Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Using OpenID Connect to pull private images from ECR

Luiz Rocha
Luiz Rocha May 6, 2021

Pipeline fails when using OpenID Connect functionality to pull private images from ECR

  • OIDC role has access to ECR

image.pngimage.png

Answer
Watch
Like Be the first to like this
1823 views

3 answers

1 accepted

3 votes
Answer accepted
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 13, 2021

Can you share your IAM role's trust relationship definition? Access denied is usually returned by ECR when the conditions in trust relations are not met

View More Comments
Luiz Rocha
Luiz Rocha May 16, 2021 
{ "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::{AWS_ACCOUNT_NUMBER}:oidc-provider/api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc:sub": "*:*" } } }

Hi, above is the IAM role trust relationship definitions. This is the instructions I followed: https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/ 

Like
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 16, 2021

oh, it looks like we are referencing the wrong documentation from https://support.atlassian.com/bitbucket-cloud/docs/use-docker-images-as-build-environments/#Private-images-hosted-by-AWS-ECR--EC2-Container-Registry-

 

it should point to https://support.atlassian.com/bitbucket-cloud/docs/use-aws-ecr-images-in-pipelines-with-openid-connect/ where the relevant IAM role conditions actually allow pulling ECR images

Like Steffen Opel _Utoolity_ likes this
Luiz Rocha
Luiz Rocha May 16, 2021

Yes, but I shared the IAM role trust relationship. The IAM permissions already have the required permissions as the documentation as well. I added a wild card to check if there was any missed permissions however the issue still happening. 

 {
    "Sid": "",
    "Effect": "Allow",
    "Action": [
    "sts:Get*"
    ],
    "Resource": "*"
},
{
    "Sid": "",
    "Effect": "Allow",
    "Action": "ecr:*",
    "Resource": "*"
Like
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 17, 2021

ok,

just to be sure, you actually have the real account number in place of

{AWS_ACCOUNT_NUMBER}

and real workspace name in place of

{WORKSPACE}

?

what is the oidc url and audience you are using?

 

in our tests we have something along the lines of

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::99999999999999:oidc-provider/api.bitbucket.org/2.0/workspaces/XXXXXXXX/pipelines-config/identity/oidc"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"api.bitbucket.org/2.0/workspaces/XXXXXXXX/pipelines-config/identity/oidc:aud": "ari:cloud:bitbucket::workspace/fffffffff-ffff-ffff-fffff-ffffffff"
}
}
}
]
}

I suppose the StringLike + "*:* should work fine too. Maybe first try with something similar to what we have in the docs and start tweaking it step by step.

Like
Luiz Rocha
Luiz Rocha May 17, 2021

Thanks for your answers @mkleint . It seems that there is an issue when I add the condition to allow only requests from Bitbucket Pipelines IP range to assume the role because when I remove the IP conditions it works. How can I add both of the conditions without getting ECR denied? Here is the documentation I followed to add the Bitbucket IP range restriction https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/ 

{ "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::{AWS_ACCOUNT_NUMBER}:oidc-provider/api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringLike": { "api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc:sub": "{REPO_UUID}:*" }, "IpAddress": { "aws:SourceIp": [ "34.199.54.113/32", "34.232.25.90/32", "34.232.119.183/32", "34.236.25.177/32", "35.171.175.212/32", "52.54.90.98/32", "52.202.195.162/32", "52.203.14.55/32", "52.204.96.37/32", "34.218.156.209/32", "34.218.168.212/32", "52.41.219.63/32", "35.155.178.254/32", "35.160.177.10/32", "34.216.18.129/32" ] } } }
Like
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 17, 2021

Yeah, for ECR images, your IP ranges will be different from the general pipelines usecase. The ECR login dance is done outside of the kubernetes cluster in our services as we need to pass the correct login token to the kubernetes pod definition already. Please check https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/ (last section) on the IP ranges you need to add for the ECR usecase. It could be that you will need to keep both ranges in your definition as the access is split between the service and the kubernetes cluster.

