Hi, any Bitbucket Cloud users? How do you manage AWS multi-account pipeline deployments?
I want to avoid adding AWS keys per repo, but we only have one workspace in Bitbucket Cloud, and I don't think it is secure to add AWS keys that can assume roles in other AWS accounts while being accessible to all the projects and repos under the workspace umbrella.
I'm not on bbcloud, but I'm using GH Secrets environments, GH Actions, Terraform, and HashiCorp Vault for all the secrets and short-term AWS creds for the pipelines. https://www.vaultproject.io/docs/secrets/aws
The AWS secrets engine for Vault generates access keys dynamically based on IAM policies.
Integrate it with Terraform Cloud, add keys there, and only give access to specific people.
You can control, based on branch or folder, which workspace to call in Terraform Cloud.
We just got rid of Terraform Cloud because it was going to cost 13K USD per year to run.
Atlassian has just launched Bitbucket runners. I'm going to try to build ECS containers with an IAM role and run pipelines on them with Terraform assume_role ARNs.
Yes, good alternative also.
I used the Bitbucket OpenID Connect support to configure multiple accounts: https://mukeshsharma.dev/2021/09/07/config-bitbucket-cloud-pipelines-aws-openid-connect.html
Bitbucket Pipelines provide an easy and integrated way to run CI/CD pipelines for your projects hosted in Bitbucket code repositories, using a straightforward YAML DSL to CI/CD your applications and other cloud resources to production. However, using static AWS IAM keys as secured variables at the individual code repository level, or as Bitbucket workspace variables with AWS STS permissions to jump into other AWS accounts, can become challenging when operating at a large scale with multiple AWS accounts. Static IAM keys also introduce the risk of secrets sprawling into other applications and may leak into logs in plain text when using a bad script, and there always remains the endless toil of manually rotating and replacing the keys in your CI/CD tool of choice.
@msharma24, with what did you replace TFCloud? We are choosing a platform right now.
Bitbucket Cloud Pipelines.
Looks like a nice enhancement: https://github.blog/changelog/2021-08-25-github-actions-reduce-duplication-with-action-composition/