DEV Community: Mel Cadano The latest articles on DEV Community by Mel Cadano (@melcdn). https://dev.to/melcdn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3979145%2Fa4b8af47-0a31-4a71-96af-448e4c136534.png DEV Community: Mel Cadano https://dev.to/melcdn en Automate Python Package Releases: Semantic Release, AWS CodeArtifact, Poetry and Bitbucket Pipelines Mel Cadano Sun, 14 Jun 2026 15:15:32 +0000 https://dev.to/melcdn/automate-python-package-releases-semantic-release-aws-codeartifact-poetry-and-bitbucket-pipelines-95m https://dev.to/melcdn/automate-python-package-releases-semantic-release-aws-codeartifact-poetry-and-bitbucket-pipelines-95m <h2> Overview </h2> <p>Maintaining a private Python package shouldn't mean manually bumping versions, tagging commits, and pushing releases every time you ship a change. For a while, that's exactly what I was doing — editing pyproject.toml, running git tag, pushing, and hoping I didn't fat-finger the version number.</p> <p>In this article, we'll wire up a fully automated release pipeline for a <strong>private Python package</strong> using:</p> <ul> <li> <strong>Poetry</strong> — dependency management and packaging</li> <li> <strong>Python Semantic Release</strong> — automatic version bumps from commit messages</li> <li> <strong>Bitbucket Pipelines</strong> — CI/CD runner</li> <li> <strong>AWS CodeArtifact</strong> — private package registry</li> </ul> <p>By the end, every merge to main will automatically bump the version, generate a changelog, tag the commit, and publish to CodeArtifact — based purely on your commit messages.</p> <p><strong>Prerequisites</strong></p> <ul> <li>A <strong>Bitbucket</strong> account (workspace + repo creation rights)</li> <li>An <strong>AWS</strong> account (CodeArtifact access)</li> <li><strong>Python 3.11+</strong></li> </ul> <p><strong>Reference repository</strong><br> The complete sample code and starter files used throughout this article are available on this <strong>GitHub repository</strong>: [<a href="https://github.com/mel-cdn/playground-hub-python-shared" rel="noopener noreferrer">https://github.com/mel-cdn/playground-hub-python-shared</a>].</p> <h2> Step 1 — Initialize the Private Python Library Repository </h2> <p>We'll commit an initial v0.0.0 baseline so semantic-release has a starting point.</p> <blockquote> <p>💡 Already have an existing package with a version? Skip ahead and manually tag your current version, then push the tag to origin. See <strong>[Step 1.7]</strong>.</p> </blockquote> <h3> 1.1 Create an empty Bitbucket repository </h3> <p>[<a href="https://bitbucket.org/%5Byour-workspace%5D/workspace/create/repository" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/workspace/create/repository</a>]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftt8ji1tedkiavpfi0axe.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftt8ji1tedkiavpfi0axe.png" alt="Create an empty repository" width="613" height="859"></a></p> <h3> 1.2 Clone it locally </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>git clone git@bitbucket.org:[your-workspace]/phub-python-shared.git Cloning into <span class="s1">'phub-python-shared'</span>... warning: You appear to have cloned an empty repository. </code></pre> </div> <h3> 1.3 Add the initial files </h3> <p>You can check out the <code>initial-files</code> branch of the <strong>Reference Repository</strong>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>phub-python-shared ├─ phub_python_shared/ # The package source │ ├── __init__ │ ├── unique_id.py ├─ tests/ # Unit tests files │ ├── __init__ │ ├── test_unique_id.py ├─ .gitignore ├─ poetry.lock # The snapshot of the package versions ├─ pyproject.toml # The package build configuration ├─ README.md # The manual </code></pre> </div> <h3> 1.4 Configure <code>pyproject.toml</code> </h3> <p>Let's walk through the relevant sections.</p> <p><strong>Project metadata</strong> — note the initial version is <code>0.0.0</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># -----------------------------</span> <span class="c"># Project Metadata</span> <span class="c"># -----------------------------</span> <span class="nn">[project]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"phub-python-shared"</span> <span class="py">version</span> <span class="p">=</span> <span class="s">"0.0.0"</span> <span class="py">description</span> <span class="p">=</span> <span class="s">"Python Shared Utilities for Playground Hub"</span> <span class="py">readme</span> <span class="o">=</span> <span class="p">{</span> <span class="py">file</span> <span class="p">=</span> <span class="s">"README.md"</span><span class="p">,</span> <span