Hi guys,
I'm following this article to make Bitbucket pipelines work with AWS Codeartifact but having troubles with it.
I've
- Created "Identity Provider" with URL & Audience from Bitbucket's OIDC settings.
- Created a AWS role with
AWSCodeArtifactAdminAccess permissions and associated it with the Identity Provider - Defined 2 Bitbucket's repository variables:
AWS_REGION & AWS_ROLE_ARN. - Created
bitbucket-pipelines.yml file that looks like this:
image:
name: XXXXXXXXXX.dkr.ecr.us-east-2.amazonaws.com/bitbucket-docker:1.0.0
aws:
oidc-role: arn:aws:iam::XXXXXXXXXX:role/bitbucket-pipelines
options:
max-time: 30 # per-step timeout in minutes
pipelines:
branches:
develop:
- step:
oidc: true
script:
- export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
- echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
- aws sts assume-role-with-web-identity --role-arn arn:aws:iam::XXXXXXXXXX:role/bitbucket-pipelines --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000
- mvn verify deploy -e -DskipTests
When I run the pipelines I can see that I'm able to access the ECR docker image, but getting 401 authentication error when trying to deploy the maven artifacts (jar file).
I'm under the impression that I don't need to call aws codeartifact get-authorization-token since I authenticate via OIDC.
Here is the logs from CloudTrail:
"eventSource": "codeartifact.amazonaws.com",
"eventName": "PublishPackageVersion",
"awsRegion": "us-east-2",
"sourceIPAddress": "35.160.177.10",
"userAgent": "Apache-Maven/3.6.3 (Java 11.0.9; Linux 5.10.101)",
"errorCode": "AccessDenied",
"errorMessage": "Unauthenticated: request did not include an Authorization header. Please provide your credentials.",
Any idea what am I missing here?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.