I'm using Bitbucket as a source control service and I'm interested to start using its pipelines capability to build and deploy my app. I'm using AWS CodeArtifact to host my Java artifacts.
The thing I'm struggle with is how to authenticate AWS CodeArtifact from the Bitbucket pipelines.
How to run
aws sso login --profile XXXX
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....
Is there a best practice to deal with this??
On
I had the same issue and I create my own pipe. It may help you.
- step:
oidc: true
script:
# use the pipe to authenticate on AWS CodeArtifact
- pipe: rangel-tadeu/aws-codeartifact-deploy:0.0.1
variables:
AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/role_name"
AWS_CODE_ARTIFACT_DOMAIN: $AWS_CODE_ARTIFACT_DOMAIN
AWS_CODE_ARTIFACT_DOMAIN_OWNER: $AWS_CODE_ARTIFACT_DOMAIN_OWNER
artifacts:
- set_env.sh
- step:
name: any-other-step
script:
- source set_env.sh
...
The set_env.sh will set the $CODEARTIFACT_AUTH_TOKEN you need in another step to run your deploy script.
Pipe repository: https://bitbucket.org/rangel-tadeu/aws-codeartifact-deploy/src/master/
I think the exportation of the
CODEARTIFACT_AUTH_TOKENenv var is quite fine. For the first authentication to AWS, you probably want to take a look into Bitbucket OIDC capabilities:Essentially, setting up an identity provider in you AWS account that will let your pipelines assume a role by just declaring
(also exporting an
AWS_ROLE_ARNsomewhere)Identities and the assumed roles can be set up to granular clearance levels per repository, deployment stage, etc
Setting up an OIDC identity provider can be cumbersome. You might be interested in giving https://registry.terraform.io/modules/calidae/bitbucket-oidc/aws/latest a look, even if you weren't using terraform.