Like Steffen Opel _Utoolity_ likes this
Luiz Rocha
Luiz Rocha May 17, 2021

Added ip range from the last section but still not working

 "104.192.136.0/21", "13.236.8.128/25", "13.52.5.0/25", "18.136.214.0/25", "18.184.99.128/25", "18.205.93.0/27", "18.234.32.128/25", "18.246.31.128/25", "185.166.140.0/22", "2401:1d80:3000::/36", "2406:da18:809:e00::/56", "2406:da1c:1e0:a200::/56", "2600:1f14:824:300::/56", "2600:1f18:2146:e300::/56", "2600:1f1c:cc5:2300::/56", "2a05:d014:f99:dd00::/56", "2a05:d018:34d:5800::/56", "34.199.54.113/32", "34.216.18.129/32", "34.218.156.209/32", "34.218.168.212/32", "34.232.119.183/32", "34.232.25.90/32", "34.236.25.177/32", "35.155.178.254/32", "35.160.177.10/32", "35.171.175.212/32", "52.202.195.162/32", "52.203.14.55/32", "52.204.96.37/32", "52.215.192.128/25", "52.41.219.63/32", "52.54.90.98/32"
Like
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 17, 2021

I suppose you will have to debug that from cloud trail. Not sure if what you pasted is the whole list but I meant this bit from the document (see screenshot)

Screen Shot 2021-05-18 at 2.54.31 pm.png

Like
Luiz Rocha
Luiz Rocha May 17, 2021

I got all IPs from the "Atlassian cloud IP ranges for AWS ECR" and added to the IP ranges for general pipeline use cases.

Like
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 18, 2021

I'm investigating this. it indeed looks like the source IP is not from the ranges declared.

Like Luiz Rocha likes this
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 24, 2021

@Luiz Rocha I've found the problem. Due to a coding mistake we were routing some calls via the public IPs (ecr login itself) but  some were omitted (sts assume role with web identity). I have a fix ready but due to unrelated circumstances can't deploy right now. Should be fixed by the edn of the week. I'll let ya know. Thanks for reporting the problem.

Like Steffen Opel _Utoolity_ likes this
Luiz Rocha
Luiz Rocha May 24, 2021

Good news! Thanks for you support @mkleint 

Like
mkleint
mkleint
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 25, 2021

The patch has been deployed and the following ip range definition worked for me. (as per documentation)

 "IpAddress": {
"aws:SourceIp": [
"34.199.54.113/32",
"34.232.25.90/32",
"34.232.119.183/32",
"34.236.25.177/32",
"35.171.175.212/32",
"52.54.90.98/32",
"52.202.195.162/32",
"52.203.14.55/32",
"52.204.96.37/32",
"34.218.156.209/32",
"34.218.168.212/32",
"52.41.219.63/32",
"35.155.178.254/32",
"35.160.177.10/32",
"34.216.18.129/32",
"52.41.219.63/32",
"34.216.18.129/32",
"13.236.8.128/25",
"18.246.31.128/25",
"34.236.25.177/32",
"185.166.140.0/22",
"34.199.54.113/32",
"35.155.178.254/32",
"52.204.96.37/32",
"35.160.177.10/32",
"52.203.14.55/32",
"18.184.99.128/25",
"52.215.192.128/25",
"104.192.136.0/21",
"18.205.93.0/27",
"35.171.175.212/32",
"18.136.214.0/25",
"52.202.195.162/32",
"13.52.5.0/25",
"34.218.168.212/32",
"18.234.32.128/25",
"34.218.156.209/32",
"52.54.90.98/32",
"34.232.119.183/32",
"34.232.25.90/32"
]
}
Like Steffen Opel _Utoolity_ likes this
Luiz Rocha
Luiz Rocha May 26, 2021

Yesss, it works now! Fantastic job and answers @mkleint. Thank you!

Like
Reply
0 votes
Fernando Lapa
Fernando Lapa
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 19, 2023

@mkleint please, can you update the documentation in this link with this information?

https://support.atlassian.com/bitbucket-cloud/docs/use-aws-ecr-images-in-pipelines-with-openid-connect/

Reply
0 votes
Halyna Berezovska
Halyna Berezovska
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
May 13, 2021

@Luiz Rocha thanks for raising the issue. If you have some related logs, please share that, it will help to discover root cause.

Cheers, Galyna

View More Comments
Luiz Rocha
Luiz Rocha May 16, 2021

image.png

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

    See all events