with the 'oidc: true' option to authenticate using OpenID Connect
- The pipeline will authenticate to Account 1 using the workspace variables AWS_ACCESS_KEY_ID, and therefore pushing the image in this pipeline will fail as it should be pushing to account 2, using the oidc authentication.

Answer accepted
Igor Stoyanov
Atlassian Team
May 24, 2024

@George Betts hi. Thanks for your feedback.

First please update to the latest version of the pipe.

Next, I doubt the problem is with environment variables being present. I.e. this test passed, despite the fact that `AWS_ACCESS_KEY_ID` is present in the repository (unfortunately you cannot see it).

I guess the problem is the value of your $OIDC_ROLE_ARN: the Python value which returns False, i.e. an empty string.

Because if you use oidc you should see this message:

Authenticating with a OpenID Connect (OIDC) Web Identity Provider
or at least this:
Parameter "oidc: true" in the step configuration is required for OIDC authentication

But it seems like the condition is not met.

Please, check your $OIDC_ROLE_ARN variable.

Regards, Igor
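To make the precedence Igor describes concrete, here is an added Python model (not the pipe's own code) of how the credential choice falls through to access keys when AWS_OIDC_ROLE_ARN expands to an empty string; the IAM role ARN pattern and the use of BITBUCKET_STEP_OIDC_TOKEN as the signal that `oidc: true` was set are assumptions, and the sample environments are constructed.

```python
import re

# Messages as they appear in the pipe output quoted in this thread.
MSG_OIDC = "Authenticating with a OpenID Connect (OIDC) Web Identity Provider"
MSG_NEED_OIDC_STEP = ('Parameter "oidc: true" in the step configuration '
                      'is required for OIDC authentication')
MSG_DEFAULT = ("Using default authentication with AWS_ACCESS_KEY_ID "
               "and AWS_SECRET_ACCESS_KEY")

# Assumed IAM role ARN shape: arn:aws:iam::<12-digit account>:role/<name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def select_auth(env):
    """Model of the pipe's credential selection (assumption, not the pipe's code).

    Returns (mode, message, warnings). The OIDC path is taken only when
    AWS_OIDC_ROLE_ARN is truthy; an empty string (e.g. a mis-spelled
    workspace variable expanding to nothing) falls back to access keys,
    even when those keys belong to a different AWS account.
    """
    warnings = []
    role_arn = env.get("AWS_OIDC_ROLE_ARN", "")
    # BITBUCKET_STEP_OIDC_TOKEN is injected by Pipelines when oidc: true is set.
    step_token = env.get("BITBUCKET_STEP_OIDC_TOKEN", "")
    has_keys = bool(env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"))

    if role_arn:
        if not ROLE_ARN_RE.match(role_arn):
            warnings.append(f"AWS_OIDC_ROLE_ARN is not an IAM role ARN: {role_arn!r}")
        if not step_token:
            return "error", MSG_NEED_OIDC_STEP, warnings
        return "oidc", MSG_OIDC, warnings

    if "AWS_OIDC_ROLE_ARN" in env:
        warnings.append("AWS_OIDC_ROLE_ARN is empty; check the variable name it expands from")
    if has_keys:
        return "keys", MSG_DEFAULT, warnings
    return "error", "No usable credentials in the environment", warnings


if __name__ == "__main__":
    # Constructed environment reproducing the report: account-1 keys in the
    # workspace plus an OIDC ARN that expanded to "" because of a typo.
    broken = {"AWS_ACCESS_KEY_ID": "AKIAEXAMPLE", "AWS_SECRET_ACCESS_KEY": "secret",
              "AWS_OIDC_ROLE_ARN": "", "BITBUCKET_STEP_OIDC_TOKEN": "eyJ...constructed"}
    fixed = dict(broken, AWS_OIDC_ROLE_ARN="arn:aws:iam::123456789012:role/ecr-push")
    for name, env in (("broken", broken), ("fixed", fixed)):
        mode, msg, warns = select_auth(env)
        print(f"{name}: {mode} - {msg}", *warns, sep="\n  ")
```

Running it prints the "keys" fallback with a warning for the broken environment and the OIDC message for the fixed one, which is the difference the reporter saw between 1.5.0 with the typo and the corrected variable.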
George Betts
May 24, 2024

Hi Igor, this worked! Thank you, I'm not sure why I thought that 1.5.0 was the latest version, but I've now updated to 2.4.0 and fixed a spelling error I have in my OIDC_ROLE_ARN workspace variable!

Thank you