class="py">content-type</span> <span class="p">=</span> <span class="s">"text/markdown"</span> <span class="p">}</span> <span class="py">authors</span> <span class="p">=</span> <span class="p">[</span> <span class="err">{</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"Mel Cadano"</span><span class="p">,</span> <span class="py">email</span> <span class="p">=</span> <span class="s">"mel.cdn@outlook.ph"</span> <span class="err">}</span> <span class="p">]</span> </code></pre> </div> <p><strong>Build system &amp; dependencies</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># -----------------------------</span> <span class="c"># Build system</span> <span class="c"># -----------------------------</span> <span class="nn">[build-system]</span> <span class="py">requires</span> <span class="p">=</span> <span class="py">["poetry-core&gt;</span><span class="p">=</span><span class="mf">1.0</span><span class="err">.</span><span class="mi">0</span><span class="s">"]</span><span class="err"> </span><span class="py">build-backend</span> <span class="p">=</span> <span class="s">"poetry.core.masonry.api"</span> <span class="nn">[[tool.poetry.source]]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"PyPI"</span> <span class="py">priority</span> <span class="p">=</span> <span class="s">"primary"</span> <span class="c"># -----------------------------</span> <span class="c"># Project Dependencies</span> <span class="c"># -----------------------------</span> <span class="nn">[tool.poetry.dependencies]</span> <span class="py">python</span> <span class="p">=</span> <span class="py">"&gt;</span><span class="p">=</span><span class="mf">3.11</span><span class="p">,</span><span class="err">&lt;</span><span class="mf">3.13</span><span class="py">" ulid = "</span><span class="p">=</span><span class="err">=</span><span class="mf">1.1</span><span class="py">" # ----------------------------- # Dev Dependencies # ----------------------------- [tool.poetry.group.dev.dependencies] pytest = "</span><span class="p">=</span><span class="err">=</span><span class="mf">9.0</span><span class="err">.</span><span class="mi">3</span><span class="py">" python-semantic-release = "</span><span class="p">=</span><span class="err">=</span><span class="mf">10.5</span><span class="err">.</span><span class="mi">3</span><span class="s">"</span><span class="err"> </span></code></pre> </div> <p><strong>Semantic Release configuration</strong> — this tells <code>semantic-release</code> to target <strong>Bitbucket</strong>, write a <code>CHANGELOG.md</code>, and keep the version in <code>pyproject.toml</code> in sync:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># -----------------------------</span> <span class="c"># Semantic Release Configuration</span> <span class="c"># -----------------------------</span> <span class="nn">[tool.semantic_release]</span> <span class="c"># Commit Configurations</span> <span class="py">vcs</span> <span class="p">=</span> <span class="s">"bitbucket"</span> <span class="py">branch</span> <span class="p">=</span> <span class="s">"main"</span> <span class="py">allow_zero_version</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">changelog_file</span> <span class="p">=</span> <span class="s">"CHANGELOG.md"</span> <span class="py">commit_message</span> <span class="p">=</span> <span class="s">"✨ Bump to version {version} [skip ci]"</span> <span class="py">commit_parser</span> <span class="p">=</span> <span class="s">"conventional"</span> <span class="py">tag_format</span> <span class="p">=</span> <span class="s">"v{version}"</span> <span class="c"># For the CHANGELOG.MD builder</span> <span class="py">repository_author</span> <span class="p">=</span> <span class="s">"mello-world"</span> <span class="py">repository_name</span> <span class="p">=</span> <span class="s">"phub-python-shared"</span> <span class="py">version_toml</span> <span class="p">=</span> <span class="p">[</span> <span class="s">"pyproject.toml:project.version"</span><span class="p">,</span> <span class="p">]</span> <span class="nn">[tool.semantic_release.remote]</span> <span class="py">name</span> <span class="p">=</span> <span class="s">"origin"</span> <span class="py">type</span> <span class="p">=</span> <span class="s">"bitbucket"</span> </code></pre> </div> <p><strong>Commit-message → version bump mapping</strong>. Semantic-release reads your commit messages to decide what the next version will be:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># For Version Tagging</span> <span class="nn">[tool.semantic_release.commit_parser_options]</span> <span class="py">patch_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s">"fix"</span><span class="p">,</span> <span class="s">"chore"</span><span class="p">,</span> <span class="s">"docs"</span><span class="p">,</span> <span class="s">"style"</span><span class="p">,</span> <span class="s">"refactor"</span><span class="p">,</span> <span class="s">"test"</span><span class="p">]</span> <span class="py">minor_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s">"feat"</span><span class="p">]</span> <span class="py">major_tags</span> <span class="p">=</span> <span class="p">[</span><span class="s">"feat!"