AWS is a cornerstone of modern digital infrastructure, offering scalability, flexibility, and room for innovation to businesses across the globe. Today it is hard to imagine delivering custom software at that level of scalability and flexibility without CI/CD: automating the deployment process lets us ship faster and avoid costly human errors.
Before you start
Let’s define the scope of the tools mentioned in this post. First of all, there is Atlassian’s Bitbucket: a Git-based DevOps platform aimed at professional development teams that streamlines deployment workflows and strengthens security. In this particular case, however, we are more interested in Bitbucket Pipelines with AWS.
Bitbucket Pipelines is the continuous integration and continuous delivery (CI/CD) service built into the Bitbucket platform. It lets developers automate the build, test, and deployment of their code directly from the Bitbucket repository. With the Bitbucket CI/CD AWS integration, you can deploy your infrastructure and applications to the AWS cloud from the same pipeline, which makes the deployment process efficient and reliable.
Another thing that will be mentioned in the article is OIDC. OIDC is a secure way for apps to obtain user information from a verification service while ensuring data protection.
OpenID Connect was originally created as an amateur-level OAuth authorization mechanism that allowed users to use a single account for authentication on a variety of unrelated Internet resources. It shares common elements with OAuth, such as client_id, client_secret, and redirect_uri, which are stored in the access control system to protect the data transferred from users to apps and to prevent theft of the client_id.
Overview of deploying AWS with Bitbucket
If we want to deploy an application to AWS, Bitbucket allows us to create security credentials (programmatic access keys) and pass them to the deployment pipeline via repository variables. This kind of deployment process is suitable for small projects rather than for well-established ones, because there are several problems with these keys:
- You have to store them safely;
- You have to rotate them regularly;
- You have to make sure they are never exposed accidentally.
In such cases, OpenID Connect (OIDC) comes to our rescue. Although most developers who need to deploy to AWS from Bitbucket use a secret access key, OIDC lets us avoid long-lived keys altogether and significantly simplifies future deployments.
In this post, we provide a simple guide to creating a basic OIDC connection to an AWS account and using it in a deployment.
Deploying process to AWS with Bitbucket
Deploying your application involves setting up a CI/CD pipeline in Bitbucket. If you don’t have one yet, you should create it first; the OIDC connection becomes available after that. When setting up a secure deployment process to AWS with OIDC and Bitbucket, it’s essential to have a well-defined deployment pipeline. However, creating a new pipeline (like enabling Bitbucket Pipelines for AWS in the first place) is a separate topic. In this overview, we focus on the deployment process itself.
Bitbucket OpenID Connect
OpenID Connect is an authentication protocol that allows Bitbucket to delegate the authentication process to an OIDC identity provider, such as Okta, Auth0, or Keycloak.
First of all, log in to your Bitbucket account with administrative privileges. Then, in the repository, go to Repository settings > OpenID Connect.
On this page, pay attention to two values (it’s best to copy them into a text document, because we will need to paste them a bit later): the “identity provider URL” and the “audience” information. These two values are required to establish trust between the AWS account and the Bitbucket repository.
OpenID Connections in AWS
With the OIDC data we collected previously, we can create a trusted connection between Bitbucket and your AWS account. To do this, we add Bitbucket as an identity provider in AWS Identity and Access Management (IAM).
Select OpenID Connect as the provider type. Paste the identity provider URL and the audience (the values copied earlier). Perform the verification step by clicking “Get thumbprint,” then finish by clicking the “Add provider” button.
After creating the provider, assign an IAM role to start using it. Click on the newly created identity provider name, then click the “assign role” button. You can select an existing role or create a new one at this step. For testing purposes, we’ll create a new role named “Bitbucket-OIDC-S3” with AmazonS3FullAccess permissions.
Save the role. Open it and copy its Role ARN, as we will need it in the following steps.
Here we go; we are done with all the steps on the AWS side.
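The console steps above create the provider and the role but say nothing about the role’s trust policy, which is what actually decides which pipeline tokens may assume “Bitbucket-OIDC-S3”. The following is an added example (not code from the original post or from Bitbucket/AWS) that builds such a trust policy and evaluates sample token claims against it. The account ID, workspace name, audience and repository UUID are constructed placeholders; in practice you substitute the identity provider URL and audience copied from Repository settings > OpenID Connect. The point it demonstrates: the `aud` condition only pins the token to a workspace, so the `sub` condition is what prevents every other repository in that workspace from assuming the role.

```python
"""Build and evaluate an IAM trust policy for a Bitbucket Pipelines OIDC role.

Added example, not from the original post. All identifiers below are
constructed placeholders; the real values are shown by Bitbucket under
Repository settings > OpenID Connect.
"""
import fnmatch
import json

# Constructed placeholders (assumptions, not values from the post).
ACCOUNT_ID = "123456789012"
PROVIDER = ("api.bitbucket.org/2.0/workspaces/example-workspace/"
            "pipelines-config/identity/oidc")
AUDIENCE = "ari:cloud:bitbucket::workspace/11111111-2222-3333-4444-555555555555"
REPO_UUID = "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"


def trust_policy(account_id, provider, audience, repo_uuid, environment_uuid=None):
    """Return the trust policy document for a role such as Bitbucket-OIDC-S3.

    aud pins the token to one Bitbucket workspace; sub additionally pins it to
    one repository and, optionally, one deployment environment. Bitbucket's sub
    claim has the form {repo-uuid}[:{environment-uuid}]:{step-uuid}, so a
    trailing '*' wildcard (StringLike) accepts any step UUID.
    """
    if environment_uuid:
        sub_pattern = f"{repo_uuid}:{environment_uuid}:*"
    else:
        sub_pattern = f"{repo_uuid}:*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{provider}:aud": audience},
                "StringLike": {f"{provider}:sub": sub_pattern},
            },
        }],
    }


def would_allow(policy, claims):
    """Simplified local check of the StringEquals / StringLike conditions.

    `claims` is a dict with the token's 'aud' and 'sub' values. This mirrors
    how the conditions are meant to be read; it is not the AWS evaluator.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        cond = stmt.get("Condition", {})
        ok = True
        for key, expected in cond.get("StringEquals", {}).items():
            claim = key.rsplit(":", 1)[-1]          # 'aud'
            ok = ok and claims.get(claim) == expected
        for key, pattern in cond.get("StringLike", {}).items():
            claim = key.rsplit(":", 1)[-1]          # 'sub'
            ok = ok and fnmatch.fnmatchcase(claims.get(claim, ""), pattern)
        if ok:
            return True
    return False


if __name__ == "__main__":
    policy = trust_policy(ACCOUNT_ID, PROVIDER, AUDIENCE, REPO_UUID)
    print(json.dumps(policy, indent=2))
    # A token from another repository in the same workspace carries the same
    # aud but a different sub, so the sub condition is what rejects it.
    print(would_allow(policy, {"aud": AUDIENCE, "sub": "{other-repo}:{step}"}))
```

Pass `environment_uuid` when the deploying step is bound to a Bitbucket deployment environment (as the `deployment:` key in the pipeline does); the role can then be assumed only by that environment’s steps rather than by every step in the repository.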
Examples of configuring pipeline on the Bitbucket side
Let’s configure our model CI/CD pipeline on the Bitbucket side.
Here is a basic example of how to build a static site and deploy it to an S3 bucket on AWS.
Optional: create a repository variable OIDC_ROLE_ARN holding the Role ARN we saved earlier, for use in your pipeline.
Alternatively, you can paste the ARN directly into the pipeline in place of the variable.
```yaml
image: atlassian/default-image:2

pipelines:
  default:
    - step:
        name: Build artifact
        deployment: MyTestDeployment
        script:
          - mkdir build
          - cp index.html build/
        artifacts:
          - build/*
    - step:
        name: "Pushing code to S3"
        oidc: true
        script:
          - pipe: atlassian/aws-s3-deploy:1.1.0
            variables:
              AWS_OIDC_ROLE_ARN: $OIDC_ROLE_ARN
              AWS_DEFAULT_REGION: $AWS_DEFAULT_REGION
              S3_BUCKET: 'your-bucket-name'
              DELETE_FLAG: "true"
              LOCAL_PATH: 'build'
```
For this example, we create a simple index.html page, which gives us a typical static site deployment.
Voilà: both the deployment pipeline and the deployment itself succeeded without using any programmatic access key or additional password.
In this post, we’ve implemented a robust and streamlined DevOps process for deploying to AWS from Bitbucket while using OIDC authentication. With this approach, even if your Role ARN is exposed, it cannot by itself grant unauthorized access to your AWS resources. Nevertheless, it’s crucial to remain vigilant: a leaked long-lived access key, by contrast, could be exploited from anywhere.
By seamlessly integrating OIDC into your environment and CI/CD pipeline, you not only bolster the security of your AWS deployments but also streamline the entire process. Today, a secure deployment process is just a necessity. As you consider deploying to AWS with Bitbucket, you’re well on your way to securing your deployments and ensuring the safety of your AWS resources.