Terraform module to configure Bitbucket pipelines with AWS Identity Provider Open ID Connect (ODIC.) This allows Bitbucket pipelines to authenticate against AWS without using any long-lived keys. This module provisions the necessary role and permissions as defined in the Bitbucket docs.
This module allows you to create roles for lists of repos(subjects) and policies in the AWS account. Curently it only supports policies in the same account as the role being created. This is helpful for non-mono repo style groups as well as for large organizations where teams have separate repo ownership for the same AWS account.
The assume_role_names input allows you to assume the OIDC role and act as if you were the Bitbucket pipeline.
This is very useful for debugging while you're getting things setup.
Note: we recommend removing this once your production ready so that all further changes are only applied via the pipeline.
image: amazon/aws-cli
pipelines:
default:
- step:
name: 'test oidc'
oidc: true
script:
- export AWS_REGION=us-west-2
- export AWS_ROLE_ARN=arn:aws:iam::{accountid}:role/bucket-test
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
- aws sts get-caller-identity --query "Arn" --output textn be up to the max set in the terraform module, defaults to 15 min| Name | Version |
|---|---|
| aws | ~> 4.0 |
| tls | ~> 4.0.3 |
| Name | Version |
|---|---|
| aws | ~> 4.0 |
| tls | ~> 4.0.3 |
| Name | Source | Version |
|---|---|---|
| aws_oidc_bitbucket | ./modules/aws-roles-oidc-bitbucket | n/a |
| Name | Type |
|---|---|
| aws_iam_openid_connect_provider.bitbucket | resource |
| tls_certificate.bitbucket | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aud_value | Bitbucket Aud - ie. ari:cloud:bitbucket::workspace/{Workspace ID} | string |
n/a | yes |
| bitbucket_tls_url | Bitbucket URL to perform TLS verification against. - https://api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc | string |
n/a | yes |
| max_session_duration | Maximum session duration in seconds. - by default assume role will be 15 minutes - when calling from actions you'll need to increase up to the maximum allowed hwere | number |
3600 |
no |
| role_subject-repos_policies | role name to repos and policies mapping. role name as the key and object value for repo subjects ie "{REPOSITORY_UUID}[:{ENVIRONMENT_UUID}]:{STEP_UUID} or " as well as a list of policy arns ie ["Administrator"] and list of roles that can assume the new role for debugging | map(object({ |
n/a | yes |
| Name | Description |
|---|---|
| bitbucket_oidc_provider_arn | oidc provider arn to use for roles/policies |
| bitbucket_oidc_provider_url | oidc provider url to use for roles/policies |
| iam_role_arns | Roles that will be assumed by Bitbucket |