Bitbucket Pipelines and OpenID Connect: No more secret management

Bitbucket Pipelines and OIDC connect

Bitbucket Pipelines now allows you to talk to your favorite third-party applications without an access token or secret.

You no longer need to store your secrets in Bitbucket Pipelines. You can generate an OpenID Connect token in Bitbucket Pipelines, and use that to talk to any third-party application that supports OpenID Connect.

Why use OpenID Connect?

Traditionally, you add a secret as a variable and use it in the pipeline step to talk to a third-party or an external resource. Even though secrets are easy to get started with, they have some drawbacks.

Secret management is a huge challenge when your secrets are stored in multiple applications, and secrets can leak into your logs if you have a bad script.

Coarse-grained permissions are also a drawback to using secrets. With OpenID Connect you can give granular access based on the deployment environment, branch name, etc.

How does it work?

Setup

To get started you need to first register Bitbucket Pipelines as an OpenID Connect provider in your third-party application. During the registration process, you will need the following details:

  • Identity provider URL
  • Audience

You can find both of these details on the OpenID Connect settings page in your repository's settings.

After adding the provider, you need to set up the role and permission. Please refer to the third-party application’s documentation to understand the steps for registering, creating roles, and permissions.

Most of the cloud computing platforms support OpenID Connect, and we have documentation for getting you started:

Usage

      - step:
        name: Deploy to production
        deployment: Production
        oidc: true

Enable OpenID Connect token generation for a step by setting the oidc attribute to true. Bitbucket Pipelines will generate a unique token to identify each step. You can then use this token to authenticate with the third-party application. The token is available as an environment variable BITBUCKET_STEP_OIDC_TOKEN.

Bitbucket Pipes with OpenID support

We have upgraded our AWS pipes to use the OpenID Connect token, so you no longer need to provide an access token to use a pipe. You only need to set up Bitbucket Pipelines as an OpenID Connect provider in AWS.

The list of upgraded pipes is as follows:

Enjoy secret-less CI/CD.