</span><span class="p">]</span> </code></pre> </div> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Commit prefix</th> <th>Bump type</th> <th>Example</th> </tr> </thead> <tbody> <tr> <td> <code>fix:</code>, <code>chore:</code>, <code>docs:</code>, <code>style:</code>, <code>refactor:</code>, <code>test:</code> </td> <td>Patch (0.0.X)</td> <td><code>fix: handle empty input</code></td> </tr> <tr> <td><code>feat:</code></td> <td>Minor (0.X.0)</td> <td><code>feat: add ULID generator</code></td> </tr> <tr> <td><code>feat!:</code></td> <td>Major (X.0.0)</td> <td><code>feat!: drop Python 3.10 support</code></td> </tr> </tbody> </table></div> <h3> 1.5 Now let's commit these as starter files. </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git commit <span class="nt">-a</span> <span class="nt">-m</span> <span class="s2">"Add initial files"</span> </code></pre> </div> <h3> 1.6 Install the package and run a local version bump </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>pip <span class="nb">install </span>poetry <span class="nv">$ </span><span class="nb">eval</span> <span class="si">$(</span>poetry <span class="nb">env </span>activate<span class="si">)</span> <span class="nv">$ </span>poetry <span class="nb">install</span> <span class="nt">--no-root</span> <span class="nv">$ </span>semantic-release version </code></pre> </div> <p>You'll see something like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>01:36:15] WARNING Token value is missing! config.py:782 0.0.0 The next version is: 0.0.0! 🚀 WARNING:root:[Errno 2] No such file or directory: <span class="s1">'.../phub-python-shared/CHANGELOG.md'</span> No build <span class="nb">command </span>specified, skipping ::ERROR:: Requested to use token but no token set. Run semantic-release <span class="k">in </span>very verbose mode <span class="o">(</span><span class="nt">-vv</span><span class="o">)</span> to see the full traceback. </code></pre> </div> <blockquote> <p>ℹ️ The "Token value is missing" error is expected locally — pushing to the remote requires a token, which we'll configure later in Bitbucket Pipelines. The local tag and changelog are still created.</p> </blockquote> <p>Since there's no <code>feat/fix</code> commit yet, the version doesn't bump — but because the <code>v0.0.0</code> tag didn't exist, semantic-release creates one matching the current version:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>git tag <span class="nt">--list</span> v0.0.0 </code></pre> </div> <p>Checking your git log, you should also see a <strong>Bump version</strong> commit authored by <code>semantic-release</code>, along with an initial <code>CHANGELOG.md</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj7to0nmrgbq5rk2vw7dx.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj7to0nmrgbq5rk2vw7dx.png" alt="First version bump" width="677" height="127"></a></p> <p><code>CHANGELOG.md</code><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># CHANGELOG &lt;!-- version list --&gt; ## v0.0.0 (2026-06-14) - Initial Release </code></pre> </div> <h3> 1.7 Push <code>main</code> and the <code>v0.0.0</code> tag to origin </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">$ </span>git push origin main <span class="nv">$ </span>git push origin tag v0.0.0 </code></pre> </div> <p>✅ Confirm in Bitbucket that the <code>main</code> branch and the <code>v0.0.0</code> tag are both present.<br> [<a href="https://bitbucket.org/%5Byour-workspace%5D/phub-python-shared/commits/branch/main" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/phub-python-shared/commits/branch/main</a>]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foqbgah6gthyr3xcvxqx1.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foqbgah6gthyr3xcvxqx1.png" alt="Repository main branch" width="799" height="246"></a></p> <p>[<a href="https://bitbucket.org/%5Byour-workspace%5D/phub-python-shared/commits/tag/v0.0.0" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/phub-python-shared/commits/tag/v0.0.0</a>]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4grmqg2ji0hyrd8ejt0.