Error using OIDC with Atlassian Bitbucket and AWS

Posted 2025-02-01 19:06:39, 1797 characters, 4 views, 0 comments


I am trying to use OIDC with a role and a web identity on AWS. I followed the steps from https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/

As noted at the end of the post, OIDC works when I use Atlassian Pipes, but it does not work with the export and AWS CLI options.

  default:
    - step:
        name: Connect to AWS using OIDC
        oidc: true
        script:
          - export AWS_REGION=$AWS_REGION
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - printenv BITBUCKET_STEP_OIDC_TOKEN
          - printenv AWS_REGION
          - printenv AWS_ROLE_ARN
          - aws sts assume-role-with-web-identity --role-arn arn:aws:iam::1234567890:role/MyRole --role-session-name build-session --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000

printenv output:

printenv AWS_REGION
us-east-2

printenv AWS_ROLE_ARN
arn:aws:iam::1234567890:role/MyRole

printenv BITBUCKET_STEP_OIDC_TOKEN
<nothing here>

Error:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

However, when I use a pipe, everything works fine:

  - pipe: atlassian/aws-s3-deploy:1.1.0
    variables:
      AWS_DEFAULT_REGION: $AWS_REGION # Optional if already defined in the context or OIDC used.
      AWS_OIDC_ROLE_ARN: $AWS_OIDC_ROLE_ARN # Optional by default. Required for OpenID Connect (OIDC) authentication.
      S3_BUCKET: mygreat-bucket
      LOCAL_PATH: 'build'
      CACHE_CONTROL: 'max-age=86400'

Comments (4)

不再让梦枯萎 2025-02-08 19:06:39

I stumbled into the same thing: Bitbucket Pipes work with AWS OIDC out of the box but scripts do not. If you check a particular pipe's source code you will find there are a few extra steps needed to assume the role: https://bitbucket.org/atlassian/aws-s3-deploy/src/master/pipe/pipe.sh#lines-35

So to make the script section work with OIDC you need to have it like this:

default:
- step:
    name: Connect to AWS using OIDC
    oidc: true
    script:
      - export AWS_REGION=$AWS_REGION
      - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
      - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
      - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
      - aws configure set web_identity_token_file ${AWS_WEB_IDENTITY_TOKEN_FILE}
      - aws configure set role_arn ${AWS_ROLE_ARN}
      - unset AWS_ACCESS_KEY_ID
      - unset AWS_SECRET_ACCESS_KEY
      - printenv BITBUCKET_STEP_OIDC_TOKEN
      - printenv AWS_REGION
      - printenv AWS_ROLE_ARN

浪菊怪哟 2025-02-08 19:06:39


I came across a similar situation. I wanted to run AWS CLI commands inside a script using the AWS OIDC IAM role. It seems keeping oidc: true is not sufficient to authenticate to AWS.

So, as a workaround to make OIDC work in scripts, I used the sts assume-role command to get temporary credentials and the jq Linux tool to parse the response and use it to configure the AWS CLI.

default:
  - step:
      name: Configure AWS CLI
      oidc: true
      script:
        - assume_role_response=$(aws sts assume-role-with-web-identity --role-arn arn:aws:iam::123456789012:role/myRole --role-session-name build-session  --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" --duration-seconds 1000)
        - access_key_id=$(echo "$assume_role_response" | jq -r '.Credentials.AccessKeyId')
        - secret_access_key=$(echo "$assume_role_response" | jq -r '.Credentials.SecretAccessKey')
        - session_token=$(echo "$assume_role_response" | jq -r '.Credentials.SessionToken')
        - aws configure set aws_access_key_id "$access_key_id"
        - aws configure set aws_secret_access_key "$secret_access_key"
        - aws configure set aws_session_token "$session_token"
        - aws s3 ls

Not sure if there are other easier solutions out there, but this worked for me.

你是我的挚爱i 2025-02-08 19:06:39


If I understand correctly, exporting those env variables is enough and you shouldn't need further sts assume-role-with-web-identity commands.

Just try

pipelines:
  default:
    - step:
        name: Test OIDC
        oidc: true
        image: public.ecr.aws/aws-cli/aws-cli
        script:
          - export AWS_DEFAULT_REGION=my-region-0
          - export AWS_ROLE_ARN=arn:aws:iam::1234567890:role/MyRole
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $AWS_WEB_IDENTITY_TOKEN_FILE
          - aws sts get-caller-identity

恏ㄋ傷疤忘ㄋ疼 2025-02-08 19:06:39


I just came across this issue and fixed it by removing some old repo variables that I believe were interfering: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
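The answers above point at two preconditions for the script-based flow: the CLI must find a non-empty token file and role ARN, and no static AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY may be set, because the credential chain takes static keys before the web-identity provider; the remaining cause of "Not authorized to perform sts:AssumeRoleWithWebIdentity" is a token whose claims do not satisfy the role's trust policy. The following preflight script is an added example, not code from the question or the answers, and the issuer, audience, subject, role ARN and token it constructs are placeholders; it decodes the token's payload so the aud/sub values can be compared with the trust policy before any aws call is made.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the
# script-based OIDC flow, run before the aws call. All values are constructed.

# base64url-encode stdin (helper for the constructed demo token).
b64url() { base64 | tr -d '=\n' | tr '+/' '-_'; }

# Build an unsigned demo JWT from a JSON payload; a real token is signed by Bitbucket.
make_demo_token() {
  hdr=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url)
  printf '%s.%s.%s' "$hdr" "$(printf '%s' "$1" | b64url)" "not-a-signature"
}

# Decode the payload (second segment) of a JWT: base64url -> base64, re-pad, decode.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
  case $(( ${#seg} % 4 )) in 2) seg="$seg==" ;; 3) seg="$seg=" ;; esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Extract a string-valued claim (an array-valued "aud" is not handled here).
jwt_claim() { printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# Return 0 when the CLI can use web identity: role ARN set, token file non-empty,
# token audience equal to $1 (the value the role trust policy expects), and no
# static access keys, which the credential chain prefers over the OIDC token.
oidc_preflight() {
  [ -n "$AWS_ROLE_ARN" ] || { echo "AWS_ROLE_ARN is unset"; return 1; }
  [ -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ] || { echo "token file missing or empty"; return 1; }
  if [ -n "$AWS_ACCESS_KEY_ID" ] || [ -n "$AWS_SECRET_ACCESS_KEY" ]; then
    echo "static AWS keys are set and would shadow the OIDC token"; return 1
  fi
  payload=$(jwt_payload "$(cat "$AWS_WEB_IDENTITY_TOKEN_FILE")")
  aud=$(jwt_claim "$payload" aud)
  [ "$aud" = "$1" ] || { echo "aud '$aud' does not match trust policy value '$1'"; return 1; }
  echo "ok: iss=$(jwt_claim "$payload" iss) sub=$(jwt_claim "$payload" sub) aud=$aud"
}

# Demo with a constructed token (issuer, audience and subject are placeholders).
DEMO_AUD='ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000'
DEMO_TOKEN=$(make_demo_token "{\"iss\":\"https://api.bitbucket.org/2.0/workspaces/example-ws/pipelines-config/identity/oidc\",\"aud\":\"$DEMO_AUD\",\"sub\":\"{repository-uuid}:{step-uuid}\"}")
AWS_WEB_IDENTITY_TOKEN_FILE=$(mktemp)
printf '%s\n' "$DEMO_TOKEN" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
AWS_ROLE_ARN='arn:aws:iam::123456789012:role/MyRole'
unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
oidc_preflight "$DEMO_AUD"
```

In a pipeline step, replace the demo token with the contents written from $BITBUCKET_STEP_OIDC_TOKEN and pass the audience string from the IAM role's trust policy condition; a failing check explains the AccessDenied before sts is called.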
