BitBucket Pipelines - AWS Assume roles

What I need:

I'm using BitBucket Pipelines to run my build and deployment tasks targeted for AWS Lambda functions. Our AWS configuration requires that the AWS CLI commands run under an assumed role which will target a different AWS account - one for each environment (e.g. Test, Staging, Production, etc).


What I've tried:

  • I tried to update `~/.aws/credentials` during a pipeline step (this is what is required during local builds), but the file does not seem to be accessible (no access to /root?)
  • I tried to configure the `AWS_SHARED_CREDENTIALS_FILE` env to point to a local `aws_credentials` file but that didn't work.


Any ideas?

1 answer

The AWS CLI assume role (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html) is easiest to use through the AWS config files, the alternative being to run `aws sts assume-role`, which doesn't easily work with Bitbucket.

I applied this with the following ugly hack.

Set up the following environment variables, adjusting `<values>` to suit your needs:

```text
AWS_PROFILE=bitbot
AWS_CONFIG_FILE=/tmp/.awsconfig
AWS_SHARED_CREDENTIALS_FILE=/tmp/.awscreds
AWS_CONFIG_CONTENT=[default]\nregion = <Organization-region>\n[profile bitbot]\nregion = <assumed-builder-role-region>
AWS_CREDS_CONTENT=[default]\naws_access_key_id = <Organization-user-key-id>\naws_secret_access_key = <Organization-user-secret-token>\n[bitbot]\nrole_arn = arn:aws:iam::<Organization-AWS-A/C-No.>:role/<assumed-builder-role>\nsource_profile = default
```

and make sure `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` are NOT set.


Then, in the Bitbucket pipeline, inject the AWS config file content:

```yaml
script:
  # Quote the expansions so the content is written verbatim (no word
  # splitting or glob expansion of the injected file bodies).
  - echo -e "$AWS_CONFIG_CONTENT" > "$AWS_CONFIG_FILE"
  - echo -e "$AWS_CREDS_CONTENT" > "$AWS_SHARED_CREDENTIALS_FILE"
  # With AWS_PROFILE=bitbot exported, the CLI assumes the role from here on.
  - eval $(aws ecr get-login --no-include-email)
  # ......
```
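The same file injection as in the answer above, written as an added example (my code, not the answer author's) with the hardening a reviewer would ask for: POSIX `printf '%b'` instead of `echo -e`, quoted expansions, owner-only file permissions, tracing switched off while the secret is written, and a refusal to proceed if static keys are still exported (the condition the answer says must not occur). The environment variable names are the answer's; the function names `write_aws_files` and `aws_files_ok` are my own.

```shell
#!/bin/sh
# Added example: materialise the AWS CLI config and credentials files from
# the AWS_CONFIG_CONTENT / AWS_CREDS_CONTENT pipeline variables, safely.
# Inputs (same names as the answer above, values supplied by the pipeline):
#   AWS_CONFIG_FILE, AWS_SHARED_CREDENTIALS_FILE  destination paths
#   AWS_CONFIG_CONTENT, AWS_CREDS_CONTENT         bodies with literal "\n"

write_aws_files() {
    # Static keys in the environment would be used directly and the role in
    # the profile would never be assumed, so stop early rather than deploy
    # with the wrong identity.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] || [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "write_aws_files: unset AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY first" >&2
        return 1
    fi
    # Subshell: tracing off so the secret never reaches the build log, and
    # umask 077 so the files are created owner-only (0600) from the start.
    (
        set +x
        umask 077
        # printf '%b' expands the "\n" escapes and is POSIX; echo -e is not.
        printf '%b\n' "$AWS_CONFIG_CONTENT" > "$AWS_CONFIG_FILE"
        printf '%b\n' "$AWS_CREDS_CONTENT" > "$AWS_SHARED_CREDENTIALS_FILE"
        # umask does not touch files that already existed; tighten explicitly.
        chmod 600 "$AWS_CONFIG_FILE" "$AWS_SHARED_CREDENTIALS_FILE"
    ) || return 1
    return 0
}

# Sanity check usable as its own pipeline step: the credentials file must
# carry the role reference and its source profile, otherwise the CLI will
# silently fall back to the static default credentials.
aws_files_ok() {
    grep -q '^role_arn = arn:aws:iam::' "$AWS_SHARED_CREDENTIALS_FILE" || return 1
    grep -q '^source_profile = ' "$AWS_SHARED_CREDENTIALS_FILE" || return 1
    return 0
}

# Pipeline usage (the aws call is the one from the answer above):
#   write_aws_files && aws_files_ok && eval "$(aws ecr get-login --no-include-email)"
```

The subshell keeps `set +x` and the `umask` change local, so the rest of the step runs with whatever tracing and umask the pipeline image set.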

Hi, in my case what helped was to define the commands using the awscli configure tool, setting the profile and assuming the role afterwards.

```yaml
- TAG=${BITBUCKET_BRANCH:-$BITBUCKET_TAG}
- yum install -y python3-pip
- pip3 install awscli
- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws configure set region $AWS_REGION --profile sandbox
- aws configure set profile.sandbox.role_arn "${ROLE_ARN}"
- aws configure set profile.sandbox.source_profile default
- eval $(aws ecr get-login --no-include-email --region ${AWS_REGION} --profile sandbox | sed 's;https://;;g')
```


This worked great! 


This one works fine, but for the use case of assuming credentials from a different account it is still missing the role_arn to be assumed and the source_profile. A working version for assuming the role would be:

```yaml
script:
  - apt-get update
  - apt-get install -y python3-pip
  - pip3 install awscli
  - aws --profile deployment configure set aws_access_key_id $AWS_ACCESS_KEY_ID
  - aws --profile deployment configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
  - aws --profile deployment configure set role_arn $ROLE_ARN_NON_PROD
  # A profile may name itself as source_profile: its static keys are then
  # used as the source credentials for the role assumption.
  - aws --profile deployment configure set source_profile deployment
  - aws ecr get-login-password --region $AWS_REGION --profile deployment | docker login --username AWS --password-stdin $AWS_ECR
```
