从Bitbucket管道运行授权CodeArtifact令牌

发布于 2025-01-27 09:55:00 字数 299 浏览 4 评论 0 原文

我将BitBucket用作源控制服务，我有兴趣开始使用其管道功能来构建和部署我的应用程序。我正在使用AWS CodeArtifact托管我的Java文物。

我遇到的问题是如何从Bitbucket管道中验证AWS CodeArtifact。

如何运行

aws sso login --profile XXXX
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....

是最好的做法来解决这个问题？

原文

I'm using Bitbucket as a source control service and I'm interested to start using its pipelines capability to build and deploy my app. I'm using AWS CodeArtifact to host my Java artifacts.

The thing I'm struggle with is how to authenticate AWS CodeArtifact from the Bitbucket pipelines.

How to run

aws sso login --profile XXXX
export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....

Is there a best practice to deal with this??

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

羁绊已千年 2025-02-03 09:55:00

我认为 codeartifact_auth_token env var的导出非常好。 For the first authentication to AWS, you probably want to take a look into Bitbucket OIDC capabilities:

https://support.atlassian.com/bitbucket-cloud/docs /deploy-on-aws-使用bitbucket-pipelines-openid-connect/

本质上，在您的AWS帐户中设置身份提供商，它将让您的管道仅通过声明来扮演角色

 - step:
     name: My pipeline
     oidc: true
     ...

（还会导出 AWS_ROLE_ARN 某处）

身份，假定的角色可以设置为每个存储库，部署阶段等粒度间隙级别，等

设置OIDC身份提供商可能会很麻烦。您可能有兴趣给予也是一个外观。

I think the exportation of the CODEARTIFACT_AUTH_TOKEN env var is quite fine. For the first authentication to AWS, you probably want to take a look into Bitbucket OIDC capabilities:

Essentially, setting up an identity provider in you AWS account that will let your pipelines assume a role by just declaring

 - step:
     name: My pipeline
     oidc: true
     ...

(also exporting an AWS_ROLE_ARN somewhere)

Identities and the assumed roles can be set up to granular clearance levels per repository, deployment stage, etc

Setting up an OIDC identity provider can be cumbersome. You might be interested in giving https://registry.terraform.io/modules/calidae/bitbucket-oidc/aws/latest a look, even if you weren't using terraform.

回复收藏 0 原文

翻了热茶 2025-02-03 09:55:00

我遇到了同样的问题，我创建了自己的管道。它可能会帮助您。

- step:
    oidc: true
    script:
      #  use the pipe to authenticate on AWS CodeArtifact
      - pipe: rangel-tadeu/aws-codeartifact-deploy:0.0.1
        variables:
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/role_name"
          AWS_CODE_ARTIFACT_DOMAIN: $AWS_CODE_ARTIFACT_DOMAIN
          AWS_CODE_ARTIFACT_DOMAIN_OWNER: $AWS_CODE_ARTIFACT_DOMAIN_OWNER
    artifacts:
      - set_env.sh

- step:
    name: any-other-step
    script:
      - source set_env.sh
      ...

set_env.sh将在另一个步骤中设置您需要的$ codeartifact_auth_token来运行部署脚本。

管道存储库：

I had the same issue and I create my own pipe. It may help you.

- step:
    oidc: true
    script:
      #  use the pipe to authenticate on AWS CodeArtifact
      - pipe: rangel-tadeu/aws-codeartifact-deploy:0.0.1
        variables:
          AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
          AWS_OIDC_ROLE_ARN: "arn:aws:iam::123456789012:role/role_name"
          AWS_CODE_ARTIFACT_DOMAIN: $AWS_CODE_ARTIFACT_DOMAIN
          AWS_CODE_ARTIFACT_DOMAIN_OWNER: $AWS_CODE_ARTIFACT_DOMAIN_OWNER
    artifacts:
      - set_env.sh

- step:
    name: any-other-step
    script:
      - source set_env.sh
      ...

The set_env.sh will set the $CODEARTIFACT_AUTH_TOKEN you need in another step to run your deploy script.

Pipe repository: https://bitbucket.org/rangel-tadeu/aws-codeartifact-deploy/src/master/

回复收藏 0 原文

~没有更多了~