
How do I use AWS Lambda Deploy with OIDC to create an alias?

François Collins July 12, 2023 edited

I have a pipeline step that already successfully updates a lambda. However, I just tried the example where we subsequently get the version number and assign an alias to it in the same step. The second pipe call fails with:

Traceback (most recent call last):
  File "/pipe.py", line 341, in <module>
    pipe.run()
  File "/pipe.py", line 304, in run
    self.check_lamda_state_and_status()
  File "/pipe.py", line 257, in check_lamda_state_and_status
    response = self.client.get_function(
  File "/usr/local/lib/python3.10/site-packages/botocore/client.py", line 530, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.10/site-packages/botocore/client.py", line 943, in _make_api_call
    http, parsed_response = self._make_request(
  File "/usr/local/lib/python3.10/site-packages/botocore/client.py", line 966, in _make_request
    return self._endpoint.make_request(operation_model, request_dict)
  File "/usr/local/lib/python3.10/site-packages/botocore/endpoint.py", line 119, in make_request
    return self._send_request(request_dict, operation_model)
  File "/usr/local/lib/python3.10/site-packages/botocore/endpoint.py", line 198, in _send_request
    request = self.create_request(request_dict, operation_model)
  File "/usr/local/lib/python3.10/site-packages/botocore/endpoint.py", line 134, in create_request
    self._event_emitter.emit(
  File "/usr/local/lib/python3.10/site-packages/botocore/hooks.py", line 412, in emit
    return self._emitter.emit(aliased_event_name, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/botocore/hooks.py", line 256, in emit
    return self._emit(event_name, kwargs)
  File "/usr/local/lib/python3.10/site-packages/botocore/hooks.py", line 239, in _emit
    response = handler(**kwargs)
  File "/usr/local/lib/python3.10/site-packages/botocore/signers.py", line 105, in handler
    return self.sign(operation_name, request)
  File "/usr/local/lib/python3.10/site-packages/botocore/signers.py", line 189, in sign
    auth.add_auth(request)
  File "/usr/local/lib/python3.10/site-packages/botocore/auth.py", line 418, in add_auth
    raise NoCredentialsError()
botocore.exceptions.NoCredentialsError: Unable to locate credentials

I notice that even though I specified an OIDC role in the second call as well, the variable dump does not contain --env=AWS_OIDC_ROLE_ARN="${OIDC_LAMBDA_ROLE}", only for the first one.

I am using atlassian/aws-lambda-deploy:1.8.2.

 

- step: &deploy-lambda
        name: Deploy Lambda to AWS
        image: atlassian/default-image:4
        oidc: true
        script:
          - source lambda.sh
          - export LOWER_NAME=$(echo "${FN_NAME}" | tr '[:upper:]' '[:lower:]')
          - |
            export LAMBDA_ALIAS='dev'
            if [[ "$BITBUCKET_BRANCH" == release* ]]; then
              export LAMBDA_ALIAS='QA'
            elif [[ "$BITBUCKET_BRANCH" = "master" ]]; then
              export LAMBDA_ALIAS='prod'
            fi
          - pipe: atlassian/aws-lambda-deploy:1.8.2
            variables:
              AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
              AWS_OIDC_ROLE_ARN: '${OIDC_LAMBDA_ROLE}'
              FUNCTION_NAME: 'nonprod-hcms-${LOWER_NAME}-workflow-processor'
              COMMAND: 'update'
              ZIP_FILE: 'HCMS.Lambda.${FN_NAME}Workflow.zip'
              WAIT: 'true'
              #DEBUG: 'true'
         
          # Read results from the update pipe into environment variables
          - BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes"
          - VERSION=$(jq  --raw-output '.Version' $BITBUCKET_PIPE_SHARED_STORAGE_DIR/aws-lambda-deploy-env)
         
          # Point an alias to the new lambda version
          - pipe: atlassian/aws-lambda-deploy:1.8.2
            variables:
              AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
              AWS_OIDC_ROLE_ARN: '${OIDC_LAMBDA_ROLE}'
              FUNCTION_NAME: 'nonprod-hcms-${LOWER_NAME}-workflow-processor'
              COMMAND: 'alias'
              ALIAS: '${LAMBDA_ALIAS}'
              VERSION: '${VERSION}'
          # Must delete temp dir otherwise subsequent pipe will crash
          - rm -rf  $BITBUCKET_PIPE_SHARED_STORAGE_DIR

 

2 answers

1 accepted

0 votes
Answer accepted
Igor Stoyanov
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
September 29, 2023 edited

@François Collins Hi. I could not reproduce your issue.
I used the following setup for your case:

image: atlassian/default-image:4

test: &test
  step:
    oidc: true
    script:
      # Update lambda code and publish a new version
      - pipe: atlassian/aws-lambda-deploy:1.10.0
        variables:
          AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          FUNCTION_NAME: 'pipe-test'
          COMMAND: 'update'
          ZIP_FILE: 'lambda.zip'
          WAIT: 'true'

      - BITBUCKET_PIPE_SHARED_STORAGE_DIR="/opt/atlassian/pipelines/agent/build/.bitbucket/pipelines/generated/pipeline/pipes"
      - VERSION=$(jq  --raw-output '.Version' $BITBUCKET_PIPE_SHARED_STORAGE_DIR/aws-lambda-deploy-env)

      # Point an alias to the new lambda version
      - pipe: atlassian/aws-lambda-deploy:1.10.0
        variables:
          AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          FUNCTION_NAME: 'pipe-test'
          COMMAND: 'alias'
          ALIAS: 'production'
          VERSION: '${VERSION}'
          DEBUG: 'true'


pipelines:
  default:
  - <<: *test
  branches:
    master:
    - <<: *test

And the pipe finished successfully.

I set up $AWS_OIDC_ROLE_ARN as a repository variable.



Regards, Igor

François Collins September 29, 2023

Indeed, I tried again with 1.10.0 instead of 1.8.2 and it passed.
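
A pre-flight check for the step script, added here as an example; it is not part of the thread above or of the pipe's own code. Run between the update and alias pipes, it confirms that the role ARN and the step's OIDC token are present and that the version read from the shared file is a published version number. BITBUCKET_STEP_OIDC_TOKEN is the token Bitbucket Pipelines sets when the step has oidc: true; the function names are hypothetical.

```shell
# Added example (POSIX sh): guard to call between the 'update' and 'alias' pipes.
# OIDC_LAMBDA_ROLE and VERSION are the variable names used in the question.

# Return 0 if $1 looks like an IAM role ARN; an empty or unexpanded value fails.
is_role_arn() {
  case "$1" in *[[:space:]]*) return 1 ;; esac   # reject whitespace and newlines
  printf '%s\n' "$1" | grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$'
}

# Return 0 if $1 is a published Lambda version number.
# jq --raw-output prints the string "null" when .Version is missing, so that
# value, an empty string and "$LATEST" are all rejected here.
is_published_version() {
  case "$1" in
    ''|*[!0-9]*|0*) return 1 ;;
  esac
  return 0
}

# preflight_alias ROLE_ARN OIDC_TOKEN VERSION
# Reports each problem on stderr and returns the number of problems found.
# The token is only tested for presence and is never printed.
preflight_alias() {
  pf_problems=0
  if ! is_role_arn "$1"; then
    echo "preflight: role ARN is empty or malformed" >&2
    pf_problems=$((pf_problems + 1))
  fi
  if [ -z "$2" ]; then
    echo "preflight: no OIDC token in the step environment (is oidc: true set?)" >&2
    pf_problems=$((pf_problems + 1))
  fi
  if ! is_published_version "$3"; then
    echo "preflight: version '$3' is not a published version number" >&2
    pf_problems=$((pf_problems + 1))
  fi
  return "$pf_problems"
}

# In the step script, after VERSION has been read with jq as in the question:
#   preflight_alias "$OIDC_LAMBDA_ROLE" "$BITBUCKET_STEP_OIDC_TOKEN" "$VERSION" || exit 1
```
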

0 votes
Igor Stoyanov
Atlassian Team
July 13, 2023

@François Collins Thanks for your question. We will investigate your case.

Regards, Igor.
