Bitbucket pipelines integrations with AWS CodeArtifact via OIDC

Oren Shvalb August 3, 2023

Hi guys,

I'm following this article to make Bitbucket Pipelines work with AWS CodeArtifact but am having trouble with it.

I've:

  1. Created an "Identity Provider" with the URL & Audience from Bitbucket's OIDC settings.
  2. Created an AWS role with AWSCodeArtifactAdminAccess permissions and associated it with the Identity Provider.
  3. Defined 2 Bitbucket repository variables: AWS_REGION & AWS_ROLE_ARN.
  4. Created a bitbucket-pipelines.yml file that looks like this:
```yaml
image:
  name: XXXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com/bitbucket-docker:1.0.0
  aws:
    oidc-role: arn:aws:iam::XXXXXXXXXX:role/bitbucket-pipelines   # role used to pull the build image from ECR
options:
  max-time: 30 # per-step timeout in minutes
pipelines:
  branches:
    develop:
      - step:
          oidc: true   # makes $BITBUCKET_STEP_OIDC_TOKEN available to the script
          script:
            - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
            - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
            - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXXXXX:role/bitbucket-pipelines --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
            - mvn verify deploy -e -DskipTests
```

When I run the pipeline I can see that I'm able to access the ECR Docker image, but I get a 401 authentication error when trying to deploy the Maven artifacts (jar file).

I'm under the impression that I don't need to call aws codeartifact get-authorization-token since I authenticate via OIDC.

Here are the logs from CloudTrail:

```json
{
  "eventSource": "codeartifact.amazonaws.com",
  "eventName": "PublishPackageVersion",
  "awsRegion": "us-east-2",
  "sourceIPAddress": "35.160.177.10",
  "userAgent": "Apache-Maven/3.6.3 (Java 11.0.9; Linux 5.10.101)",
  "errorCode": "AccessDenied",
  "errorMessage": "Unauthenticated: request did not include an Authorization header. Please provide your credentials."
}
```

Any idea what am I missing here?
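Steps 1 and 2 above create the identity provider and the role, but the post does not show the role's trust policy. Added here as an example (not from the thread) is a trust policy that lets only pipelines of one repository in one Bitbucket workspace assume the role, by pinning the `aud` claim to the workspace and the `sub` claim to the repository. The account id `XXXXXXXXXX` follows the post; `WORKSPACE`, `WORKSPACE_UUID` and `REPOSITORY_UUID` are placeholders to fill in from Bitbucket's OIDC settings. Without the `Condition` block, any pipeline in any workspace that knows the role ARN could assume it, and a role that only publishes packages needs far less than `AWSCodeArtifactAdminAccess`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/api.bitbucket.org/2.0/workspaces/WORKSPACE/pipelines-config/identity/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.bitbucket.org/2.0/workspaces/WORKSPACE/pipelines-config/identity/oidc:aud": "ari:cloud:bitbucket::workspace/WORKSPACE_UUID"
        },
        "StringLike": {
          "api.bitbucket.org/2.0/workspaces/WORKSPACE/pipelines-config/identity/oidc:sub": "{REPOSITORY_UUID}:*"
        }
      }
    }
  ]
}
```

The condition key is the provider URL without the `https://` scheme followed by `:aud` or `:sub`; the `sub` value Bitbucket issues starts with the repository UUID, braces included, so the `StringLike` pattern keeps the role usable by every step of that repository but no other.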

1 answer

0 votes
Saxea _Flowie_
August 3, 2023

I'm not familiar with AWS CodeArtifact, but I think you need the token for Maven... The OIDC is for AWS, not the repository, kind of how you still need a credential for DBs too.

Have you tried using the aws codeartifact get-authorization-token? Is it not working?

Oren Shvalb August 7, 2023

Yeah, you're right - I was missing a call to `codeartifact get-authorization-token`, so I've added a call in the script and exported a `CODEARTIFACT_AUTH_TOKEN` variable for Maven to pick up via the `settings.xml` file:

```xml
<server>
  <id>modules</id>
  <username>aws</username>
  <password>${env.CODEARTIFACT_AUTH_TOKEN}</password>
</server>
```

but still it doesn't work... any idea?

Oren Shvalb August 7, 2023

Another question,

In order to get temporary CodeArtifact credentials I call `aws sts assume-role-with-web-identity` with the ARN of the web-identity provider, but for the `--role-session-name` I input an arbitrary name - is that OK?
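Added as an example (not code from the thread or from Atlassian/AWS): one way to write the step script the two comments above describe. It exchanges the OIDC token for role credentials and exports them so the AWS CLI uses them, fetches the CodeArtifact authorization token that Maven actually sends, and checks the role session name before use. STS accepts a `RoleSessionName` of 2 to 64 characters from `[A-Za-z0-9_+=,.@-]`, so an arbitrary name is fine as long as it fits that pattern. The repository variables `CODEARTIFACT_DOMAIN` and `CODEARTIFACT_DOMAIN_OWNER`, the `settings.xml` path and the session-name scheme are assumptions; the two helper functions can be exercised offline with constructed input.

```sh
#!/bin/sh
# Added example for a Bitbucket step with `oidc: true`.
# Assumed repository variables: AWS_ROLE_ARN, CODEARTIFACT_DOMAIN, CODEARTIFACT_DOMAIN_OWNER.
# Assumed file: settings.xml in the repo root with the <server id="modules"> entry.

# STS RoleSessionName rule: 2-64 characters from [A-Za-z0-9_+=,.@-].
valid_session_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_+=,.@-]{2,64}$'
}

# Turn the single tab-separated line produced by
#   aws sts assume-role-with-web-identity ... \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# into the environment variables the AWS CLI and SDKs read. Returns 1 if a field is missing.
export_creds_line() {
  read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$1
EOF
  [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_SESSION_TOKEN" ] || return 1
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

publish_with_oidc() {
  # Assumed session-name scheme: tie the STS session to the build for CloudTrail.
  session="bitbucket-${BITBUCKET_REPO_SLUG}-${BITBUCKET_BUILD_NUMBER}"
  valid_session_name "$session" || { echo "invalid role session name: $session" >&2; return 1; }

  # 1. OIDC token -> short-lived role credentials.
  creds=$(aws sts assume-role-with-web-identity \
      --role-arn "$AWS_ROLE_ARN" \
      --role-session-name "$session" \
      --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" \
      --duration-seconds 1000 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
      --output text)
  export_creds_line "$creds"

  # 2. Role credentials -> CodeArtifact bearer token (this is what Maven sends).
  CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
      --domain "$CODEARTIFACT_DOMAIN" --domain-owner "$CODEARTIFACT_DOMAIN_OWNER" \
      --query authorizationToken --output text)
  export CODEARTIFACT_AUTH_TOKEN

  # 3. Maven reads ${env.CODEARTIFACT_AUTH_TOKEN} from the <server id="modules"> entry.
  mvn -s settings.xml -B verify deploy -DskipTests
}

# Only run the real step inside Bitbucket, where the OIDC token exists.
if [ -n "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]; then
  publish_with_oidc
fi
```

Maven only attaches the `<server>` credentials when that `<id>` (here `modules`) matches the repository `<id>` in the project's `distributionManagement`, and only reads the file passed with `-s` (or `~/.m2/settings.xml`); a mismatch in either leaves the upload without an Authorization header, which is the condition CloudTrail reported above.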
