Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

BitBucket Pipelines - AWS Assume roles

What I need:

I'm using BitBucket Pipelines to run my build and deployment tasks targeted for AWS Lambda functions. Our AWS configuration requires that the AWS CLI commands run under an assumed role which will target a different AWS account - one for each environment (e.g. Test, Staging, Production, etc).


What I've tried:

  • I tried to update the ~/.aws/credentials during a pipeline step (this was what is required during local builds) but the file seems not accessible (no access to /root?)
  • I tried to configure the `AWS_SHARED_CREDENTIALS_FILE` env to point to a local `aws_credentials` file but that didn't work.


Any ideas?

1 answer

The aws cli assume role ( is easiest to use through the aws config files,  alternative being to do aws sts assume-role, which doesn't easily work with bitbucket.

I'd applied this with the following ugly hack,

set up the following environment variables, adjust <values> to suit your needs:



AWS_CONFIG_CONTENT=[default]\nregion = <Organization-region>\n[profile bitbot]\nregion = <assumed-builder-role-region>

AWS_CREDS_CONTENT=[default]\naws_access_key_id = <Organization-user-key-id>\naws_secret_access_key = <Organization-user-secret-token>\n[bitbot]\nrole_arn = arn:aws:iam::<Organization-AWS-A/C-No.>:role/<assumed-builder-role>\nsource_profile = default



Then in the bitbucket pipeline, inject the aws config file content :




   - eval $(aws ecr get-login --no-include-email)


Hi, in my case, what helped was to define the commands using the awscli configure tool, setting the profile and assuming the role afterwards.


- yum install -y python3-pip

- pip3 install awscli

- aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID

- aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY

- aws configure set region $AWS_REGION --profile sandbox

- aws configure set profile.sandbox.role_arn "${ROLE_ARN}"

- aws configure set profile.sandbox.source_profile default

- eval $(aws ecr get-login --no-include-email --region ${AWS_REGION} --profile sandbox | sed 's;https://;;g')


This worked great! 

Like Jim Fang likes this

This one works fine, but for the use case of assuming credentials from a different account it's still missing the role_arn to be assumed and the source_profile. A running version for assuming role would be:

- apt-get update
- apt-get install -y python3-pip
- pip3 install awscli
- aws --profile deployment configure set aws_access_key_id $AWS_ACCESS_KEY_ID
- aws --profile deployment configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY
- aws --profile deployment configure set role_arn $ROLE_ARN_NON_PROD
aws --profile deployment configure set source_profile deployment
- aws ecr get-login-password --region $AWS_REGION --profile deployment | docker login --username AWS --password-stdin $AWS_ECR

Suggest an answer

Log in or Sign up to answer
Community showcase
Published in Bitbucket

Git push size limits are coming to Bitbucket Cloud starting April 4th, 2022

Beginning on April 4th, we will be implementing push limits. This means that your push cannot be completed if it is over 3.5 GB. If you do attempt to complete a push that is over 3.5 GB, it will fail...

2,186 views 2 9
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you