
I'm using Bitbucket as a source control service and I'm interested in starting to use its Pipelines capability to build and deploy my app. I'm using AWS CodeArtifact to host my Java artifacts.

The thing I'm struggling with is how to authenticate to AWS CodeArtifact from Bitbucket Pipelines.

How do I run

aws sso login --profile XXXX
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....

Is there a best practice to deal with this?

Shvalb

2 Answers

I think exporting the CODEARTIFACT_AUTH_TOKEN env var is quite fine. For the initial authentication to AWS, you probably want to take a look at Bitbucket's OIDC capabilities:

Essentially, you set up an identity provider in your AWS account that will let your pipelines assume a role by just declaring

 - step:
     name: My pipeline
     oidc: true
     ...

(also exporting an AWS_ROLE_ARN somewhere)

Identities and the assumed roles can be set up with granular clearance levels per repository, deployment stage, etc.

Setting up an OIDC identity provider can be cumbersome. You might be interested in giving https://registry.terraform.io/modules/calidae/bitbucket-oidc/aws/latest a look, even if you aren't using Terraform.

N1ngu
  • Thanks for your answer! I've done some more reading and understood that I need to access AWS programmatically by generating an `access key` and `secret access key` - this will allow me to get the credentials without calling `aws sso login --profile xxx` – Shvalb May 12 '22 at 16:13
  • Access and secret keys are the fallback option that is pointed out in any 5 min tutorial, but in a Bitbucket Pipelines context, I encourage you to pursue the OIDC way. No more secret management! Any AWS SDK will become magically authenticated in the presence of a valid `AWS_WEB_IDENTITY_TOKEN_FILE` variable (plus role-arn, region and whatnot). Stay away from applications requiring access+secret keys as the only working credential system. – N1ngu May 12 '22 at 22:19
  • Very well, thanks for the good advice. – Shvalb May 13 '22 at 02:15

I had the same issue and I created my own pipe. It may help you.

- step:
    oidc: true
    script:
      # use the pipe to authenticate on AWS CodeArtifact
      - pipe: rangel-tadeu/aws-codeartifact-deploy:0.0.1
        variables:
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/role_name"
          AWS_CODE_ARTIFACT_DOMAIN: $AWS_CODE_ARTIFACT_DOMAIN
          AWS_CODE_ARTIFACT_DOMAIN_OWNER: $AWS_CODE_ARTIFACT_DOMAIN_OWNER
    artifacts:
      - set_env.sh

- step:
    name: any-other-step
    script:
      - source set_env.sh
      ...

The set_env.sh will set the $CODEARTIFACT_AUTH_TOKEN you need in another step to run your deploy script.

Pipe repository: https://bitbucket.org/rangel-tadeu/aws-codeartifact-deploy/src/master/
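For readers who do not want to depend on a third-party pipe, here is the inline version of the flow both answers describe: the step's OIDC token is handed to the AWS CLI through the standard web-identity variables, the assumed role fetches a short-lived CodeArtifact token, and that token is written to a set_env.sh file for later steps (the same pattern the second answer's pipe uses). This is an added example, not code from either answer or from the pipe's repository. It assumes it runs in a Bitbucket Pipelines step declared with `oidc: true` (which is what populates `$BITBUCKET_STEP_OIDC_TOKEN`); the role ARN, domain, domain owner and region variable names are placeholders to be supplied as repository or deployment variables.

```shell
#!/usr/bin/env bash
# Added example: OIDC -> AssumeRoleWithWebIdentity -> CodeArtifact token,
# with no access key / secret access key anywhere in the pipeline.
set -euo pipefail

# 1. Hand the step's OIDC token to the CLI/SDK credential chain via the
#    standard web-identity variables. Owner-only permissions before the
#    token touches disk.
write_web_identity_token_file() {
  local token="$1" path="$2"
  (umask 077 && printf '%s\n' "$token" > "$path")
  export AWS_WEB_IDENTITY_TOKEN_FILE="$path"
}

# 2. Pin the role to assume and a session name that can be traced back to
#    the build in CloudTrail.
configure_role() {
  local role_arn="$1"
  local session_name="${2:-bitbucket-${BITBUCKET_BUILD_NUMBER:-local}}"
  export AWS_ROLE_ARN="$role_arn"
  export AWS_ROLE_SESSION_NAME="$session_name"
}

# 3. Exchange the assumed-role credentials for a CodeArtifact token.
#    900 s is the minimum --duration-seconds accepts; keep it as short as
#    the build allows, because the token is about to be stored as an artifact.
fetch_codeartifact_token() {
  local domain="$1" owner="$2" region="$3" duration="${4:-900}"
  aws codeartifact get-authorization-token \
    --domain "$domain" \
    --domain-owner "$owner" \
    --region "$region" \
    --duration-seconds "$duration" \
    --query authorizationToken \
    --output text
}

# 4. Persist the token for a later step to `source`, again owner-only.
#    Prints the path written so callers can reference it.
write_set_env() {
  local token="$1" path="${2:-set_env.sh}"
  (umask 077 && printf "export CODEARTIFACT_AUTH_TOKEN='%s'\n" "$token" > "$path")
  printf '%s\n' "$path"
}

main() {
  # Hypothetical variable names for the role and domain; set them as
  # repository/deployment variables in Bitbucket.
  : "${CODEARTIFACT_ROLE_ARN:?set to arn:aws:iam::<account-id>:role/<role-name>}"
  : "${AWS_CODE_ARTIFACT_DOMAIN:?}" "${AWS_CODE_ARTIFACT_DOMAIN_OWNER:?}" "${AWS_DEFAULT_REGION:?}"
  write_web_identity_token_file "$BITBUCKET_STEP_OIDC_TOKEN" "$PWD/web-identity-token"
  configure_role "$CODEARTIFACT_ROLE_ARN"
  local token
  token="$(fetch_codeartifact_token "$AWS_CODE_ARTIFACT_DOMAIN" \
                                    "$AWS_CODE_ARTIFACT_DOMAIN_OWNER" \
                                    "$AWS_DEFAULT_REGION")"
  write_set_env "$token" "$PWD/set_env.sh"
}

# Run the full flow only inside a pipeline step with oidc: true; when the
# token variable is absent the functions are merely defined (e.g. for tests).
if [ -n "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]; then
  main
fi
```

Two design notes. First, `set_env.sh` becomes a step artifact, so it is stored by Bitbucket and visible to anyone who can download artifacts; that is why the token duration is kept to the minimum and why a later step only needs to `source set_env.sh`. Second, the role's trust policy is where the "per repository, deployment stage" granularity the first answer mentions lives: Bitbucket documents the token's `aud` and `sub` claim formats, and a trust policy that conditions on both (rather than only on the provider) is what stops every repository in the workspace from assuming the same role.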