Hi there,
Expected result: for pipelines to assume the pod identity associated IAM role and access AWS authenticated resources to be able to publish a docker image to an ECR repository for example.
I'm configuring self-hosted bitbucket runners on AWS EKS with autoscaling using the following guide:
https://support.atlassian.com/bitbucket-cloud/docs/autoscaler-for-runners-on-kubernetes/
The following pods were created successfully:
I was able to configure a Kubernetes Service Account and create its corresponding pod identity association with an IAM role that has the corresponding policies for the runners to execute pipelines accessing other AWS resources.
For example: permissions to publish an image to an ECR repository.
The pod runner-<uuid> has two container instances running:
I can confirm that the service account credentials are present in both containers. e.g. /var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token is there and has the token.
Runners are correctly registered to the bitbucket account, and pipelines are triggering as expected.
The main issue is that the pipelines cannot access the Pod Identity authentication, since the docker instance running the pipeline is created on the fly using the docker dind sidecar.
That is, there's no mechanism to mount or pass along this pod identity token so that the docker instance generated on the spot to run the pipeline gets access to the EKS pod identity token from the runner or the docker instance.
Namely, there's no docker_in_docker_args env var (horrible idea, btw) that I can set up in the values.yaml.
Hi Alejandro and welcome to the community!
My team tested this in EKS (but without the autoscaler) and Pipelines assumes the pod identity associated IAM role, but the setting IMDSv2 for the EKS Node needs to be set to 'required' instead of 'optional'. It will not work with IMDSv2 set to 'optional'. Can you please check the value of this setting? If this doesn't work with IMDSv2 set to 'required', please let me know and I can create a support ticket on your behalf for further investigation.
As a workaround, it is possible to use OIDC so that Pipelines can access AWS without storing credentials. You can check the following documentation:
The following page has a sample bitbucket-pipelines.yml file on how to configure the build to assume the created role:
Kind regards,
Theodora
Hi Theodora,
Unfortunately I have the exact same problem. I've followed your suggestion and enabled IMDSv2 on my node groups such as:
    metadata_options = {
      http_endpoint               = "enabled"
      http_tokens                 = "required"
      http_put_response_hop_limit = 2
      instance_metadata_tags      = "disabled"
    }
Whenever my bitbucket runner controller picks up a new job, it spins up a DinD container within the runner pod, which still can't use the pod-identity token as an environment variable or in any other form (it always defaults back to environment credentials).
I have even tried to modify the ConfigMap manifest provided with the bitbucket-runners project to mount the volume to my DinD container as:
    volumeMounts:
      - name: eks-pod-identity-token
        mountPath: /var/run/secrets/pods.eks.amazonaws.com/serviceaccount
    env:
      # Pass Pod Identity credentials as environment variables
      - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
        value: "http://169.254.170.23/v1/credentials"
      - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
        # the mounted token file is named eks-pod-identity-token, not token
        value: "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token"
So far nothing is successful, and my pipelines/self-hosted runners can't use pod-identity to authenticate against AWS services:
    aws sts get-caller-identity
    Unable to locate credentials. You can configure credentials by running "aws configure".
Any ideas here? I can't find any official guide or a good example/guide on how to use AWS Pod-Identity with self-hosted Bitbucket runners and support is completely unresponsive.
Thanks,
Mert
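An added diagnostic, not part of the thread above: the AWS SDK container credential provider needs three things, the AWS_CONTAINER_CREDENTIALS_FULL_URI variable, the AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE variable, and a readable token at that path. Running this check in the runner container, in the DinD sidecar, and in a pipeline step shows at which hop the pieces stop being present; the function arguments and the `--run` flag are this script's own conventions.

```shell
#!/bin/sh
# pod_identity_check URI TOKEN_FILE
# Prints one verdict line per requirement and returns 0 only when all are met.
# Arguments are passed explicitly so the same logic can be exercised against
# constructed values; `--run` feeds it the real environment, as the SDK sees it.
pod_identity_check() {
    uri="$1"
    token_file="$2"
    status=0
    if [ -z "$uri" ]; then
        echo "MISSING AWS_CONTAINER_CREDENTIALS_FULL_URI (agent endpoint is http://169.254.170.23/v1/credentials)"
        status=1
    else
        echo "ok      AWS_CONTAINER_CREDENTIALS_FULL_URI=$uri"
    fi
    if [ -z "$token_file" ]; then
        echo "MISSING AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE (expected .../serviceaccount/eks-pod-identity-token)"
        status=1
    elif [ ! -r "$token_file" ]; then
        echo "MISSING token file $token_file is not mounted or not readable in this container"
        status=1
    elif [ ! -s "$token_file" ]; then
        echo "EMPTY   token file $token_file exists but has no content"
        status=1
    else
        echo "ok      token file $token_file present ($(wc -c < "$token_file") bytes)"
    fi
    return $status
}

# Live probe of the Pod Identity agent, same request the SDK makes. Only
# meaningful inside the pod network, so it is a separate, opt-in step.
pod_identity_probe() {
    curl -sf -H "Authorization: $(cat "$AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")" \
        "$AWS_CONTAINER_CREDENTIALS_FULL_URI" >/dev/null \
        && echo "credentials endpoint answered with a credential set"
}

if [ "${1:-}" = "--run" ]; then
    pod_identity_check "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" "${AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE:-}" \
        && pod_identity_probe
fi
```

Run it with `sh check.sh --run` in each container; a mount or variable that is present in the sidecar but missing in the step container pinpoints the hop that drops it.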
Hi Mert,
We need a support ticket to investigate this further, so I suggest creating one and one of my colleagues will look into it. You mentioned that support is completely unresponsive, however, I don't see a support ticket raised from your account. Has your team already opened a ticket, and if so, can you share the ticket number?
If you haven't done so already, you can create a ticket via https://support.atlassian.com/contact/#/, in "What can we help you with?" select "Technical issues and bugs" and then Bitbucket Cloud. When you are asked to provide the workspace URL, please make sure you enter the URL of the workspace that is on a paid billing plan to proceed with ticket creation. Please feel free to let me know if you have any questions.
Kind regards,
Theodora
Hi Theodora,
I haven't opened a ticket before, as the support link you suggested only lets me talk with an AI agent, and this agent already confirmed that Pod-Identity doesn't work with self-hosted runners in EKS and there is no solution for this.
Shall I still open a ticket for a known issue just to raise awareness, or what are my alternatives here?