Bitbucket pipelines cloud not able to assume a role on AWS with oidc

kalib May 16, 2022

I created a role and a web identity on aws following the steps here: https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/

I have my bitbucket pipelines working fine with a role and identity provider against aws if I use my public/free bitbucket account.

But the same doesn't work with my cloud/corporate bitbucket.

The code in the pipelines that I am using is:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager

I get:

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

I am not sure why it would work from my public free bitbucket account, but not from my corporate account. Is there any difference between those?

Of course, debugging it is extremely hard, since bitbucket pipelines does not let us echo any of those variables to see if the values are actually correct. :/

Another interesting thing is that, if I use simply this, it works:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000

But it looks like the authentication/session is gone when I try to run a second command, like:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
          - aws sts get-caller-identity --no-cli-pager

Which results in:

aws sts assume-role-with-web-identity --role-arn arn:aws:iam::057818844691:role/Dragos-BitbucketOIDCRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 10003s
+ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session  --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
{
    "Credentials": {
        "AccessKeyId": "XXXXXXXXXXXXX",
        "SecretAccessKey": "XXXX/ubniuhsaiodyhaeiyuer",
        "SessionToken": "XXXXXXXXXXXXX",
        "Expiration": "2022-05-16T17:43:43+00:00"
    },
    "SubjectFromWebIdentityToken": "{v3w4tw34-ae14-vtw3wbtw-96a9-bce3395a5394}:{v435234b5-12a2-4bd5-8863-v342b5423vg}",
    "AssumedRoleUser": {
        "AssumedRoleId": "XXXXXXXXXXX:build-session",
        "Arn": "arn:aws:sts::XXXXXXXX:assumed-role/MyRole/build-session"
    },
    "Provider": "arn:aws:iam::XXXXXXXXX:oidc-provider/api.bitbucket.org/2.0/workspaces/xxxxx/pipelines-config/identity/oidc",
    "Audience": "ari:cloud:bitbucket::workspace/vtbtw3t-295a-b56436363b-bv34654363246b"
}

aws sts get-caller-identity --no-cli-pager

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
 

But it's interesting that the same aws account works with my public free bitbucket account, and not with the paid bitbucket in my org.

1 answer

0 votes
Patrik S
Atlassian Team
May 17, 2022

Hello @kalib ,

Thank you for contacting Atlassian Community!

I've noticed you have opened an internal support ticket with us related to the same issue, but with the account where you have access to a Premium subscription.

I see that a support engineer is already working on that internal ticket, so in order to concentrate the discussion in just one place, I kindly ask you to continue working with our support engineering in the internal ticket.

If you have any question, please let me know!

Thank you, @kalib .

Kind regards,

Patrik S

Deb Mohan May 26, 2022

What is the resolution for this? I am having a similar issue.

pipelines:
  default:
    - step:
        name: Connect to AWS using OIDC
        oidc: true
        script:
          - export AWS_REGION=$AWS_REGION
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - printenv BITBUCKET_STEP_OIDC_TOKEN
          - printenv AWS_REGION
          - printenv AWS_ROLE_ARN
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000

PrintEnv Output:
printenv AWS_REGION
us-east-2

printenv AWS_ROLE_ARN
arn:aws:iam::1234567890:role/MyRole

printenv BITBUCKET_STEP_OIDC_TOKEN
<nothing here>

Error:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

However, when I use a pipe, everything works fine:

- pipe: atlassian/aws-s3-deploy:1.1.0
  variables:
    AWS_DEFAULT_REGION: $AWS_REGION # Optional if already defined in the context or OIDC used.
    AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN # Optional by default. Required for OpenID Connect (OIDC) authentication.
    S3_BUCKET: mygreat-bucket
    LOCAL_PATH: 'build'
    CACHE_CONTROL: 'max-age=86400'

Deb Mohan May 26, 2022

What is the resolution? Reposting, along with the details of the problem I have, which is very much related. Hopefully someone would help resolve.

pipelines:
  default:
    - step:
        name: Connect to AWS using OIDC
        oidc: true
        script:
          - export AWS_REGION=$AWS_REGION
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - printenv BITBUCKET_STEP_OIDC_TOKEN
          - printenv AWS_REGION
          - printenv AWS_ROLE_ARN
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000

PrintEnv Output:

printenv AWS_REGION
us-east-2

printenv AWS_ROLE_ARN
arn:aws:iam::1234567890:role/MyRole

printenv BITBUCKET_STEP_OIDC_TOKEN
<nothing here>

Error:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

However, when I use a pipe, everything works fine:

- pipe: atlassian/aws-s3-deploy:1.1.0
  variables:
    AWS_DEFAULT_REGION: $AWS_REGION # Optional if already defined in the context or OIDC used.
    AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN # Optional by default. Required for OpenID Connect (OIDC) authentication.
    S3_BUCKET: mygreat-bucket
    LOCAL_PATH: 'build'
    CACHE_CONTROL: 'max-age=86400'

Deb Mohan May 26, 2022

Is there a resolution to this problem? I just posted a question and it got deleted. Whoa.

kalib May 27, 2022

Hi @deb, yes, the following code worked for me:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager

The reason why it was failing before is that I had some environment variables in my bitbucket workspace that I didn't know about, so I just had to change this script a little bit to unset those variables, like this:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - unset AWS_SECRET_ACCESS_KEY
          - unset AWS_ACCESS_KEY_ID
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager

So, as you can see, I just had to unset the variables AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID.

Try that and see if it works for you.

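Added example (my own shell helpers, not code from kalib, Deb Mohan, Atlassian or AWS) tying together the two failure modes in this thread: kalib's InvalidClientTokenId, caused by static AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY workspace variables outranking the web identity token in the AWS CLI credential chain, and the "session gone on the second command" problem from the question, where the credentials printed by `aws sts assume-role-with-web-identity` are never exported. It also covers Deb Mohan's empty BITBUCKET_STEP_OIDC_TOKEN by failing early, and decodes the token's iss/aud/sub claims (the values a role trust policy conditions on) without printing the token itself. It assumes a bash or POSIX sh image with `base64`, `cut` and `sed`; every workspace id, key and token below is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: pre-flight helpers for a Bitbucket
# Pipelines step that exchanges the step's OIDC token for AWS credentials.
# All sample values (workspace ids, keys, tokens) are constructed placeholders.
set -e

# 1. Static keys outrank the web identity token in the AWS CLI credential chain,
#    which is why kalib's first script failed. Unset them and count them.
strip_static_creds() {
  STRIPPED_COUNT=0
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_PROFILE; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      echo "unsetting $v: it would shadow the OIDC web identity provider" >&2
      unset "$v"
      STRIPPED_COUNT=$((STRIPPED_COUNT + 1))
    fi
  done
}

# 2. Write the token to the path AWS_WEB_IDENTITY_TOKEN_FILE points at, with
#    owner-only permissions, and fail early when the token is empty.
write_token_file() {   # $1 = token, $2 = path
  if [ -z "$1" ]; then
    echo "BITBUCKET_STEP_OIDC_TOKEN is empty: is 'oidc: true' set on this step?" >&2
    return 1
  fi
  ( umask 077 && printf '%s' "$1" > "$2" )
}

# 3. Decode the JWT payload (base64url, no padding) to inspect claims without
#    echoing the token. The signature is NOT checked here; STS does that against
#    the provider's keys, so this is a debugging aid, not a trust decision.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d
}
claim() {   # $1 = payload JSON, $2 = claim name (string-valued claims only)
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# 4. Manual alternative to the token-file approach: turn the JSON printed by
#    `aws sts assume-role-with-web-identity` into export lines so later commands
#    in the same step reuse the session. Usage: eval "$(assume_role_exports "$json")"
assume_role_exports() {
  printf '%s\n' "$1" | sed -n \
    -e 's/^ *"AccessKeyId": *"\([^"]*\)".*/export AWS_ACCESS_KEY_ID=\1/p' \
    -e 's/^ *"SecretAccessKey": *"\([^"]*\)".*/export AWS_SECRET_ACCESS_KEY=\1/p' \
    -e 's/^ *"SessionToken": *"\([^"]*\)".*/export AWS_SESSION_TOKEN=\1/p'
}

# Constructed sample data so the helpers can be exercised offline.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }
sample_jwt() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  body=$(printf '%s' '{"iss":"https://api.bitbucket.org/2.0/workspaces/example-ws/pipelines-config/identity/oidc","aud":"ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000","sub":"{11111111-1111-1111-1111-111111111111}:{22222222-2222-2222-2222-222222222222}","exp":1652722223}' | b64url)
  printf '%s.%s.%s' "$hdr" "$body" "$(printf '%s' 'not-a-real-signature' | b64url)"
}
sample_sts_json() {
  cat <<'EOF'
{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE000000000",
        "SecretAccessKey": "constructedSecretKey/example",
        "SessionToken": "constructedSessionToken",
        "Expiration": "2022-05-16T17:43:43+00:00"
    }
}
EOF
}

if [ "${1:-}" = "--demo" ]; then   # run with --demo to exercise the helpers
  strip_static_creds
  write_token_file "$(sample_jwt)" "$(mktemp)"
  claims=$(jwt_payload "$(sample_jwt)")
  echo "iss=$(claim "$claims" iss) sub=$(claim "$claims" sub)"
  echo "stripped $STRIPPED_COUNT static credential variable(s)"
fi
```

In a real step you would call `strip_static_creds`, then `write_token_file "$BITBUCKET_STEP_OIDC_TOKEN" "$AWS_WEB_IDENTITY_TOKEN_FILE"`, and let the CLI pick up AWS_ROLE_ARN and the token file as in kalib's working script; that path is preferable to `eval`-ing exported keys because the CLI re-exchanges the token itself when the session expires. The `claim` output is what to compare against the role's trust policy: an AccessDenied on AssumeRoleWithWebIdentity, as in Deb Mohan's log, means the `iss`/`aud`/`sub` the token carries do not satisfy the policy's conditions for that role.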
Deb Mohan May 27, 2022

Thank you @kalib

I did try the unset but it did not work for me. I will try this again. Maybe I will tear down the whole thing and retry.

kalib May 30, 2022

By the way, it looks like your error is not related to bitbucket. It seems to be a permissions issue:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

That's the message you pasted here, so it looks like the role you're using on bitbucket does not have permissions to assume the role you want to assume.

Patrik S
Atlassian Team
May 30, 2022

Hello @Deb Mohan ,

I would like to ask if you could please create a new question for your issue, providing details on the errors you see. We generally encourage users to create a new question for their issue instead of posting on someone else’s question, because 1) the root cause and resolution may be different for each case 2) a question can become cluttered and difficult to follow if we try to troubleshoot multiple users’ issues in it. Please feel free to let me know if you have any questions.

Thank you, @Deb Mohan .

Kind regards,

Patrik S

Deb Mohan May 31, 2022

Will do and will also add the information on the roles that I am using to give you an insight in the issue.
