
DavidVCorbin-2313 asked ryanchill commented

Azure CI to BitBucket Deploy with Managed Identity

As the title says... Everything works when I use my identity... I log in, authenticate, setup tokens... all good.

But how to do this for a managed identity????

Tags: azure-ad-authentication, azure-webapps-content-deployment, azure-managed-identity

1 Answer

ryanchill answered ryanchill commented

Hi @DavidVCorbin-2313,

You can create a service principal, with the least set of privileges, with the following command, and use the JSON output for the secrets in your BitBucket YAML script.

az ad sp create-for-rbac --name "myAppDeployAuth" --role contributor \
                            --scopes /subscriptions/<subscription-id>/resourceGroups/<group-name>/providers/Microsoft.Web/sites/<app-name> \
                            --sdk-auth


EDIT: I came across https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/atlassian-cloud-tutorial and think this is what you're referring to. A system managed identity isn't going to work for this use case because only Azure services can use it. What I suggest is creating a user identity per the tutorial and assigning that user identity to your Azure resource. Another option you have is configuring a JWT token that your code running on Azure can use.


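As an added illustration of the point in the answer above, that a managed identity's tokens can only be consumed by Azure services (this is example code added here, not code from the original answer, from Microsoft, or from BitBucket): code running under a managed identity obtains tokens from the Azure Instance Metadata Service (IMDS), and every token carries an `aud` claim naming the Azure AD resource it was requested for. The IMDS address, the `Metadata: true` header and the `api-version` are the documented ones; the `fetch` injection point, the `fake_imds` stand-in, the unsigned demonstration token and the `<tenant-id>` placeholder are constructed for this example so it runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Documented, fixed address of the Azure Instance Metadata Service token endpoint.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_request(resource: str, client_id: Optional[str] = None) -> urllib.request.Request:
    """Build the request a managed identity sends to IMDS for a token.

    `resource` is the Azure AD application URI the token will be valid for
    (for example https://management.azure.com/ or https://vault.azure.net);
    it becomes the token's `aud` claim. `client_id` selects a user-assigned identity.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    # IMDS rejects requests without this header, which blocks SSRF-style
    # requests that cannot set arbitrary headers.
    return urllib.request.Request(url, headers={"Metadata": "true"})


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWS/JWT.

    Inspection only: the signature is NOT verified here. The relying party
    (an Azure service, in the managed-identity case) must verify it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_audience(token: str) -> str:
    return decode_jwt_claims(token)["aud"]


def acquire_managed_identity_token(
    resource: str,
    fetch: Optional[Callable[[urllib.request.Request], bytes]] = None,
    client_id: Optional[str] = None,
) -> Dict:
    """Ask IMDS for a token; `fetch` is injectable so the flow can be exercised offline."""
    request = build_imds_token_request(resource, client_id)
    if fetch is None:
        # Real IMDS, reachable only from inside an Azure host.
        fetch = lambda req: urllib.request.urlopen(req, timeout=5).read()
    return json.loads(fetch(request))


def usable_against(token: str, expected_audience: str) -> bool:
    """True only if the token was minted for `expected_audience`.

    A token whose `aud` is an Azure AD resource means nothing to a service
    outside Azure AD such as BitBucket, which is the limitation the answer describes.
    """
    return token_audience(token) == expected_audience


# ---- constructed stand-ins so the example runs without an Azure host ----

def make_unsigned_demo_token(audience: str) -> str:
    """Constructed, unsigned token for offline demonstration; real IMDS tokens are signed by Azure AD."""
    def b64url(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": audience, "iss": "https://sts.windows.net/<tenant-id>/", "idtyp": "app"}
    return f"{b64url(header)}.{b64url(claims)}."  # empty signature segment


def fake_imds(request: urllib.request.Request) -> bytes:
    """Constructed stand-in for IMDS: mints a token whose `aud` is the requested resource."""
    if request.get_header("Metadata") != "true":
        raise PermissionError("IMDS requires the 'Metadata: true' header")
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(request.full_url).query)
    resource = query["resource"][0]
    body = {"access_token": make_unsigned_demo_token(resource), "resource": resource, "token_type": "Bearer"}
    return json.dumps(body).encode()


if __name__ == "__main__":
    response = acquire_managed_identity_token("https://vault.azure.net", fetch=fake_imds)
    print("aud:", token_audience(response["access_token"]))
    print("usable against Key Vault:", usable_against(response["access_token"], "https://vault.azure.net"))
    print("usable against BitBucket:", usable_against(response["access_token"], "https://bitbucket.org"))
```

The `usable_against` check is the practical takeaway: whatever the managed identity obtains is addressed to an Azure AD resource, so BitBucket has no way to accept it, and the Azure-side identity has to be bridged to a BitBucket-side credential as the answer suggests.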

Sorry if I was not clear.... I am in an Azure environment.. I have code (e.g. a Logic Function) that is running under a managed identity.... How do I get that managed identity accepted by BitBucket, so that the correct tokens are created for the existing managed identity... The goal is to push code to BitBucket while authenticated under the managed identity.


Sorry @DavidVCorbin-2313, I'm still not clear on "pushing code from Azure into BitBucket". Can you provide further details on your use case? For instance, is the Logic App being used as a webhook to pull a repo and push it into BitBucket?


Code running in Azure, could be a logic app, or a VM or anything, but it is running under a common existing Managed Identity. This code needs to manipulate a repository which exists in BitBucket. Therefore the managed identity needs the same end result as an interactive user would normally get [aka register with BitBucket, set the requisite permissions (usually requires a dialog box to confirm the permissions that are being given), set the appropriate "sourcecontrols" token (for the Managed Identity)], so that it can seamlessly access BitBucket the exact same way a user identity would.

No webhooks, nothing, just switching something from running under MY identity, to the same thing running under an Azure Managed Identity.
