#gcp (2022-05)

Google Cloud Platform

2022-05-20

contact871

Hi, has anyone configured Bitbucket Pipelines to access GCP via OIDC?

Currently I have:

```yaml
image: atlassian/default-image:3

pipelines:
  default:
  - parallel:
    - step: &docker-build-push
      name: Build and push images to GCR
      oidc: true
      image: google/cloud-sdk:alpine
      script:
      - echo "${BITBUCKET_STEP_OIDC_TOKEN}" > /tmp/credential-source-file.out
      # Note: the pool path below is built from the project ID; the workload identity
      # pool resource name (the STS "audience") is keyed by the numeric project number.
      - gcloud iam workload-identity-pools create-cred-config projects/${PROJECT_ID}/locations/global/workloadIdentityPools/bitbucket-pipelines/providers/bitbucket-pipelines --service-account="name@${PROJECT_ID}.iam.gserviceaccount.com" --output-file=/tmp/FILEPATH.json --credential-source-file=/tmp/credential-source-file.out --credential-source-type=text
      - gcloud auth login --cred-file=/tmp/FILEPATH.json
      - CLOUDSDK_CORE_DISABLE_PROMPTS=1 gcloud components install alpha
      - gcloud --project ${PROJECT_ID} alpha storage ls
```

But I get an error:

google.auth.exceptions.OAuthError: ('Error code invalid_target: The target service indicated by the "audience" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn\'t exist.', '{"error":"invalid_target","error_description":"The target service indicated by the \\"audience\\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn\'t exist."}')
contact871

I ended up with:

```yaml
image: atlassian/default-image:3

pipelines:
  default:
    - parallel:
        - step: &docker-build-push
            name: Build and push images to GCR
            oidc: true
            image: google/cloud-sdk:alpine
            script:
              # The pool/provider path uses the numeric project number, not the project ID.
              - export GCP_PROJECT_NUMBER=12345678901
              - export PROJECT_NAME=my-project-name

              - export workload_identity_pool_id='bitbucket-pipelines-oidc-demo'
              # Provider ID only; "update-oidc" is the gcloud subcommand, not part of the ID.
              - export workload_identity_pool_provider_id='bitbucket-oidc-idp'
              - export SERVICE_ACCOUNT_EMAIL="sa-name@${PROJECT_NAME}.iam.gserviceaccount.com"

              # Write the step's OIDC token without a trailing newline; it is the credential source.
              - echo -n "${BITBUCKET_STEP_OIDC_TOKEN}" > /tmp/gcp_access_token.out

              # Generate an external-account credential config that exchanges the token via STS
              # and impersonates the service account.
              - gcloud iam workload-identity-pools create-cred-config "projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/${workload_identity_pool_id}/providers/${workload_identity_pool_provider_id}" --credential-source-file=/tmp/gcp_access_token.out --service-account="${SERVICE_ACCOUNT_EMAIL}" --output-file=sts-creds.json

              - export GOOGLE_APPLICATION_CREDENTIALS=$(pwd)/sts-creds.json
              - gcloud auth login --cred-file=$(pwd)/sts-creds.json
              - gcloud info
              - CLOUDSDK_CORE_DISABLE_PROMPTS=1 gcloud components install alpha
              - gcloud --project "${PROJECT_NAME}" alpha storage ls gs://some-bucket/
```

One can find more help here https://community.atlassian.com/t5/Bitbucket-questions/How-set-up-bitbucket-pipeline-using-a-gcp-private-image-via-OIDC/qaq-p/1792393#M82049

Though I found the posted commands a little bit confusing. Here is how I used them:

```bash
WORKSPACE_NAME='my-workspace'
WORKSPACE_UUID='bebebebe-bebe-bebe-bebe-bebebebebebe'
export GCP_PROJECT_NUMBER='12345678901'
export PROJECT_NAME='my-project-name'
export SERVICE_ACCOUNT_EMAIL="sa-name@${PROJECT_NAME}.iam.gserviceaccount.com"

# Point the provider at the workspace's OIDC issuer, map the token's subject and
# workspaceUuid claims, and only accept tokens minted for this workspace (aud).
gcloud beta iam workload-identity-pools providers update-oidc bitbucket-oidc-idp \
  --workload-identity-pool="bitbucket-pipelines-oidc-demo" \
  --issuer-uri="https://api.bitbucket.org/2.0/workspaces/${WORKSPACE_NAME}/pipelines-config/identity/oidc" \
  --location="global" \
  --attribute-mapping="google.subject=assertion.sub,attribute.workspace_uuid=assertion.workspaceUuid" \
  --allowed-audiences="ari:cloud:bitbucket::workspace/${WORKSPACE_UUID}"

# Allow identities from the pool whose mapped workspace_uuid matches this workspace
# to impersonate the service account. The member path needs the project number.
# The braces around the UUID are kept on purpose: Bitbucket UUID values, including
# the workspaceUuid claim, are wrapped in braces.
gcloud iam service-accounts add-iam-policy-binding "${SERVICE_ACCOUNT_EMAIL}" \
  --role="roles/iam.workloadIdentityUser" \
  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUMBER}/locations/global/workloadIdentityPools/bitbucket-pipelines-oidc-demo/attribute.workspace_uuid/{${WORKSPACE_UUID}}"
```

A. Enes Turan

The latest revision is working, right? @contact871

2022-05-24
