Bitbucket Pipelines Variables and OIDC seem to not work together

Alin Turbut March 5, 2025

I am having an issue where if I use variables on a step that is also using oidc: true, the OIDC part is not available.

I am getting the following error: 

An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: No OpenIDConnect provider found in your account for https://api.bitbucket.org/2.0/workspaces/WORKSPACE/pipelines-config/identity/oidc

Any known fix for this?

2 answers

1 accepted

0 votes
Answer accepted
Alin Turbut March 10, 2025

Found out the real issue.

Basically, one of my variables was AWS_PROFILE, and even though it was the correct one, I think it has some conflict with the awscli, in the sense that it misconfigures it for OpenID Connect.

0 votes
Phil C
Atlassian Team
March 6, 2025

Hi Alin,

Welcome to the community!

The "InvalidIdentityToken" error occurs when there is a mismatch in the audience claim within the identity token used during deployment. The audience claim indicates who the token is intended for and must correspond with the client ID issued by your application's identity provider. If the audience claim in the identity token does not match the expected client ID for the IAM role in AWS, the AssumeRoleWithWebIdentity operation will fail, generating an "Incorrect token audience" error message.

The following steps should help address the issue:

  1. Check the audience displayed as the identity provider in OpenID Connect on Bitbucket.
  2. Verify that the audience value matches your app's client ID from the identity provider.
  3. If the audience value is incorrect, update it by copying the correct OpenID Connect value from Bitbucket into the audience field.

Reference - Troubleshooting pipeline build failing with "An error occurred (InvalidIdentityToken) when calling the AssumeRoleWithWebIdentity operation: Incorrect token audience"

I hope this helps.

- Phil

Alin Turbut March 10, 2025

Phil,

Thanks a lot for getting back.

Wouldn't this also reproduce for the same pipeline (same code) but without using variables? Which is not the case, I can definitely run the pipeline without variables.

In any case, I have double checked the audience and everything seems correct. Again, I can run the pipeline, but without variables and "hard-coding" the values from the variables.
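The script below is an added example for this thread, not code from the original posts, from Atlassian or from AWS. It combines the two findings above: it inspects the `iss` and `aud` claims of the step's OIDC token before anything is sent to STS, which is the check behind steps 1 and 2 of Phil's answer (the `iss` URL is the one the IAM identity provider must be created with, as the error in the question shows, and the `aud` must be in that provider's client ID list), and it removes any `AWS_PROFILE` from the step's environment before exporting the web-identity settings, which is the conflict the accepted answer found. Whatever the exact credential resolution order of a given CLI version, a step that exchanges the OIDC token should not carry a profile name at all: a profile routes credential resolution through `~/.aws/config` and can point at a different role or account than the one the token is meant for. The token, workspace UUID, role ARN and file paths are constructed placeholders; in a real step the token is `$BITBUCKET_STEP_OIDC_TOKEN`, which Bitbucket populates when the step sets `oidc: true`.

```shell
#!/usr/bin/env bash
# Added example: inspect the Bitbucket OIDC token and prepare the AWS CLI
# environment for AssumeRoleWithWebIdentity without an AWS_PROFILE in the way.
# Not code from the thread; every identifier below is a placeholder.
set -euo pipefail

b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }

b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  while [ $(( ${#s} % 4 )) -ne 0 ]; do s="${s}="; done
  printf '%s' "$s" | base64 -d
}

# Print a string-valued claim from a JWT payload. No signature check here:
# STS verifies the token; this only shows what we are about to present to AWS.
jwt_claim() {
  local payload
  payload=$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")
  printf '%s\n' "$payload" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'
}

# Return 0 when claim $2 of token $1 equals $3.
claim_equals() { [ "$(jwt_claim "$1" "$2")" = "$3" ]; }

# Export the variables the AWS CLI uses for web identity. AWS_PROFILE is
# removed first: a profile routes credential resolution through ~/.aws/config
# and can point at a different role or account than the token is meant for.
prepare_web_identity_env() {
  local token="$1" role_arn="$2" token_file="$3"
  if [ -n "${AWS_PROFILE:-}" ]; then
    echo "removing AWS_PROFILE=$AWS_PROFILE from this step's environment" >&2
    unset AWS_PROFILE
  fi
  ( umask 077; printf '%s' "$token" > "$token_file" )   # bearer token: owner-only file
  export AWS_WEB_IDENTITY_TOKEN_FILE="$token_file"
  export AWS_ROLE_ARN="$role_arn"
  export AWS_ROLE_SESSION_NAME="${AWS_ROLE_SESSION_NAME:-bitbucket-pipeline}"
}

# --- constructed inputs (placeholders, not real Bitbucket or AWS values) ---
EXPECTED_ISSUER='https://api.bitbucket.org/2.0/workspaces/WORKSPACE/pipelines-config/identity/oidc'
EXPECTED_AUDIENCE='ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000'
ROLE_ARN='arn:aws:iam::123456789012:role/bitbucket-deploy'
# In a real step this would be "$BITBUCKET_STEP_OIDC_TOKEN" from `oidc: true`.
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "{\"iss\":\"$EXPECTED_ISSUER\",\"aud\":\"$EXPECTED_AUDIENCE\",\"sub\":\"{repo-uuid}:{env-uuid}\"}").$(b64url_encode 'placeholder-signature')"
export AWS_PROFILE=deploy   # simulates the repository variable that caused the conflict

TOKEN_FILE="$(mktemp)"

# Phil's steps 1-2: iss must be the URL the IAM identity provider was created
# with, and aud must be in that provider's client ID (audience) list.
claim_equals "$SAMPLE_TOKEN" iss "$EXPECTED_ISSUER" \
  || { echo "issuer mismatch: $(jwt_claim "$SAMPLE_TOKEN" iss)" >&2; exit 1; }
claim_equals "$SAMPLE_TOKEN" aud "$EXPECTED_AUDIENCE" \
  || { echo "audience mismatch: $(jwt_claim "$SAMPLE_TOKEN" aud)" >&2; exit 1; }

prepare_web_identity_env "$SAMPLE_TOKEN" "$ROLE_ARN" "$TOKEN_FILE"
echo "AWS_PROFILE=${AWS_PROFILE:-<unset>} AWS_ROLE_ARN=$AWS_ROLE_ARN AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE"
# From here `aws sts get-caller-identity` would call AssumeRoleWithWebIdentity
# with only the variables above (not run here: it needs network and a real token).
```

In a real step, run this before the first `aws` command and then `aws sts get-caller-identity` to confirm the assumed role; if STS still answers "No OpenIDConnect provider found in your account for <iss>", the provider for that exact `iss` URL is missing from the account that owns `AWS_ROLE_ARN`, and if it answers "Incorrect token audience", the printed `aud` is not in the provider's client ID list.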
