[bitbucket] pipeline & oidc

image: amazon/aws-cli

pipelines:
  default:
    - step:
        oidc: true
        script:
          - export AWS_REGION=us-west-2
          - export AWS_ROLE_ARN=arn:aws:iam::XXXXXXXXXXXX:role/oidc-demo
          - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
          - echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
          - aws s3 cp s3://bucket/XXXXXX ./XXXXXXX

{
  "Effect": "Allow",
  "Principal": {
    "Federated": "arn:aws:iam::{AWS_ACCOUNT_NUMBER}:oidc-provider/api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc"
  },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringLike": {
      "api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc:sub": "{REPO_UUID}:*"
    }
  }
}

{
  "Effect": "Allow",
  "Principal": {
    "Federated": "arn:aws:iam::{AWS_ACCOUNT_NUMBER}:oidc-provider/api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc"
  },
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {
    "StringLike": {
      "api.bitbucket.org/2.0/workspaces/{WORKSPACE}/pipelines-config/identity/oidc:sub": "{REPO_UUID}:*"
    },
    "IpAddress": {
      "aws:SourceIp": [
        "34.199.54.113/32",
        "34.232.25.90/32",
        "34.232.119.183/32",
        "34.236.25.177/32",
        "35.171.175.212/32",
        "52.54.90.98/32",
        "52.202.195.162/32",
        "52.203.14.55/32",
        "52.204.96.37/32",
        "34.218.156.209/32",
        "34.218.168.212/32",
        "52.41.219.63/32",
        "35.155.178.254/32",
        "35.160.177.10/32",
        "34.216.18.129/32"
      ]
    }
  }
}​

https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/

Deploy on AWS using Bitbucket Pipelines OpenID Connect | Bitbucket Cloud | Atlassian Support