Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

OIDC Pipelines do not working (Not authorized to perform sts:AssumeRoleWithWebIdentity)

Marco Tanaka
Marco Tanaka July 1, 2022

Pipelines deployment is failing when trying to connect to AWS through OIDC.

I assume it's not a permission issue, as even adding AdministratorAccess Policy to the OIDC Role, the authentication does not work.

 

WARNING: Refreshing temporary credentials failed during mandatory refresh period.
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/botocore/credentials.py", line 529, in _protected_refresh
metadata = self._refresh_using()
File "/usr/local/lib/python3.9/site-packages/botocore/credentials.py", line 670, in fetch_credentials
return self._get_cached_credentials()
File "/usr/local/lib/python3.9/site-packages/botocore/credentials.py", line 680, in _get_cached_credentials
response = self._get_credentials()
File "/usr/local/lib/python3.9/site-packages/botocore/credentials.py", line 890, in _get_credentials
return client.assume_role_with_web_identity(**kwargs)
File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 386, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 705, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity
Answer
Watch
Like Be the first to like this
2240 views

2 answers

1 vote
Marco Tanaka
Marco Tanaka July 7, 2022

The problem was that I had a conditional policy in my OIDC Role Trus Relationship that allowed a specific range of IPs from Bitbucket.

I took those IPs from this documentation: https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/


I don't know why Bitbucket Pipelines was using another IP to connect to my AWS OIDC.

 

So now, I merged another IP list from this documentation: https://support.atlassian.com/organization-administration/docs/ip-addresses-and-domains-for-atlassian-cloud-products/#Outgoing-Connections

 

And now it's working again.

View More Comments
Oleksandr Kyrdan
Oleksandr Kyrdan
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 12, 2022

@Marco Tanaka 

Thanks for knowledge sharing and contributing to the community!

Like
Reply
0 votes
Oleksandr Kyrdan
Oleksandr Kyrdan
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 7, 2022

Hi @Marco Tanaka

Thank you for your question!

Make sure that you setup properly OIDC access on AWS according to the Deploy on AWS using Bitbucket Pipelines OpenID Connect guide.

 

Best regards,
Oleksandr

Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
DEPLOYMENT TYPE
CLOUD
PERMISSIONS LEVEL
Site Admin
TAGS
AUG Leaders

Atlassian Community Events

    See all events