Bitbucket Pipelines and OpenID Connect: No more secret management


Bitbucket Pipelines now lets you talk to your favorite third-party applications without storing a long-lived access token or secret in the pipeline.

You no longer need to keep secrets in Bitbucket Pipelines variables. When a step runs, Pipelines issues it an OpenID Connect token, and you can present that token to any third-party application that supports OpenID Connect.

Why use OpenID Connect?

Traditionally, you add a secret as a pipeline variable and use it in a step to talk to a third party or an external resource. Secrets are easy to get started with, but they have some drawbacks.

Secret management becomes a real burden once the same secret is stored in several applications: it has to be rotated everywhere at once, and a careless script can echo it into the build logs.

Secrets also tend to carry coarse-grained permissions, because one credential is shared by every step that uses it. With OpenID Connect, the third-party application sees who is calling in the token's claims, so you can grant access per deployment environment, per branch name, and so on.

How does it work?

Setup

To get started, first register Bitbucket Pipelines as an OpenID Connect identity provider in your third-party application. During registration you will need the following details:

  • Identity provider URL
  • Audience

You can find both of these details on the OpenID Connect settings page in your repository's settings.

After adding the provider, set up the roles and permissions that the token will be allowed to assume. Please refer to the third-party application's documentation for the steps to register a provider and create roles and permissions.

Most cloud computing platforms support OpenID Connect, and we have documentation to get you started:

Usage

    pipelines:
      default:
        - step:
            name: Deploy to production
            deployment: Production
            oidc: true
            script:
              - echo "OIDC token is ${#BITBUCKET_STEP_OIDC_TOKEN} characters long"

Enable OpenID Connect token generation for a step by setting its oidc attribute to true. For every run of that step, Bitbucket Pipelines mints a token that identifies that particular step (a signed JWT whose claims say where it is running, such as the repository, deployment environment and branch) and exposes it in the environment variable BITBUCKET_STEP_OIDC_TOKEN. Pass that value to the third-party application to authenticate. The token is short-lived and tied to the step, but it is still a credential while it is valid: treat it like a secret in your script and never echo it into the logs.
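What the third-party application does with BITBUCKET_STEP_OIDC_TOKEN, and how the per-environment, per-branch access described under "Why use OpenID Connect?" and "Setup" comes about, is easier to see in code. The following is an added example written for this page, not Bitbucket's or any cloud provider's own code. It mints a constructed step token, verifies it the way a relying party must (algorithm pinned, signature, issuer, audience, expiry), and then evaluates an IAM-style trust policy over the claims. Assumptions: the issuer URL, audience string, claim names (modelled on Bitbucket's documented token; confirm them against a decoded token from your own pipeline) and the trust-policy shape are illustrative, and the token is signed with HS256 and a shared key so the example runs offline, whereas real step tokens are RSA-signed by Bitbucket and verified against the issuer's published JWKS.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import time

# Assumed shapes of the two values shown on the repository's OpenID Connect settings page.
ISSUER = "https://api.bitbucket.org/2.0/workspaces/acme/pipelines-config/identity/oidc"
AUDIENCE = "ari:cloud:bitbucket::workspace/11111111-2222-3333-4444-555555555555"

# Stand-in signing key. Real step tokens are signed by Bitbucket with an RSA key and the
# third party verifies them against the issuer's JWKS; HS256 with a constructed shared
# secret keeps this example runnable offline. Do not copy this shortcut to production.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_step_token(claims, key=DEMO_KEY):
    """Constructed stand-in for what Pipelines does for a step with oidc: true."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_step_token(token, key=DEMO_KEY, now=None):
    """The checks every relying party must do before trusting a single claim."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT") from None
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm: never accept "none" or whatever alg the token announces.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:  # a token minted for another workspace must not work here
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


# Trust policy in the style of an AWS IAM role trust policy Condition block (assumed shape).
# Only a deployment to the production environment from a release branch may use the role;
# every other step in the same repository is refused even though its token is genuine.
TRUST_POLICY = {
    "StringEquals": {"deploymentEnvironmentUuid": "{prod-env-uuid}"},
    "StringLike": {"branchName": "release/*"},
}


def policy_allows(claims, policy=TRUST_POLICY):
    for name, wanted in policy.get("StringEquals", {}).items():
        if claims.get(name) != wanted:
            return False
    for name, pattern in policy.get("StringLike", {}).items():
        # fnmatchcase gives IAM-style * and ? wildcards (it also accepts [...], which IAM does not).
        if not fnmatch.fnmatchcase(str(claims.get(name, "")), pattern):
            return False
    return True


def authorize(token, now=None):
    """True if the token is genuine, meant for us, unexpired, and its claims satisfy the policy."""
    return policy_allows(verify_step_token(token, now=now))


def sample_claims(now, **overrides):
    """Constructed claims for a production deployment step; claim names are assumptions."""
    claims = {
        "iss": ISSUER,
        "aud": AUDIENCE,
        "iat": now,
        "exp": now + 3600,
        "repositoryUuid": "{repo-uuid}",
        "stepUuid": "{step-uuid}",
        "branchName": "release/1.2",
        "deploymentEnvironmentUuid": "{prod-env-uuid}",
    }
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    now = time.time()
    print("release deploy:", authorize(mint_step_token(sample_claims(now)), now=now))  # True
    print("feature branch:", authorize(mint_step_token(sample_claims(now, branchName="feature/x")), now=now))  # False
```

Two points worth noticing. The audience check is what stops a token minted for one workspace from being accepted by a role set up for another, which is why the settings page gives you that value alongside the issuer URL. And the policy runs only after verification succeeds: a claim such as branchName is worth nothing until the signature, issuer and expiry have been checked. In the AWS case the equivalent of policy_allows is the Condition block of the IAM role's trust policy, and the exchange itself is the real AWS CLI call `aws sts assume-role-with-web-identity --role-arn <role> --role-session-name <name> --web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN"`, which is what the upgraded pipes do for you.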

Bitbucket Pipes with OpenID support

We have upgraded our AWS pipes to use the OpenID Connect token, so you no longer need to give a pipe a long-lived access key and secret. You only need to set up Bitbucket Pipelines as an OpenID Connect provider in AWS and enable oidc on the step that runs the pipe.

The list of upgraded pipes is as follows:

Enjoy secret-less CI/CD.