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4grmqg2ji0hyrd8ejt0.png" alt="Repository tag v0.0.0" width="800" height="247"></a></p> <h2> Step 2 — Automate the Bump in Bitbucket Pipelines </h2> <p>Now that local bumping works, let's move the tagging into Bitbucket Pipelines so every merge to main is versioned automatically.</p> <h3> 2.1 Create a Bitbucket access token (bot) </h3> <p>Semantic-release needs to <strong>push commits and tags back to main</strong>, which the default <code>$BITBUCKET_*</code> pipeline credentials can't do. Create a dedicated bot token:<br> [<a href="https://bitbucket.org/%5Byour-workspace%5D/phub-python-shared/admin/access-tokens" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/phub-python-shared/admin/access-tokens</a>]</p> <ol> <li>Go to <strong>Repository settings → Security → Access tokens → Create access Token</strong>.</li> <li>Name it something like <code>Version Crafter</code>.</li> <li>Grant the following scopes: <code>repository:write</code>. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31euq25ksguhz5zzpplo.png" alt="Create access token" width="600" height="701"> </li> <li>Copy the <strong>generated token</strong> and <strong>email</strong>. <img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2995zs9ejipf7fdli5qo.png" alt="Created access token configuration" width="602" height="841"> </li> </ol> <h3> 2.2 Update the <code>pyproject.toml</code>. </h3> <p>Wire up the bot identity so <strong>semantic-release</strong> can sign commits and push tags on your behalf. Use the <strong>access token name</strong> and <strong>email</strong> from the previous step as the <code>commit_author</code>.</p> <p>Add the <code>commit_author</code> line to your <code>pyproject.toml</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="c"># -----------------------------</span> <span class="c"># Semantic Release Configuration</span> <span class="c"># -----------------------------</span> <span class="nn">[tool.semantic_release]</span> <span class="c"># Commit Configurations</span> <span class="py">vcs</span> <span class="p">=</span> <span class="s">"bitbucket"</span> <span class="py">branch</span> <span class="p">=</span> <span class="s">"main"</span> <span class="py">allow_zero_version</span> <span class="p">=</span> <span class="kc">true</span> <span class="py">changelog_file</span> <span class="p">=</span> <span class="s">"CHANGELOG.md"</span> <span class="py">commit_author</span> <span class="p">=</span> <span class="s">"Version Crafter &lt;y1qvnblznuaapeboc86b0w62qhkuj0@bots.bitbucket.org&gt;"</span> <span class="py">commit_message</span> <span class="p">=</span> <span class="s">"✨ Bump to version {version} [skip ci]"</span> <span class="py">commit_parser</span> <span class="p">=</span> <span class="s">"conventional"</span> <span class="py">tag_format</span> <span class="p">=</span> <span class="s">"v{version}"</span> </code></pre> </div> <h3> 2.3 Update the Repository Variables for the Pipeline </h3> <p>[<a href="https://bitbucket.org/%5Byour-workspace%5D/phub-python-shared/admin/pipelines/repository-variables" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/phub-python-shared/admin/pipelines/repository-variables</a>]</p> <blockquote> <p>🛠️ You need to <strong>enable pipelines</strong> first to be able to add <strong>repository variables</strong>.</p> </blockquote> <p>In <strong>Repository settings → Repository variables</strong>, add:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Variable</th> <th>Value</th> <th>Secured</th> </tr> </thead> <tbody> <tr> <td><code>BITBUCKET_BOT_TOKEN</code></td> <td>(the access token)</td> <td><strong>Yes</strong></td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftu824ijbtaygz9pdhrvv.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftu824ijbtaygz9pdhrvv.png" alt="New variable added" width="800" height="366"></a></p> <h3> 2.4 Add the initial <code>bitbucket-pipelines.yml</code> </h3> <p>Create a <code>bitbucket-pipelines.yml</code> at the repo root with two steps:</p> <ol> <li> <strong>Unit Tests</strong> </li> <li> <strong>Bump Version</strong> - using <code>BITBUCKET_BOT_TOKEN</code> to push the next tag.