
Removed AWS_ACCESS_KEY_ID yet it still builds

rraboy June 19, 2021

Hi, I'm trying to figure out why my build uses a different AWS_ACCESS_KEY_ID.

 

Here are the things I've tried so far

  • I've created an AWS user for Bitbucket Pipelines and set AWS_ACCESS_KEY_ID (whenever I refer to this, it also includes the secret var) in the repo's Repository Variables
  • At the beginning of the pipeline, I print the identity awscli is using with `aws sts get-caller-identity`. I got a completely different identity!
  • So I removed AWS_ACCESS_KEY_ID from the Repository Variables. Same thing, still getting the wrong identity.
  • I checked the workspace variables, AWS_ACCESS_KEY_ID is not set there.
  • I checked my repo for all AWS related variables/script/configurations/passwords/etc but nothing. I don't commit keys in the repo.

 

So where else could variable AWS_ACCESS_KEY_ID be set? Am I missing something here?

 

Here is a snippet of my pipeline:


```yaml
pipelines:
  default:
    - step:
        name: Build & Deploy
        image: node:14
        caches:
          - node
        script:
          - //do build
        artifacts:
          - dist/**
    - step:
        name: Deploy to S3
        image: amazon/aws-cli
        deployment: production
        script:
          - aws sts get-caller-identity
          - ls -ltR dist/
          - aws s3 sync ... --acl=public-read
          - aws cloudfront create-invalidation ...
```

1 answer

2 votes
Theodora Boudale
Atlassian Team
June 22, 2021

Hi @rraboy ,

I can see that the step where you use the "aws sts get-caller-identity" command is a deployment step.

It is possible that there is a deployment variable with the name AWS_ACCESS_KEY_ID for the environment 'production', which would explain the behavior you are seeing. If the same name is used for repository, workspace, and deployment variables, the order of overrides is Deployment > Repository > Account > Default variables.

If you navigate to this repo in Bitbucket UI, select Repository settings > then select the option Deployments (it is right above the Repository variables option) > expand the environment named 'production', can you see any variable named AWS_ACCESS_KEY_ID for that environment?

Kind regards,
Theodora
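
A guard that could run at the top of the deployment step to catch the variable shadowing described in the answer above: it logs which key ID is in effect without printing it in full, and stops the step when the caller is not the expected IAM user. This is an added example, not part of the original thread; `EXPECTED_ARN` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: identity guard for a deployment step.
# EXPECTED_ARN is a hypothetical variable holding the ARN of the IAM user
# that was created for the pipeline.

# Mask an access key ID except for its last four characters, so the build
# log shows which key is in effect without exposing the whole value.
mask_key_id() {
    key="$1"
    if [ -z "$key" ]; then
        echo "(unset)"
        return 0
    fi
    if [ "${#key}" -le 4 ]; then
        echo "****"
        return 0
    fi
    suffix=$(printf '%s' "$key" | tail -c 4)
    echo "****************${suffix}"
}

# Return 0 only when the ARN reported by STS equals the expected ARN.
# Return 1 on a mismatch and 2 when either value is missing.
check_identity() {
    expected="$1"
    actual="$2"
    if [ -z "$expected" ] || [ -z "$actual" ]; then
        echo "identity check: missing expected or actual ARN" >&2
        return 2
    fi
    if [ "$expected" != "$actual" ]; then
        echo "identity check: running as $actual, expected $expected" >&2
        return 1
    fi
    echo "identity check: OK ($actual)"
}

# Entry point: call this as the first script line of the deployment step.
guard_deployment() {
    echo "AWS_ACCESS_KEY_ID in effect: $(mask_key_id "${AWS_ACCESS_KEY_ID:-}")"
    echo "Deployment environment: ${BITBUCKET_DEPLOYMENT_ENVIRONMENT:-(none)}"
    actual_arn=$(aws sts get-caller-identity --query Arn --output text) || return 3
    check_identity "${EXPECTED_ARN:-}" "$actual_arn"
}
```

Because a deployment variable overrides a repository variable of the same name, comparing the masked suffix in the log with the key issued to the pipeline user shows at a glance whether another scope is supplying the credentials.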
