Unable to get 'branchName' on AWS via OIDC connection for Bitbucket Pipeline

I am using the Bitbucket pipeline and would like to deploy on AWS via the Bitbucket pipeline. I am using an OIDC connection. I want to put one condition that deployment must happen only for the "main" branch. In my IAM role I have added the following condition for the branch:

{
  "StringEquals": {
    "api.bitbucket.org/2.0/workspaces/<workspace>/pipelines-config/identity/oidc:branchName": "main"
  }
}

After adding this condition on AWS, the Bitbucket pipeline is unable to make a connection to AWS.

Any suggestion why this condition is not fulfilled on AWS IAM? Or is there any secure way to do that?

user1716837 asked Jan 26 '26 03:01


1 Answer

Unfortunately AWS allows only a set of claims to be used in the trust policy (i.e. aud and sub). The configuration below will allow any repository under the yyyyyyy workspace to assume the bitbucket-oidc role.

Access control policy document (Trust relationship for your IAM Role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxx:oidc-provider/api.bitbucket.org/2.0/workspaces/yyyyyyy/pipelines-config/identity/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "api.bitbucket.org/2.0/workspaces/yyyyyyy/pipelines-config/identity/oidc:aud": "ari:cloud:bitbucket::workspace/zzzzzzz"
        }
      }
    }
  ]
}

bitbucket-pipelines.yml:

image: amazon/aws-cli

pipelines:
  branches:
    main:
      - step:
          name: Test OpenID Connect provider with AWS 
          oidc: true
          script:
            - export AWS_REGION=eu-central-1
            - export AWS_ROLE_ARN=arn:aws:iam::xxxxxxx:role/bitbucket-oidc
            - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
            - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
            - aws sts get-caller-identity
            - aws s3 ls

Here:

  • xxxxxxx : your AWS account number, e.g. 123456789
  • yyyyyyy : Bitbucket workspace name, e.g. pavel-maslov
  • zzzzzzz : workspace UUID, e.g. aa80e976-01e0-4228-99f6-9d6098e147a4
  • bitbucket-oidc: the IAM role Bitbucket pipelines will be assuming

See full documentation here.


P.S. You can further restrict your role e.g. to be only assumed by a certain repo in your workspace (but no more than that, so no branch filtering, sorry):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxxxx:oidc-provider/api.bitbucket.org/2.0/workspaces/yyyyyyy/pipelines-config/identity/oidc"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringLike": {
          "api.bitbucket.org/2.0/workspaces/yyyyyyy/pipelines-config/identity/oidc:sub": "{1a779bcb-1aa4-430e-8f66-128b5fef4183}:*"
        }
      }
    }
  ]
}

Where 1a779bcb-1aa4-430e-8f66-128b5fef4183 is your Repository UUID.

maslick answered Jan 28 '26 00:01
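To see why the questioner's branchName condition can never match while the answer's aud and sub conditions do, the following is an offline model of how an IAM trust policy is evaluated against a Bitbucket OIDC token. This is an added example, not code from the question, the answer, AWS or Bitbucket. It assumes, as the answer states, that IAM exposes only the aud and sub claims as condition keys for a web-identity provider; the token payload, the repository/step UUIDs and the xxxxxxx/yyyyyyy/zzzzzzz placeholders are constructed here and are not real identifiers. decode_claims only base64-decodes the payload for inspection and performs no signature verification.

```python
"""Offline model of IAM trust-policy evaluation for a Bitbucket Pipelines OIDC token.

Added example (not from the original post). Assumes IAM exposes only the
``aud`` and ``sub`` claims as condition keys, as the answer states. All UUIDs
and the token built below are constructed placeholders.
"""
import base64
import json
import re

# Claims IAM turns into "<issuer>:<claim>" condition keys (assumption taken from the answer).
SUPPORTED_CLAIMS = {"aud", "sub"}

ISSUER = "api.bitbucket.org/2.0/workspaces/yyyyyyy/pipelines-config/identity/oidc"

# Constructed payload shaped like a Bitbucket Pipelines OIDC token (hypothetical ids).
# ``sub`` follows the "{repository-uuid}:{step-uuid}" layout the answer's StringLike pattern relies on.
SAMPLE_CLAIMS = {
    "iss": "https://" + ISSUER,
    "aud": "ari:cloud:bitbucket::workspace/zzzzzzz",
    "sub": "{1a779bcb-1aa4-430e-8f66-128b5fef4183}:{0b7f3c1e-5e1a-4a1d-9c2e-0123456789ab}",
    "branchName": "main",  # present in the token, but not a condition key IAM offers
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for testing; the signature part is a dummy placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload of a token such as $BITBUCKET_STEP_OIDC_TOKEN for inspection only.

    No signature check is performed: use this to see which claims the token carries,
    never to make an authorization decision.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))


def string_like(actual: str, pattern: str) -> bool:
    """IAM StringLike: case-sensitive match where '*' and '?' are the only wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, actual) is not None


MATCHERS = {
    "StringEquals": lambda actual, pattern: actual == pattern,
    "StringLike": string_like,
}


def resolve_condition_key(key: str, claims: dict):
    """Map an IAM condition key to the token claim it reads, or None if IAM has no such key."""
    issuer_prefix, _, claim = key.rpartition(":")
    issuer = claims.get("iss", "").removeprefix("https://")
    if issuer_prefix != issuer or claim not in SUPPORTED_CLAIMS:
        return None  # key is absent from the request context
    return claims.get(claim)


def condition_allows(condition: dict, claims: dict) -> bool:
    """Every operator block and every key in it must match (IAM AND semantics).

    A key missing from the request context makes StringEquals/StringLike fail,
    which is what happens to the branchName condition from the question.
    """
    for operator, keys in condition.items():
        matcher = MATCHERS[operator]
        for key, expected in keys.items():
            actual = resolve_condition_key(key, claims)
            if actual is None:
                return False
            patterns = expected if isinstance(expected, list) else [expected]
            if not any(matcher(actual, p) for p in patterns):  # listed values are OR-ed
                return False
    return True


def trust_policy_allows(policy: dict, claims: dict) -> bool:
    """True if some Allow statement for AssumeRoleWithWebIdentity accepts the token."""
    return any(
        stmt.get("Effect") == "Allow"
        and stmt.get("Action") == "sts:AssumeRoleWithWebIdentity"
        and condition_allows(stmt.get("Condition", {}), claims)
        for stmt in policy["Statement"]
    )


def policy_with(condition: dict) -> dict:
    """Wrap a Condition block in a trust policy shaped like the ones on the page."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::xxxxxxx:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": condition,
    }]}


# The three conditions discussed on the page.
BRANCH_POLICY = policy_with({"StringEquals": {f"{ISSUER}:branchName": "main"}})
AUD_POLICY = policy_with({"StringEquals": {f"{ISSUER}:aud": "ari:cloud:bitbucket::workspace/zzzzzzz"}})
REPO_POLICY = policy_with({"StringLike": {f"{ISSUER}:sub": "{1a779bcb-1aa4-430e-8f66-128b5fef4183}:*"}})

if __name__ == "__main__":
    claims = decode_claims(make_unsigned_token(SAMPLE_CLAIMS))
    for name, policy in [("branchName", BRANCH_POLICY), ("aud", AUD_POLICY), ("repo sub", REPO_POLICY)]:
        print(f"{name:10} -> {'allow' if trust_policy_allows(policy, claims) else 'deny'}")
```

Running it prints deny for the branchName policy and allow for the aud and repository-sub policies. The model also shows the practical consequence of the answer's P.S.: the sub wildcard pins the role to one repository UUID, so a token minted for any other repository in the workspace is refused, but any branch or step of that repository still passes. Pasting a real $BITBUCKET_STEP_OIDC_TOKEN into decode_claims is a quick way to confirm which claims the token actually carries before writing a trust policy.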


