Google Cloud Workload Identity for Bitbucket

This Terraform module creates a Workload Identity Pool and Provider for Bitbucket.

Service account keys are a security risk if compromised. Avoid service account keys and instead use the Workload Identity Federation. For more information about Workload Identity Federation and how to best authenticate service accounts on Google Cloud, please see my GitHub repo Cyclenerd/google-workload-identity-federation.

There are also ready-to-use Terraform modules for GitHub and GitLab.

Example

Create Workload Identity Pool and Provider:

# Create Workload Identity Pool Provider for Bitbucket
module "bitbucket-wif" {
  source            = "Cyclenerd/wif-bitbucket/google"
  version           = "~> 2.0.0"
  project_id        = "your-project-id"
  issuer_uri        = "your-bitbucket-identity-provider-url"
  allowed_audiences = ["your-bitbucket-identity-provider-audience"]
}

# Get the Workload Identity Pool Provider resource name for Bitbucket pipeline configuration
output "bitbucket-workload-identity-provider" {
  description = "The Workload Identity Provider resource name"
  value       = module.bitbucket-wif.provider_name
}

If you do not yet know the required values, navigate to the Bitbucket repsoitory settings and click the menu item "OpenID Connect".

Here you will find the OIDC information:

• Identity provider URL: issuer_uri
• Audience: allowed_audiences
• Repository UUID: repository

An example of a working Bitbucket pipeline configuration (bitbucket-pipelines.yml) can be found on Bitbucket.

Allow service account to login via Workload Identity Provider and limit login only from the Bitbucket repository (UUID):

# Get existing service account for Bitbucket pipeline
data "google_service_account" "bitbucket" {
  project    = "your-project-uuid"
  account_id = "existing-account-for-bitbucket-pipeline"
}

# Allow service account to login via WIF and only from Bitbucket repository (UUID)
module "bitbucket-service-account" {
  source     = "Cyclenerd/wif-service-account/google"
  version    = "~> 1.0.0"
  project_id = "your-project-id"
  pool_name  = module.bitbucket-wif.pool_name
  account_id = data.google_service_account.bitbucket.account_id
  repository = "your-bitbucket-repository-uuid"
}

Terraform module Cyclenerd/wif-service-account/google is used.

👉 More examples

OIDC Token Attribute Mapping

The attributes attribute.sub and attribute.repository are used in the Terrform module Cyclenerd/wif-service-account/google. Please do not remove these attributes.

Default attribute mapping:

Attribute	Claim	Description
google.subject	assertion.sub	Subject
attribute.sub	assertion.sub	Defines the subject claim that is to be validated by the cloud provider. This setting is essential for making sure that access tokens are only allocated in a predictable way.
attribute.repository	assertion.repositoryUuid	The repository (UUID) from where the workflow is running
attribute.aud	assertion.aud	Intended audience for the token
attribute.iss	assertion.iss	Issuer of the token
attribute.step_uuid	assertion.stepUuid	Step UUID
attribute.branch_name	assertion.branchName	Branch name
attribute.pipeline_uuid	assertion.pipelineUuid	Pipeline UUID
attribute.workspace_uuid	assertion.workspaceUuid	Workspace UUID

Providers

Name	Version
google	>= 4.61.0

Inputs

Name	Description	Type	Default	Required
allowed_audiences	Bitbucket identity provider allowed audiences	list(string)	n/a	yes
attribute_condition	(Optional) Workload Identity Pool Provider attribute condition expression	string	null	no
attribute_mapping	Workload Identity Pool Provider attribute mapping	map(string)	{ "attribute.aud": "attribute.aud", "attribute.branch_name": "assertion.branchName", "attribute.iss": "attribute.iss", "attribute.pipeline_uuid": "assertion.pipelineUuid", "attribute.repository": "assertion.repositoryUuid", "attribute.step_uuid": "assertion.stepUuid", "attribute.sub": "attribute.sub", "attribute.workspace_uuid": "assertion.workspaceUuid", "google.subject": "assertion.sub" }	no
issuer_uri	Bitbucket identity provider URL	string	n/a	yes
pool_description	Workload Identity Pool description	string	"Workload Identity Pool for Bitbucket (Terraform managed)"	no
pool_disabled	Workload Identity Pool disabled	bool	false	no
pool_display_name	Workload Identity Pool display name	string	"bitbucket.org"	no
pool_id	Workload Identity Pool ID	string	"bitbucket-org"	no
project_id	The ID of the project	string	n/a	yes
provider_description	Workload Identity Pool Provider description	string	"Workload Identity Pool Provider for Bitbucket (Terraform managed)"	no
provider_disabled	Workload Identity Pool Provider disabled	bool	false	no
provider_display_name	Workload Identity Pool Provider display name	string	"bitbucket.org OIDC"	no
provider_id	Workload Identity Pool Provider ID	string	"bitbucket-org-oidc"	no

Outputs

Name	Description
pool_id	Identifier for the pool
pool_name	The resource name for the pool
pool_state	State of the pool
provider_id	Identifier for the provider
provider_name	The resource name of the provider
provider_state	State of the provider

License

All files in this repository are under the Apache License, Version 2.0 unless noted otherwise.

Based on Terraform module for workload identity federation on GCP by Michael S.