Get authorization CodeArtifact token from Bitbucket Pipelines run


I'm using Bitbucket as a source control service and I'm interested in starting to use its pipelines capability to build and deploy my app. I'm using AWS CodeArtifact to host my Java artifacts.

The thing I'm struggling with is how to authenticate to AWS CodeArtifact from the Bitbucket pipelines.

How to run

aws sso login --profile XXXX
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....

Is there a best practice to deal with this?


3
On BEST ANSWER

I think the exportation of the CODEARTIFACT_AUTH_TOKEN env var is quite fine. For the first authentication to AWS, you probably want to take a look into Bitbucket OIDC capabilities:

Essentially, setting up an identity provider in your AWS account that will let your pipelines assume a role by just declaring

 - step:
     name: My pipeline
     oidc: true
     ...

(also exporting an AWS_ROLE_ARN somewhere)

Identities and the assumed roles can be set up to granular clearance levels per repository, deployment stage, etc.


Setting up an OIDC identity provider can be cumbersome. You might be interested in giving https://registry.terraform.io/modules/calidae/bitbucket-oidc/aws/latest a look, even if you weren't using Terraform.
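
The flow described in the answer above, as an added shell example that is not part of the original answer: a script sourced from a step with `oidc: true` that hands the step's OIDC token to the AWS CLI and exports a short-lived CODEARTIFACT_AUTH_TOKEN. The names CODEARTIFACT_DOMAIN, CODEARTIFACT_DOMAIN_OWNER and TOKEN_TTL_SECONDS are assumptions, and the IAM role in AWS_ROLE_ARN is assumed to already trust the Bitbucket OIDC provider.

```bash
#!/usr/bin/env bash
# Added example: source this from a Bitbucket Pipelines step that declares `oidc: true`.
# Assumed (hypothetical) variable names: CODEARTIFACT_DOMAIN, CODEARTIFACT_DOMAIN_OWNER,
# TOKEN_TTL_SECONDS. BITBUCKET_STEP_OIDC_TOKEN is injected by Bitbucket for OIDC steps.

# Hand the step's OIDC token to the AWS CLI. With AWS_ROLE_ARN and
# AWS_WEB_IDENTITY_TOKEN_FILE set, the CLI assumes the role by itself.
setup_web_identity() {
  if [ -z "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]; then
    echo "no OIDC token: does the step declare 'oidc: true'?" >&2
    return 1
  fi
  if [ -z "${AWS_ROLE_ARN:-}" ]; then
    echo "AWS_ROLE_ARN is not set" >&2
    return 1
  fi
  local token_file
  token_file="$(mktemp)" || return 1   # mktemp creates the file with mode 0600
  printf '%s' "$BITBUCKET_STEP_OIDC_TOKEN" > "$token_file"
  export AWS_WEB_IDENTITY_TOKEN_FILE="$token_file"
}

# Request a short-lived CodeArtifact token and export it without echoing it.
fetch_codeartifact_token() {
  local token
  token="$(aws codeartifact get-authorization-token \
    --domain "$CODEARTIFACT_DOMAIN" \
    --domain-owner "$CODEARTIFACT_DOMAIN_OWNER" \
    --duration-seconds "${TOKEN_TTL_SECONDS:-900}" \
    --query authorizationToken --output text)" || return 1
  # The CLI prints "None" when the queried field is missing.
  if [ -z "$token" ] || [ "$token" = "None" ]; then
    echo "CodeArtifact returned no token" >&2
    return 1
  fi
  export CODEARTIFACT_AUTH_TOKEN="$token"
}

# Runs only inside an OIDC-enabled step; elsewhere the file just defines the functions.
if [ -n "${BITBUCKET_STEP_OIDC_TOKEN:-}" ]; then
  setup_web_identity && fetch_codeartifact_token
fi
```

Because the script exports variables, it has to be sourced in the step's `script:` rather than executed, and the build that needs CODEARTIFACT_AUTH_TOKEN should run in the same step so the token never has to be written to disk.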

0
On

I had the same issue and I created my own pipe. It may help you.

- step:
    oidc: true
    script:
      #  use the pipe to authenticate on AWS CodeArtifact
      - pipe: rangel-tadeu/aws-codeartifact-deploy:0.0.1
        variables:
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/role_name"
          AWS_CODE_ARTIFACT_DOMAIN: $AWS_CODE_ARTIFACT_DOMAIN
          AWS_CODE_ARTIFACT_DOMAIN_OWNER: $AWS_CODE_ARTIFACT_DOMAIN_OWNER
    artifacts:
      - set_env.sh

- step:
    name: any-other-step
    script:
      - source set_env.sh
      ...

The set_env.sh will set the $CODEARTIFACT_AUTH_TOKEN you need in another step to run your deploy script.

Pipe repository: https://bitbucket.org/rangel-tadeu/aws-codeartifact-deploy/src/master/