How to secure AWS CDK deployments with Bitbucket & OIDC

Take full control of your AWS deployments without storing credentials. In this guide, you’ll set up Bitbucket as an OpenID Connect (OIDC) identity provider, create and link a trusted IAM role in AWS, and configure your bitbucket-pipelines.yml to deploy AWS CDK projects using temporary, short-lived tokens, which gives you a safer, smarter way to automate infrastructure deployments.

Introduction

We’ve come a long way in modernising how we deploy applications through CI/CD pipelines. In the early days, deployments meant manually transferring files to production servers over FTP, and later SFTP. Eventually, automation entered the scene with tools like Jenkins, GitHub Actions, GitLab CI, Bitbucket Pipelines, Azure DevOps, and AWS CodePipeline, which made the process faster and more reliable.

Why traditional CI/CD authentication falls short and how OIDC solves it

But even with these CI/CD tools, one persistent issue remained: authentication to cloud providers, particularly in AWS. The traditional approach involves using long-lived AWS access keys, usually associated with an IAM User. These keys would be stored in the CI/CD environment and granted permissions to deploy resources.

However, this method introduces serious security risks:

    • Access keys may never be rotated

    • They can be leaked if stored in plaintext, and sometimes end up committed in the source code

    • They lack fine-grained control over session duration or scope

How OIDC works in practice

OpenID Connect (OIDC) is a modern authentication protocol built on top of OAuth 2.0. While OAuth is designed for delegated access to resources, OIDC adds an identity layer that allows systems to verify who is making the request.

In the context of CI/CD, this means:

    • Your pipeline (e.g., Bitbucket Pipelines) doesn’t need to store AWS credentials.

    • Instead, it authenticates with an OIDC-compliant Identity Provider (IdP), in this case, Bitbucket.

    • Bitbucket issues a signed identity token (ID token).

    • This token is sent to AWS Security Token Service (STS).

    • AWS verifies the token and issues temporary credentials with scoped permissions, based on a trusted IAM Role.

This approach is not only more secure but also easier to manage: no static keys, no secrets-management overhead, and automatic expiration.

Let’s walk through how you can securely deploy your AWS CDK projects using Bitbucket Pipelines with OpenID Connect (OIDC). This involves configuring Bitbucket as an identity provider, setting up IAM roles in AWS, using temporary credentials in your CI/CD pipeline, and automating secure cloud deployments without static AWS keys.

Step 1: How to set up your Bitbucket CDK Project Repository

Start by creating a Bitbucket repository; you can clone this sample repository: https://bitbucket.org/aws-blogs/hello-cdk/src/main/

This project simply creates a Lambda function that exposes a public function URL. It is based on the official AWS CDK documentation, which you can also follow here if you want to build it yourself.

Step 2: Get the Bitbucket OpenID Connect Identity Provider URL and Audience

To get the Identity Provider URL and Audience, open your Bitbucket repository and click ‘Repository settings’, then ‘OpenID Connect’ in the left-hand side menu.

A screenshot of a Bitbucket repository, highlighting the ‘OpenID Connect’ option in the left-hand side menu under ‘Repository settings’.

A screenshot of a Bitbucket repository highlighting the values for Identity Provider URL and Audience.

Note the Identity Provider URL and Audience values shown on this page; you will need both in Step 3.

You can learn more in Bitbucket’s OIDC documentation.

Step 3: Creating an OIDC Identity provider in AWS IAM

To create an IAM Identity Provider, open the IAM Dashboard in the AWS Console. On the left-hand side, click ‘Identity providers’.

A screenshot of an IAM Dashboard in the AWS Console, highlighting 'Identity providers' in the left-hand menu.

On the next page, click on the ‘Add Provider’ button on the top right.

A screenshot of an IAM Identity Providers page, highlighting the 'Add provider' button.

In the ‘Add Identity provider’ form, select ‘OpenID Connect’ as the Provider type, then fill in the Provider URL and Audience fields with the values you noted in Step 2 and click the ‘Add provider’ button to create the Identity provider.

A screenshot of an IAM 'Add Identity' form, highlighting ‘OpenID Connect’ as Provider Type, Provider URL and Audience.

A screenshot of an IAM Identity Providers homepage, highlighting the added provider.

Step 4: How to create a trusted IAM role for OIDC

To create a role for this project, head to the AWS Console IAM page and click on ‘Roles’ on the left-hand side of the menu then click on ‘Create role’ on the top right.

A screenshot of the AWS Console IAM page, highlighting ‘Roles’ in left-hand menu and the ‘Create role’ button top right.

Next, in IAM Role Creation Step 1, select the ‘Web Identity’ option under ‘Trusted Entity Type’ and, under ‘Web Identity’ below, select the Identity Provider and Audience you added in Step 3.

A screenshot of IAM Role Creation Step 1, highlighting the ‘Web Identity’ option under ‘Trusted Entity Type’ and ‘Identity Provider and Audience’ under 'Web Identity'.

In IAM Role Creation Step 2, select the permissions for the role.

A screenshot of IAM 'Add permissions' page, showing 'Permissions policies' and the policy code.

The policy below can be added to the role as an inline policy. It grants only what the CDK deployment of this project needs: the bootstrap version parameter in SSM, the CDK assets bucket, passing the CDK bootstrap roles to CloudFormation, and change-set operations on the HelloCdkStack and CDKToolkit stacks. Replace the account ID and region with your own.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": [
        "arn:aws:ssm:ap-southeast-2:00000000000:parameter/cdk-bootstrap/*"
      ]
    },
    {
      "Sid": "Statement2",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::cdk*"
      ],
      "Action": [
        "s3:*Object",
        "s3:ListBucket"
      ]
    },
    {
      "Sid": "Statement3",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:iam::00000000000:role/cdk-*"
      ],
      "Action": [
        "iam:PassRole"
      ]
    },
    {
      "Sid": "Statement4",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:cloudformation:ap-southeast-2:00000000000:stack/HelloCdkStack/*"
      ],
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:Get*",
        "cloudformation:CreateChangeSet",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:DescribeStackEvents"
      ]
    },
    {
      "Sid": "Statement5",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:cloudformation:ap-southeast-2:00000000000:stack/CDKToolkit/*"
      ],
      "Action": [
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate"
      ]
    }
  ]
}
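Before attaching a permissions policy like the one above, it is worth running a mechanical check over it. The Python below is an added example, not code from this post or from AWS: it flags whitespace inside an ARN (an ARN with a stray space never matches the real resource), malformed ARNs such as an account ID that is not the 12 digits AWS uses, and over-broad actions or resources. The SAMPLE_POLICY it runs over is constructed for the demo and uses placeholder account IDs.

```python
"""Added example (not from the original post): a small least-privilege check
run over an IAM permissions policy before it is attached as the role's inline
policy.  SAMPLE_POLICY is constructed for the demo; the account IDs are
placeholders."""
import re
from typing import List

# arn:partition:service:region:account-id:resource -- region and account may be
# empty for global services (IAM, S3); when present, account is 12 digits.
ARN_RE = re.compile(r"^arn:aws[a-z-]*:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")


def lint_statement(stmt: dict) -> List[str]:
    """Return human-readable findings for one Allow statement."""
    findings: List[str] = []
    sid = stmt.get("Sid", "<no Sid>")
    if stmt.get("Effect") != "Allow":
        return findings
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    resources = stmt.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append(f"{sid}: action '{action}' grants every action of the service")
    for arn in resources:
        if arn == "*":
            findings.append(f"{sid}: resource '*' is not scoped to any ARN")
        elif " " in arn:
            findings.append(f"{sid}: ARN contains whitespace: '{arn}'")
        elif not ARN_RE.match(arn):
            findings.append(f"{sid}: malformed ARN '{arn}'")
    return findings


def lint_policy(policy: dict) -> List[str]:
    """Lint every statement of a policy document."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        findings.extend(lint_statement(stmt))
    return findings


# Constructed sample that mirrors the shape of the post's policy, with three
# deliberate defects (space inside an ARN, 11-digit account ID, wildcards).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Ok", "Effect": "Allow",
         "Action": ["ssm:GetParameter"],
         "Resource": ["arn:aws:ssm:ap-southeast-2:123456789012:parameter/cdk-bootstrap/*"]},
        {"Sid": "SpaceInArn", "Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam:: 123456789012:role/cdk-*"]},
        {"Sid": "ShortAccount", "Effect": "Allow",
         "Action": ["cloudformation:DescribeStacks"],
         "Resource": ["arn:aws:cloudformation:ap-southeast-2:00000000000:stack/HelloCdkStack/*"]},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

The check is deliberately conservative: `s3:*Object`, as used in the post's policy, is not flagged because it still names a family of object actions, whereas `s3:*` or a bare `*` resource is.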

And in the final step, add a name to the role and create it.

A screenshot of IAM 'Name, review, and create' page, showing the name and description field, followed by the trust policy code, permissions policy summary and tags.

Once it’s created, copy the IAM Role ‘ARN’.

See the official AWS documentation for creating a role for OIDC here.

A screenshot of the IAM role summary page, highlighting 'ARN'.
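The trust policy generated by the ‘Web Identity’ wizard in Step 4 conditions only on the token's aud claim, and that audience is shared by every repository in the workspace. The Python below is an added example, not code from this post or from Bitbucket: it builds the same trust policy with an extra condition on the sub claim, then evaluates it locally against constructed ID tokens, mirroring the claim checks described in the ‘How OIDC works in practice’ section (issuer, expiry, and the role's conditions). The workspace slug, audience string, UUIDs, and the assumed layout of Bitbucket's sub claim (repository UUID first) are assumptions; a real deployment takes the provider URL and audience from the Repository settings page.

```python
"""Added example, not code from the original post: a trust policy for the
Bitbucket OIDC provider with 'sub' pinned to one repository, plus a local
evaluator that applies its conditions to constructed ID tokens.  Workspace
slug, audience, UUIDs and the 'sub' layout are assumptions."""
import base64
import fnmatch
import json
import time
from typing import Optional

# Provider URL as shown under Repository settings > OpenID Connect (assumed
# workspace slug).  IAM condition keys use this URL without the scheme.
PROVIDER_URL = ("https://api.bitbucket.org/2.0/workspaces/example-workspace"
                "/pipelines-config/identity/oidc")
PROVIDER_KEY = PROVIDER_URL[len("https://"):]
AUDIENCE = "ari:cloud:bitbucket::workspace/00000000-0000-0000-0000-000000000000"  # assumed
REPO_UUID = "{11111111-1111-1111-1111-111111111111}"  # assumed repository UUID


def trust_policy(account_id: str, repo_uuid: str) -> dict:
    """Same shape the console wizard produces (StringEquals on 'aud'), with an
    added StringLike on 'sub' so only one repository can assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated":
                          f"arn:aws:iam::{account_id}:oidc-provider/{PROVIDER_KEY}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {f"{PROVIDER_KEY}:aud": AUDIENCE},
                "StringLike": {f"{PROVIDER_KEY}:sub": f"{repo_uuid}*"},
            },
        }],
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT with an empty signature, for local evaluation only.
    Real tokens are signed by Bitbucket and STS verifies that signature
    against the provider's published keys before looking at any claim."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def token_claims(token: str) -> dict:
    """Decode the payload segment of a JWT (no signature check here)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def sample_claims(now: float, repo_uuid: str = REPO_UUID,
                  aud: str = AUDIENCE, iss: str = PROVIDER_URL) -> dict:
    """Claims shaped like a Bitbucket step token (assumed layout), valid 5 min."""
    return {"iss": iss, "aud": aud, "iat": now, "exp": now + 300,
            "sub": f"{repo_uuid}:{{env-uuid}}:{{step-uuid}}"}


def evaluate_trust(policy: dict, token: str, now: Optional[float] = None) -> bool:
    """Local mirror of the claim checks STS applies: issuer must be the
    provider, the token must be unexpired, and every condition of one Allow
    statement must hold."""
    claims = token_claims(token)
    now = time.time() if now is None else now
    if claims.get("iss") != PROVIDER_URL or claims.get("exp", 0) <= now:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        satisfied = True
        for operator, tests in stmt.get("Condition", {}).items():
            for key, want in tests.items():
                have = claims.get(key.rsplit(":", 1)[1], "")  # '<provider>:aud' -> 'aud'
                if operator == "StringEquals" and have != want:
                    satisfied = False
                elif operator == "StringLike" and not fnmatch.fnmatchcase(have, want):
                    satisfied = False
        if satisfied:
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    policy = trust_policy("123456789012", REPO_UUID)
    print(json.dumps(policy, indent=2))
    print("same repository :", evaluate_trust(policy, make_unsigned_token(sample_claims(now))))
    other = sample_claims(now, repo_uuid="{22222222-2222-2222-2222-222222222222}")
    print("other repository:", evaluate_trust(policy, make_unsigned_token(other)))
```

Confirm the sub layout against a token decoded from a real pipeline run before pasting the printed policy into the role's trust relationship, since the exact claim format is Bitbucket's to define; if it changes, the StringLike condition is what would start rejecting legitimate runs.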

Step 5: Configure your Bitbucket Pipeline with AWS role ARN

Open the bitbucket-pipelines.yml file and replace the AWS_ROLE_ARN value with the IAM Role ARN from Step 4. Then commit and push your change.

image: node:22.15.0

pipelines:
  branches:
    main:
      - step:
          # Ask Bitbucket to issue an ID token for this step ($BITBUCKET_STEP_OIDC_TOKEN)
          oidc: true
          script:
            - export AWS_REGION=ap-southeast-2
            - export AWS_ROLE_ARN={AWS_IAM_ROLE_FROM_STEP_4}
            # The AWS SDK/CLI reads the token from this file and calls STS
            # AssumeRoleWithWebIdentity itself, so no access keys are needed
            - export AWS_WEB_IDENTITY_TOKEN_FILE=$(pwd)/web-identity-token
            - echo "$BITBUCKET_STEP_OIDC_TOKEN" > "$AWS_WEB_IDENTITY_TOKEN_FILE"
            - npm install -g ts-node aws-cdk
            - npm i -D esbuild
            - npx cdk bootstrap
            - npx cdk synth
            - npx cdk diff
            - npx cdk deploy --require-approval never

Step 6: Running the Pipeline to deploy your CDK Stack

Go back to the Bitbucket repository, open the Pipelines page from the left-hand side menu and run a new pipeline, selecting the main branch and branches:main as the Pipeline.

A screenshot of the Pipelines page within the Bitbucket repository, highlighting the 'Run Pipeline' window and the 'Branch' and 'Pipeline' dropdowns.

Once the build and deployment are successful, you should see in the CDK deployment logs the output HelloCdkStack.myFunctionUrlOutput = https://v7pyne536cvpibt6mmwtsd75mi0xbdqe.lambda-url.ap-southeast-2.on.aws/ (the URL will be different for your deployment).

A screenshot of CDK deployment logs.

By opening this URL, you should see “Hello World!” printed on the page.

A screenshot of the URL and 'Hello World' on the page.

Step 7: Cleaning up CDK resources in AWS

Since we’re working with AWS CDK on top of AWS CloudFormation, all the resources created can easily be cleaned up: head to the ‘AWS Console CloudFormation’ dashboard, select the ‘HelloCdkStack’ stack and delete it.

Note: It will not delete the IAM Identity Provider and Role that you created manually, so head to the IAM Dashboard and delete those as well.

A screenshot of AWS Console CloudFormation page, highlighting the ‘HelloCdkStack’ Stack and delete button.

Learn more about deleting CloudFormation stacks with AWS here.

Conclusion

Using Bitbucket Pipelines with AWS via OIDC removes the need for static credentials, making deployments more secure and easier to manage. By following this step-by-step guide, you should now have a clearer understanding of how to set up a secure CDK deployment pipeline using short-lived, scoped permissions, providing a safer and more streamlined alternative to static credentials.

If you’re still using long-lived access keys in your CI/CD workflows, now’s the time to switch to OIDC for a safer and more modern approach.

What’s next?

Bitbucket offers Pipeline Pipes, which are pre-built deployment scripts that simplify setting up your Bitbucket Pipelines. In this Bitbucket project, you’ll find a variety of deployment recipes for AWS services like CloudFormation, ECS, ECR, S3, and more.

What You’ll Gain

By securing your AWS CDK deployments with Bitbucket Pipelines and OIDC, you’ll not only eliminate the risk of leaking long-lived credentials but you’ll also unlock a scalable, maintainable, and secure CI/CD workflow that grows with your team and your infrastructure.

Start building with confidence, knowing your deployments are fast, automated, and protected by modern best practices.

And if you’re ready to go even further, contact Cevo’s team of experts, so we can help you modernise and uplift your business through cutting-edge solutions in Migration, Modernisation, Data and AI/ML, ensuring your applications are built for scalability and long-term success.
