Hi guys,
I'm following this article to make Bitbucket Pipelines work with AWS CodeArtifact but I'm having trouble with it.
I have `AWSCodeArtifactAdminAccess` permissions and associated it with the Identity Provider, `AWS_REGION` & `AWS_ROLE_ARN`, and a `bitbucket-pipelines.yml` file that looks like this:

```yaml
image:
  name: XXXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com/bitbucket-docker:1.0.0
  aws:
    oidc-role: arn:aws:iam::XXXXXXXXXX:role/bitbucket-pipelines
options:
  max-time: 30 # per-step timeout in minutes
pipelines:
  branches:
    develop:
      - step:
          oidc: true
          script:
            - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
            - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
            - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXXXXX:role/bitbucket-pipelines --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
            - mvn verify deploy -e -DskipTests
```
When I run the pipeline I can see that I'm able to access the ECR Docker image, but I get a 401 authentication error when trying to deploy the Maven artifacts (jar file).
I'm under the impression that I don't need to call `aws codeartifact get-authorization-token` since I authenticate via OIDC.
Here are the logs from CloudTrail:

```json
"eventSource": "codeartifact.amazonaws.com",
"eventName": "PublishPackageVersion",
"awsRegion": "us-east-2",
"sourceIPAddress": "35.160.177.10",
"userAgent": "Apache-Maven/3.6.3 (Java 11.0.9; Linux 5.10.101)",
"errorCode": "AccessDenied",
"errorMessage": "Unauthenticated: request did not include an Authorization header. Please provide your credentials.",
```

Any idea what I am missing here?
I'm not familiar with AWS CodeArtifact, but I think you need the token for Maven... The OIDC is for AWS, not the repository, kind of how you still need a credential for DBs too.
Have you tried using `aws codeartifact get-authorization-token`?
Is it not working?
Yeah, you're right - I was missing a call to `codeartifact get-authorization-token`, so I've added a call in the script and exported a `CODEARTIFACT_AUTH_TOKEN` variable for Maven to pick up via the `settings.xml` file.
Another question: in order to get temporary CodeArtifact credentials I call `aws sts assume-role-with-web-identity` with the ARN of the web-identity provider, but for the `--role-session-name` I input an arbitrary name - is that OK?
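Putting the two follow-up comments together (the missing `get-authorization-token` call, and the role session name), here is an added example of what the step script can look like. It is not the original poster's pipeline and not Atlassian or AWS code. The OIDC token is handed to the AWS CLI's own credential chain via `AWS_WEB_IDENTITY_TOKEN_FILE` / `AWS_ROLE_ARN`, a separate CodeArtifact token is then fetched for Maven, and the step refuses to run Maven with an empty token, which is exactly the "request did not include an Authorization header" condition seen in CloudTrail. The domain name `my-domain`, the account id `123456789012`, the server id `codeartifact` and the `run` argument guard are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not the original poster's pipeline): a Bitbucket Pipelines step
# that uses the OIDC token for AWS and additionally fetches a CodeArtifact
# authorization token for Maven.
set -eu

CA_DOMAIN="${CA_DOMAIN:-my-domain}"                  # assumption: CodeArtifact domain
CA_DOMAIN_OWNER="${CA_DOMAIN_OWNER:-123456789012}"   # assumption: owning account id
CA_SERVER_ID="codeartifact"                          # must match <id> in settings.xml

# 1. Hand the OIDC token to the AWS SDK credential chain. With these variables
#    set, every `aws` call assumes the role itself; no manual sts call is needed.
#    The session name is arbitrary but is what CloudTrail records for the call,
#    so a build-specific name makes audit trails easier to read.
setup_web_identity() {
  : "${AWS_ROLE_ARN:?set AWS_ROLE_ARN as a repository variable}"
  token_file="$(pwd)/web-identity-token"
  printf '%s' "$BITBUCKET_STEP_OIDC_TOKEN" > "$token_file"
  chmod 600 "$token_file"
  export AWS_WEB_IDENTITY_TOKEN_FILE="$token_file"
  export AWS_ROLE_ARN
  export AWS_ROLE_SESSION_NAME="${AWS_ROLE_SESSION_NAME:-bitbucket-${BITBUCKET_BUILD_NUMBER:-local}}"
}

# 2. Fetch the repository credential Maven needs; this is distinct from the AWS
#    credentials obtained through OIDC.
fetch_codeartifact_token() {
  aws codeartifact get-authorization-token \
    --domain "$CA_DOMAIN" --domain-owner "$CA_DOMAIN_OWNER" \
    --query authorizationToken --output text
}

# 3. Refuse to continue with an empty token (the CLI prints "None" for a missing
#    field in text output). Maven would otherwise send no Authorization header.
require_token() {
  if [ -z "${1:-}" ] || [ "$1" = "None" ]; then
    echo "empty CodeArtifact token; refusing to run Maven" >&2
    return 1
  fi
  return 0
}

# 4. Write a minimal settings.xml: the username is the literal "aws" and the
#    password is read from the environment at run time, so the token itself
#    never lands on disk.
write_settings_xml() {
  cat > "$1" <<EOF
<settings>
  <servers>
    <server>
      <id>${CA_SERVER_ID}</id>
      <username>aws</username>
      <password>\${env.CODEARTIFACT_AUTH_TOKEN}</password>
    </server>
  </servers>
</settings>
EOF
}

main() {
  setup_web_identity
  CODEARTIFACT_AUTH_TOKEN="$(fetch_codeartifact_token)"
  require_token "$CODEARTIFACT_AUTH_TOKEN"
  export CODEARTIFACT_AUTH_TOKEN
  mkdir -p "$HOME/.m2"
  write_settings_xml "$HOME/.m2/settings.xml"
  mvn -s "$HOME/.m2/settings.xml" verify deploy -e -DskipTests
}

# Only run the full step when invoked as `sh step.sh run`, so the functions can
# be sourced and exercised without the aws CLI present.
if [ "${1:-}" = "run" ]; then
  main "$@"
fi
```

In the pipeline the `script:` list would call this file with `run`; the `<server>` id in `settings.xml` must match the `<repository>`/`<distributionManagement>` id in the project's `pom.xml` for Maven to attach the token.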