Bitbucket pipelines cloud not able to assume a role on AWS with oidc


I created a role and a web identity on aws following the steps here: https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/

I have my bitbucket pipelines working fine with a role and identity provider against aws if I use my public/free bitbucket account.

But the same doesn't work with my cloud/corporate bitbucket.

The code in the pipelines that I am using is:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager

I get:

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.

I am not sure why it would work from my public free bitbucket account, but not from my corporate account. Is there any difference between those?

Of course, debugging it is extremely hard, since Bitbucket Pipelines does not let us echo any of those variables to see if the values are actually correct... :/

Another interesting thing is that, if I use simply this, it works:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000

But it looks like the authentication/session is gone when I try to run a second command, like:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
          - aws sts get-caller-identity --no-cli-pager

Which results in:

+ aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXX:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
{
    "Credentials": {
        "AccessKeyId": "XXXXXXXXXXXXX",
        "SecretAccessKey": "XXXX/ubniuhsaiodyhaeiyuer",
        "SessionToken": "XXXXXXXXXXXXX",
        "Expiration": "2022-05-16T17:43:43+00:00"
    },
    "SubjectFromWebIdentityToken": "{v3w4tw34-ae14-vtw3wbtw-96a9-bce3395a5394}:{v435234b5-12a2-4bd5-8863-v342b5423vg}",
    "AssumedRoleUser": {
        "AssumedRoleId": "XXXXXXXXXXX:build-session",
        "Arn": "arn:aws:sts::XXXXXXXX:assumed-role/MyRole/build-session"
    },
    "Provider": "arn:aws:iam::XXXXXXXXX:oidc-provider/api.bitbucket.org/2.0/workspaces/xxxxx/pipelines-config/identity/oidc",
    "Audience": "ari:cloud:bitbucket::workspace/vtbtw3t-295a-b56436363b-bv34654363246b"
}

aws sts get-caller-identity --no-cli-pager

An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid

But it's interesting that the same aws account works with my public free bitbucket account, and not with the paid bitbucket in my org.

Patrik S Atlassian Team May 17, 2022

Hello @kalib ,

Thank you for contacting Atlassian Community!

I've noticed you have opened an internal support ticket with us related to the same issue, but with the account where you have access to a Premium subscription.

I see that a support engineer is already working on that internal ticket, so in order to concentrate the discussion in just one place, I kindly ask you to continue working with our support engineering in the internal ticket.

If you have any question, please let me know!

Thank you, @kalib .

Kind regards,

Patrik S

What is the resolution for this? I am having a similar issue.

pipelines:
  default:
    - step:
        name: Connect to AWS using OIDC
        oidc: true
        script:
          - export AWS_REGION=$AWS_REGION
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - printenv BITBUCKET_STEP_OIDC_TOKEN
          - printenv AWS_REGION
          - printenv AWS_ROLE_ARN
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000

printenv output:

printenv AWS_REGION
us-east-2

printenv AWS_ROLE_ARN
arn:aws:iam::1234567890:role/MyRole

printenv BITBUCKET_STEP_OIDC_TOKEN
<nothing here>

Error:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

However, when I use a pipe, everything works fine:

- pipe: atlassian/aws-s3-deploy:1.1.0
  variables:
    AWS_DEFAULT_REGION: $AWS_REGION # Optional if already defined in the context or OIDC used.
    AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN # Optional by default. Required for OpenID Connect (OIDC) authentication.
    S3_BUCKET: mygreat-bucket
    LOCAL_PATH: 'build'
    CACHE_CONTROL: 'max-age=86400'

What the resolution is, along with the details of the problem I have, which is very much related. Reposting. Hopefully someone can help resolve this.

Is there a resolution to this problem? I just posted a question and it got deleted. Whoa.

Hi @deb, yes, the following code worked for me:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager

The reason it was failing before is that I had some environment variables in my Bitbucket workspace that I didn't know about, so I just had to change this script a little to unset those variables, like this:

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - unset AWS_SECRET_ACCESS_KEY
          - unset AWS_ACCESS_KEY_ID
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws sts get-caller-identity --no-cli-pager

So, as you can see, I just had to unset the variables AWS_SECRET_ACCESS_KEY and AWS_ACCESS_KEY_ID.

Try that and see if it works for you.
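Why clearing AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY fixed it: the AWS CLI tries credential sources in a fixed order, and static keys found in the environment are used before the web-identity settings (AWS_ROLE_ARN plus AWS_WEB_IDENTITY_TOKEN_FILE), so workspace variables carrying stale or invalid keys silently shadow the OIDC token and produce exactly the InvalidClientTokenId error from the question. An AccessDenied on AssumeRoleWithWebIdentity itself, as in the post above this answer, is a different failure: STS has read the token and IAM has refused it, typically because the role's trust policy does not accept the token's issuer, audience or subject (the Provider and Audience values in the output quoted in the question are what the trust policy must match). The script below is an added example, not code from the thread or from Atlassian or AWS; it models the precedence rule, prepares the step environment safely, and refuses to continue when the token is empty, which is what the printenv output in the post above showed. Function names and sample values are chosen for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Atlassian/AWS): prepare a
# Bitbucket Pipelines step to use AssumeRoleWithWebIdentity without static
# keys getting in the way.

# Model of the two credential sources that matter here, in the precedence
# order the AWS CLI applies: static keys in the environment win over the
# web-identity token file. Prints one of: static-env-keys | web-identity | none
aws_cli_credential_source() {
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "static-env-keys"
    elif [ -n "${AWS_ROLE_ARN:-}" ] && [ -s "${AWS_WEB_IDENTITY_TOKEN_FILE:-/nonexistent}" ]; then
        echo "web-identity"
    else
        echo "none"
    fi
}

# Prepare the current shell for web-identity authentication.
#   $1 role ARN   $2 OIDC token (e.g. "$BITBUCKET_STEP_OIDC_TOKEN")   $3 token file path
# - refuses an empty token instead of sending an unusable request to STS
# - clears static keys so they cannot shadow the token
# - writes the token with owner-only permissions: it is a bearer credential
#   until it expires, and the build directory may be archived as an artifact
# - confirms that the CLI would now pick the web-identity source
prepare_oidc_env() {
    role_arn=$1; token=$2; token_file=$3
    if [ -z "$token" ]; then
        echo "OIDC token is empty: is 'oidc: true' set on this step?" >&2
        return 1
    fi
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
    ( umask 077 && rm -f "$token_file" && printf '%s' "$token" > "$token_file" ) || return 1
    export AWS_ROLE_ARN="$role_arn"
    export AWS_WEB_IDENTITY_TOKEN_FILE="$token_file"
    [ "$(aws_cli_credential_source)" = "web-identity" ]
}
```

With this file committed as oidc-env.sh, the step script becomes `. ./oidc-env.sh`, then `prepare_oidc_env arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo "$BITBUCKET_STEP_OIDC_TOKEN" "$PWD/web-identity-token"`, then `aws sts get-caller-identity --no-cli-pager`; the step fails early, with a readable message, if the token is missing or if something is still overriding it. The unset must happen in the same shell that later runs `aws`, which is why the functions are sourced rather than executed.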

Thank you @kalib

I did try the unset but it did not work for me. I will try this again. Maybe I will tear down the whole thing and retry.

By the way, it looks like your error is not related to bitbucket. It seems to be a permissions issue:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

That's the message you pasted here, so it looks like the role you're using on bitbucket does not have permissions to assume the role you want to assume.

Patrik S Atlassian Team May 30, 2022

Hello @Deb Mohan ,

I would like to ask if you could please create a new question for your issue, providing details on the errors you see. We generally encourage users to create a new question for their issue instead of posting on someone else’s question, because 1) the root cause and resolution may be different for each case 2) a question can become cluttered and difficult to follow if we try to troubleshoot multiple users’ issues in it. Please feel free to let me know if you have any questions.

Thank you, @Deb Mohan .

Kind regards,

Patrik S


Will do and will also add the information on the roles that I am using to give you an insight in the issue.
