OIDC authentication issues troubleshooting

Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.


Summary

Users might see a variety of authentication errors when a Pipelines build uses OIDC to authenticate to a cloud provider. This article lists the most common causes and how to resolve them.

Environment

Bitbucket Pipelines

Diagnosis

When running builds in Pipelines and trying to authenticate to AWS, Azure, or GCP with OIDC, users might see authentication errors such as the one below:

An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity

Common cause 1: OIDC is not enabled for your build

When using OIDC in a Bitbucket Pipelines step, you need to explicitly set the oidc: true flag on that step in your bitbucket-pipelines.yml file. If OIDC is not enabled for the step that requires it, the build will never succeed in authenticating with OIDC, because no OIDC token is issued for that step.

Please check the following document for more information on this feature: Integrate Pipelines with resource servers using OIDC

Solution

Enable OIDC for your step by setting the oidc: true flag on the step in your bitbucket-pipelines.yml file, like so:

pipelines:
  default:
    - step:
        oidc: true
        script:
          [...]

Common cause 2: AWS specific - environment variables

When using OIDC with Pipelines, some specific environment variables need to be properly configured so that the AWS tooling can exchange the OIDC token for AWS credentials:

AWS_REGION
AWS_ROLE_ARN
AWS_WEB_IDENTITY_TOKEN_FILE

If those variables aren't configured prior to the OIDC authentication attempt, the attempt will fail.

Solution

Make sure that the environment variables mentioned above are set before using OIDC for authentication to AWS.

You can create those variables in multiple ways:

  1. Check your environment variables: On Bitbucket Cloud, check all possible places where a variable can be set up and confirm whether these variables are set:
    • Repository variables:
      • Navigate to the repository settings;
      • Select Repository variables;
      • Check if the variables are present. If not, create them with their appropriate values.
    • Deployment variables (Important: these variables are only available on a deployment step):
      • Navigate to the repository settings;
      • Select Deployments;
      • Check if the variables are present in any of the deployment environments.
    • Workspace variables:
      • Navigate to the workspace settings;
      • Select Workspace variables;
      • Check if the variables are present. If not, create them with their appropriate values.

  2. Set the variable during the build execution:

  You can also set values for the variables during the build execution, by adding commands like the following to the step's script (replace <region> with your AWS region):

  • Set command (Windows command prompt):

    - set AWS_REGION=<region>
  • Export command (bash and other POSIX shells):

    - export AWS_REGION=<region>

Common cause 3: Incorrect role setup

When using OIDC, the service that Pipelines needs to authenticate to must have the proper role set up on its side; the OIDC token only proves which Pipelines build is calling, and the target service decides what that identity is allowed to do.

For example, if you need to connect to AWS to use S3 for read and write purposes, you would need to set up a role on the AWS side as described in the AWS documentation: Amazon S3: Allows read and write access to objects in an S3 Bucket

Solution

If you are receiving an access denied error when connecting to a supported third-party service via OIDC, please make sure that the role setup is properly configured on the target service, including which OIDC identities the role trusts and which permissions it grants.
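The following preflight script is an added example (not Atlassian's or AWS's code) that covers common causes 1 to 3 from a single step: it checks that the three AWS variables and the BITBUCKET_STEP_OIDC_TOKEN variable injected by oidc: true are present, reads the token file, and prints the token's iss, aud and sub claims so you can compare them against the conditions in the AWS role's trust policy. The write_sample_token helper, the claim values and the role ARN are constructed for the demonstration; the token is decoded without signature verification for inspection only.

```python
"""Preflight check for OIDC to AWS inside a Bitbucket Pipelines step (constructed example)."""
import base64
import json
import os
import tempfile
import time

REQUIRED_VARS = ("AWS_REGION", "AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.
    Inspection only: STS, not this script, validates the token."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def oidc_preflight(env=None, now=None) -> list:
    """Return the problems that would make AssumeRoleWithWebIdentity fail before
    STS is even called. An empty list means the local setup looks complete."""
    env = os.environ if env is None else env
    now = time.time() if now is None else now
    problems = [f"missing environment variable {v}" for v in REQUIRED_VARS if not env.get(v)]
    if "BITBUCKET_STEP_OIDC_TOKEN" not in env:
        problems.append("BITBUCKET_STEP_OIDC_TOKEN not set: is 'oidc: true' on this step?")
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    if token_file and not os.path.isfile(token_file):
        problems.append(f"token file {token_file} does not exist")
    elif token_file:
        with open(token_file) as fh:
            claims = decode_jwt_claims(fh.read())
        if claims.get("exp", 0) <= now:
            problems.append("OIDC token has expired")
        # These are the claims the role's trust policy conditions must match.
        for name in ("iss", "aud", "sub"):
            print(f"{name}: {claims.get(name)}")
    return problems


def write_sample_token(claims: dict) -> str:
    """Write a constructed, unsigned JWT with the given claims to a temp file and
    return its path. For demonstrating the preflight only; never send it to STS."""
    seg = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    fd, path = tempfile.mkstemp(suffix=".jwt")
    with os.fdopen(fd, "w") as fh:
        fh.write(f"{seg({'alg': 'none'})}.{seg(claims)}.")
    return path
```

In a real step, write the token to the file first (for example, echo $BITBUCKET_STEP_OIDC_TOKEN > the path in AWS_WEB_IDENTITY_TOKEN_FILE) and then run oidc_preflight() before calling the AWS CLI.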

Last modified on Jan 2, 2024
