I created a role and a web identity on aws following the steps here: https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/
I have my bitbucket pipelines working fine with a role and identity provider against aws if I use my public/free bitbucket account.
But the same doesn't work with my cloud/corporate bitbucket.
The code in the pipelines that I am using is:
image: amazon/aws-cli
pipelines:
  default:
    - step:
        oidc: true
        script:
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
I am not sure why it would work from my public free bitbucket account, but not from my corporate account. Is there any difference between those?
Of course, debugging it is extremely hard since bitbucket pipelines does not let us echo any of those variables to see if the values are actually correct. :/
Another interesting thing is that, if I use simply this, it works:
image: amazon/aws-cli
pipelines:
  default:
    - step:
        oidc: true
        script:
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
But it looks like the authentication/session is gone when I try to run a second command, like:
image: amazon/aws-cli
pipelines:
  default:
    - step:
        oidc: true
        script:
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
          - aws sts get-caller-identity --no-cli-pager
Which results in:
+ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
{
    "Credentials": {
        "AccessKeyId": "XXXXXXXXXXXXX",
        "SecretAccessKey": "XXXX/ubniuhsaiodyhaeiyuer",
        "SessionToken": "XXXXXXXXXXXXX",
        "Expiration": "2022-05-16T17:43:43+00:00"
    },
    "SubjectFromWebIdentityToken": "{v3w4tw34-ae14-vtw3wbtw-96a9-bce3395a5394}:{v435234b5-12a2-4bd5-8863-v342b5423vg}",
    "AssumedRoleUser": {
        "AssumedRoleId": "XXXXXXXXXXX:build-session",
        "Arn": "arn:aws:sts::XXXXXXXX:assumed-role/MyRole/build-session"
    },
    "Provider": "arn:aws:iam::XXXXXXXXX:oidc-provider/api.bitbucket.org/2.0/workspaces/xxxxx/pipelines-config/identity/oidc",
    "Audience": "ari:cloud:bitbucket::workspace/vtbtw3t-295a-b56436363b-bv34654363246b"
}
aws sts get-caller-identity --no-cli-pager
An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid
But it's interesting that the same aws account works with my public free bitbucket account, and not with the paid bitbucket in my org.
Hello @kalib ,
Thank you for contacting Atlassian Community!
I've noticed you have opened an internal support ticket with us related to the same issue, but with the account where you have access to a Premium subscription.
I see that a support engineer is already working on that internal ticket, so in order to concentrate the discussion in just one place, I kindly ask you to continue working with our support engineering in the internal ticket.
If you have any question, please let me know!
Thank you, @kalib .
Kind regards,
Patrik S
What is the resolution for this? I am having a similar issue.
pipelines:
  default:
    - step:
        name: Connect to AWS using OIDC
        oidc: true
        script:
          - export AWS_REGION=$AWS_REGION
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - printenv BITBUCKET_STEP_OIDC_TOKEN
          - printenv AWS_REGION
          - printenv AWS_ROLE_ARN
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
PrintEnv Output:
printenv AWS_REGION
us-east-2
printenv AWS_ROLE_ARN
arn:aws:iam::1234567890:role/MyRole
printenv BITBUCKET_STEP_OIDC_TOKEN
<nothing here>
Error:
An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
However, when I use a pipe, everything works fine:
- pipe: atlassian/aws-s3-deploy:1.1.0
  variables:
    AWS_DEFAULT_REGION: $AWS_REGION # Optional if already defined in the context or OIDC used.
    AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN # Optional by default. Required for OpenID Connect (OIDC) authentication.
    S3_BUCKET: mygreat-bucket
    LOCAL_PATH: 'build'
    CACHE_CONTROL: 'max-age=86400'
What is the resolution? Below are the details of the problem I have, which is very much related. Reposting. Hopefully someone will help resolve it.
pipelines:
  default:
    - step:
        name: Connect to AWS using OIDC
        oidc: true
        script:
          - export AWS_REGION=$AWS_REGION
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - printenv BITBUCKET_STEP_OIDC_TOKEN
          - printenv AWS_REGION
          - printenv AWS_ROLE_ARN
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
printenv AWS_REGION
us-east-2
printenv AWS_ROLE_ARN
arn:aws:iam::1234567890:role/MyRole
printenv BITBUCKET_STEP_OIDC_TOKEN
<nothing here>
An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
- pipe: atlassian/aws-s3-deploy:1.1.0
  variables:
    AWS_DEFAULT_REGION: $AWS_REGION # Optional if already defined in the context or OIDC used.
    AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN # Optional by default. Required for OpenID Connect (OIDC) authentication.
    S3_BUCKET: mygreat-bucket
    LOCAL_PATH: 'build'
    CACHE_CONTROL: 'max-age=86400'
Is there a resolution to this problem? I just posted a question and it got deleted. Whoa.
Hi @deb, yes, the following code worked for me:
image: amazon/aws-cli
pipelines:
  default:
    - step:
        oidc: true
        script:
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager
The reason it was failing before is that I had some environment variables in my bitbucket workspace that I didn't know about, so I just had to change this script a little to unset those variables, like this:
image: amazon/aws-cli
pipelines:
  default:
    - step:
        oidc: true
        script:
          - unset AWS_SECRET_ACCESS_KEY
          - unset AWS_ACCESS_KEY_ID
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager
So, as you can see, I just had to unset the variables AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID.
Try that and see if it works for you.
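The two failure modes in this thread have the same root: the AWS CLI resolves credentials through a fixed provider chain, and the step script has to leave that chain something valid. Static AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY variables are consulted before AWS_WEB_IDENTITY_TOKEN_FILE, so a stale workspace variable wins and produces InvalidClientTokenId; and a manual `aws sts assume-role-with-web-identity` only prints credentials, so the next command has no session. The script below is an added example for this thread, not code from any of the posts or from Atlassian: a POSIX sh preflight that refuses to run with static credentials present, decodes the token's non-secret claims (iss, aud, exp) for diagnostics instead of echoing the token, writes the token file with owner-only permissions so the CLI assumes the role itself on every call, and, as an alternative, exports credentials parsed from `--output text`. The function names, the `example-ws` workspace, and the sample token are this example's own assumptions; the sample token carries a fake signature and is only there so the helpers can be exercised offline.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from Atlassian.
# Preflight and credential hand-off for a Bitbucket Pipelines step that reaches AWS
# through OIDC. Assumptions not stated on the page: the step has `oidc: true`, so
# BITBUCKET_STEP_OIDC_TOKEN is populated, and AWS_ROLE_ARN names a role whose trust
# policy accepts the workspace's OIDC provider. All function names are this example's own.

# 1. Refuse to continue while static credentials are in the environment. The AWS
#    CLI's provider chain reads AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY before it
#    consults AWS_WEB_IDENTITY_TOKEN_FILE, so a forgotten workspace variable wins
#    silently and surfaces as the InvalidClientTokenId seen in this thread.
oidc_preflight() {
  conflicts=""
  for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN; do
    eval "val=\"\${$v:-}\""
    [ -n "$val" ] && conflicts="$conflicts $v"
  done
  if [ -n "$conflicts" ]; then
    echo "preflight: static AWS credentials present:$conflicts (unset them or drop the workspace variables)" >&2
    return 1
  fi
  if [ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]; then
    echo "preflight: BITBUCKET_STEP_OIDC_TOKEN is empty; is 'oidc: true' set on this step?" >&2
    return 1
  fi
  return 0
}

# 2. Decode the token's non-secret claims for diagnostics instead of echoing the
#    token. The IAM identity provider URL must match `iss` and the trust policy's
#    audience condition must match `aud`; a mismatch is reported by STS as
#    AccessDenied on AssumeRoleWithWebIdentity. Nothing here verifies the
#    signature; that is STS's job.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in   # restore the base64 padding that base64url drops
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null
}

# jwt_claim TOKEN NAME prints a string or integer claim (enough for iss/aud/exp).
jwt_claim() {
  jwt_payload "$1" | sed -n \
    -e "s/.*\"$2\": *\"\([^\"]*\)\".*/\1/p" \
    -e "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p"
}

# 3. Give the token to the CLI through an owner-only file and let the CLI call
#    AssumeRoleWithWebIdentity itself on every command. A manual
#    `aws sts assume-role-with-web-identity` only prints credentials and stores
#    nothing, which is why the next command in the thread had no session.
write_token_file() {
  ( umask 077; printf '%s' "$BITBUCKET_STEP_OIDC_TOKEN" > "$1" )
  export AWS_WEB_IDENTITY_TOKEN_FILE="$1"
}

# 4. If you do call assume-role-with-web-identity yourself, pass it
#    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
#    and feed the resulting tab-separated line here so later commands see the session.
export_sts_credentials() {
  tab=$(printf '\t')
  IFS=$tab read -r key secret session <<EOF
$1
EOF
  if [ -z "$session" ]; then
    echo "could not parse STS credentials (expected three tab-separated fields)" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret" AWS_SESSION_TOKEN="$session"
}

# Constructed sample token (constructed claims, fake signature) so the helpers can
# be exercised offline.
b64url() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'; }
SAMPLE_TOKEN="$(b64url '{"alg":"RS256","typ":"JWT"}').$(b64url '{"iss":"https://api.bitbucket.org/2.0/workspaces/example-ws/pipelines-config/identity/oidc","aud":"ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000","exp":1652722000}').c2lnbmF0dXJl"

# Inside a real step (token present, CLI installed) run the full flow; otherwise
# just show the offline decode.
if [ -n "${BITBUCKET_STEP_OIDC_TOKEN:-}" ] && command -v aws >/dev/null 2>&1; then
  oidc_preflight || exit 1
  echo "token issuer:   $(jwt_claim "$BITBUCKET_STEP_OIDC_TOKEN" iss)"
  echo "token audience: $(jwt_claim "$BITBUCKET_STEP_OIDC_TOKEN" aud)"
  write_token_file "$(pwd)/web-identity-token"
  aws sts get-caller-identity --no-cli-pager
else
  echo "offline check, sample token audience: $(jwt_claim "$SAMPLE_TOKEN" aud)"
fi
```

In a step this replaces the `export`/`echo` lines of the scripts above: save it in the repository, `export AWS_REGION` and `AWS_ROLE_ARN` as before, then run `sh oidc-preflight.sh` (a file name of this example's choosing) so the step fails early and with a readable reason when a static key pair is still in the workspace or the token is empty, instead of failing later on `get-caller-identity`.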
Thank you @kalib
I did try the unset but it did not work for me. I will try this again. Maybe I will tear down the whole thing and retry.
By the way, it looks like your error is not related to bitbucket. It seems to be a permissions issue:
An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
That's the message you pasted here, so it looks like the role you're using on bitbucket does not have permissions to assume the role you want to assume.
Hello @Deb Mohan ,
I would like to ask if you could please create a new question for your issue, providing details on the errors you see. We generally encourage users to create a new question for their issue instead of posting on someone else’s question, because 1) the root cause and resolution may be different for each case 2) a question can become cluttered and difficult to follow if we try to troubleshoot multiple users’ issues in it. Please feel free to let me know if you have any questions.
Thank you, @Deb Mohan .
Kind regards,
Patrik S
Will do and will also add the information on the roles that I am using to give you an insight in the issue.