BitBucket Pipelines - AWS Assume roles

Tri Tran August 14, 2019

What I need:

I'm using BitBucket Pipelines to run my build and deployment tasks targeted for AWS Lambda functions. Our AWS configuration requires that the AWS CLI commands run under an assumed role which will target a different AWS account - one for each environment (e.g. Test, Staging, Production, etc).


What I've tried:

  • I tried to update the ~/.aws/credentials during a pipeline step (this is what is required during local builds) but the file seems not to be accessible (no access to /root?)
  • I tried to configure the `AWS_SHARED_CREDENTIALS_FILE` env to point to a local `aws_credentials` file but that didn't work.


Any ideas?

1 answer

1 vote
ccorrigacscf August 21, 2019

The aws cli assume role (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html) is easiest to use through the aws config files, the alternative being to do aws sts assume-role, which doesn't easily work with bitbucket.

I'd applied this with the following ugly hack,

set up the following environment variables, adjust <values> to suit your needs:

AWS_PROFILE=bitbot
AWS_CONFIG_FILE=/tmp/.awsconfig
AWS_SHARED_CREDENTIALS_FILE=/tmp/.awscreds
AWS_CONFIG_CONTENT=[default]\nregion = <Organization-region>\n[profile bitbot]\nregion = <assumed-builder-role-region>
AWS_CREDS_CONTENT=[default]\naws_access_key_id = <Organization-user-key-id>\naws_secret_access_key = <Organization-user-secret-token>\n[bitbot]\nrole_arn = arn:aws:iam::<Organization-AWS-A/C-No.>:role/<assumed-builder-role>\nsource_profile = default

and made sure AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are NOT set


Then in the bitbucket pipeline, inject the aws config file content:

script:
   - echo -e "$AWS_CONFIG_CONTENT" > "$AWS_CONFIG_FILE"
   - echo -e "$AWS_CREDS_CONTENT" > "$AWS_SHARED_CREDENTIALS_FILE"
   - eval $(aws ecr get-login --no-include-email)
   ......

Diogo Zedan March 12, 2020

Hi, in my case, what helped was to define the commands using the awscli configure tool, setting the profile and assuming the role afterwards.

- TAG=${BITBUCKET_BRANCH:-$BITBUCKET_TAG}
- yum install -y python3-pip
- pip3 install awscli
- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws configure set region $AWS_REGION --profile sandbox
- aws configure set profile.sandbox.role_arn "${ROLE_ARN}"
- aws configure set profile.sandbox.source_profile default
- eval $(aws ecr get-login --no-include-email --region ${AWS_REGION} --profile sandbox | sed 's;https://;;g')


This worked great! 

Diogo Zedan June 22, 2021

This one works fine, but for the use case of assuming credentials from a different account it's still missing the role_arn to be assumed and the source_profile. A running version for assuming role would be:

script:
- apt-get update
- apt-get install -y python3-pip
- pip3 install awscli
- aws --profile deployment configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws --profile deployment configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws --profile deployment configure set role_arn $ROLE_ARN_NON_PROD
- aws --profile deployment configure set source_profile deployment
- aws ecr get-login-password --region $AWS_REGION --profile deployment | docker login --username AWS --password-stdin $AWS_ECR
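An added example (not code from the question or the answers above) that combines the answer's file-injection approach with the role_arn/source_profile point from the last comment: it writes the config and credentials files from pipeline variables, assumed here to be named ORG_ACCESS_KEY_ID, ORG_SECRET_ACCESS_KEY, BUILDER_ROLE_ARN and AWS_REGION, and checks the profile before any aws call is made.

```shell
#!/bin/sh
# Added example, not code from the thread. It writes the two files the
# assume-role profile needs from pipeline variables using heredocs instead
# of `echo -e $VAR` (no backslash handling, no glob expansion of "[default]")
# and creates them owner-readable only. Assumed variable names:
# ORG_ACCESS_KEY_ID, ORG_SECRET_ACCESS_KEY, BUILDER_ROLE_ARN, AWS_REGION.

# With the profile chosen via AWS_PROFILE, static credentials in the
# environment win over the profile's role, so refuse to continue if they are set.
check_no_static_env_creds() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY must be unset" >&2
        return 1
    fi
}

# write_aws_profiles CONFIG_FILE CREDENTIALS_FILE
# Long-lived keys go only in the credentials file; the "bitbot" profile
# carries role_arn and source_profile, as in the thread.
write_aws_profiles() {
    : "${ORG_ACCESS_KEY_ID:?}" "${ORG_SECRET_ACCESS_KEY:?}"
    : "${BUILDER_ROLE_ARN:?}" "${AWS_REGION:?}"
    (
        umask 077   # 0600 files; the subshell keeps the umask change local
        cat >"$1" <<EOF
[default]
region = $AWS_REGION

[profile bitbot]
region = $AWS_REGION
role_arn = $BUILDER_ROLE_ARN
source_profile = default
EOF
        cat >"$2" <<EOF
[default]
aws_access_key_id = $ORG_ACCESS_KEY_ID
aws_secret_access_key = $ORG_SECRET_ACCESS_KEY
EOF
    )
}

# profile_assumes_role CONFIG_FILE PROFILE: succeeds only if the profile
# section has both role_arn and source_profile (what the last comment found
# missing); run it before the first aws call to fail fast.
profile_assumes_role() {
    section=$(sed -n "/^\[profile $2]/,/^\[/p" "$1")
    printf '%s\n' "$section" | grep -q '^role_arn *=' &&
        printf '%s\n' "$section" | grep -q '^source_profile *='
}
```

In the pipeline step, call check_no_static_env_creds, then write_aws_profiles "$AWS_CONFIG_FILE" "$AWS_SHARED_CREDENTIALS_FILE", then profile_assumes_role "$AWS_CONFIG_FILE" bitbot before the first aws command.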