</li> </ol> <p>The pipeline has two steps. unit tests and bump version. bump version will use <code>BITBUCKET_BOT_TOKEN</code> so it can push the next tag<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">python:3.12</span> <span class="na">definitions</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nl">&amp;lint-and-tests</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Unit Tests</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pip install poetry</span> <span class="pi">-</span> <span class="s">poetry install --no-root</span> <span class="pi">-</span> <span class="s">poetry run python -m pytest</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nl">&amp;bump-version</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Bump Version</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pip install python-semantic-release==10.5.3</span> <span class="pi">-</span> <span class="s">export BITBUCKET_TOKEN=$BITBUCKET_BOT_TOKEN</span> <span class="pi">-</span> <span class="s">git remote set-url origin "https://x-token-auth:${BITBUCKET_TOKEN}@bitbucket.org/${BITBUCKET_REPO_FULL_NAME}.git"</span> <span class="pi">-</span> <span class="s">PYTHONPATH="${PWD}" semantic-release version</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="c1"># Runs when code hits the main branch</span> <span class="na">branches</span><span class="pi">:</span> <span class="na">main</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nv">*lint-and-tests</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nv">*bump-version</span> </code></pre> </div> <h3> 2.5 Commit, push, and validate the pipeline </h3> <p>With <code>pyproject.toml</code> and <code>bitbucket-pipelines.yml</code> in place, commit both files and push to <code>main</code>.<br> We'll use a <code>chore</code> commit type — this is an intentional change that <code>semantic-release</code> will detect and bump to the first real version.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add pyproject.toml bitbucket-pipelines.yml git commit <span class="nt">-m</span> <span class="s2">"chore: Configure package build and pipeline configuration"</span> git push origin main </code></pre> </div> <p>Head over to <strong>Pipelines</strong> in your Bitbucket repository to watch the first run:</p> <p>[<a href="https://bitbucket.org/%5Byour-workspace%5D/phub-python-shared/pipelines" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/phub-python-shared/pipelines</a>]</p> <p><strong>Pipeline Overview</strong><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fro2a1vjmc2jpvskrhhb4.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fro2a1vjmc2jpvskrhhb4.png" alt="First pipeline" width="800" height="195"></a></p> <p><strong>Pipeline Steps</strong><br> Verify that the <strong>bump version</strong> step completes successfully and bumps the version to <code>v0.0.1</code>:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5eml1mbuvkqyc6pir94.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg5eml1mbuvkqyc6pir94.png" alt="Pipeline steps" width="799" height="360"></a></p> <p>Finally, confirm in Bitbucket that:</p> <ul> <li>✅ The <code>main</code> branch now contains the automated bump commit.</li> <li>✅ The new <code>v0.0.1</code> tag is present.</li> <li>✅ The bot account - <code>Version Crafter</code> is the author of the commit instead of the default <code>semantic-release</code>.</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwlswsk2edpp23b1mqhhb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwlswsk2edpp23b1mqhhb.png" alt="Repository main branch" width="800" height="279"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4h3cx1hjm14ir7dw6ex7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4h3cx1hjm14ir7dw6ex7.png" alt="Repository tag v0.0.1" width="800" height="282"></a></p> <h2> Step 3 — Automate the Push to AWS CodeArtifact </h2> <p>With versioning automated, the last piece is <strong>publishing the built wheel to a private registry</strong>.</p> <h3> 3.1 Create the CodeArtifact domain &amp; repository </h3> <p>In the AWS Console, go to <strong>CodeArtifact → Domains → Create domain</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhfq8etvepf26mmelay3f.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fhfq8etvepf26mmelay3f.png" alt="Create a CodeArtifact domain" width="800" height="614"></a></p> <p>Then create a repository inside that domain. You can leave the upstream as <code>pypi-store</code> so missing public dependencies are proxied transparently.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2m43o96ozo5ijd3g3ci.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2m43o96ozo5ijd3g3ci.png" alt="Create a CodeArtifact repository" width="799" height="534"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftq4r79lf41pmtla7km75.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftq4r79lf41pmtla7km75.png" alt="Created an empty repository" width="800" height="280"></a></p> <h3> 3.2 Create a deployer IAM user </h3> <p>The pipeline needs AWS credentials to push to CodeArtifact. Create a dedicated IAM user for it.</p> <blockquote> <p>🧠 For simplicity, we'll use an IAM user with access keys. If you'd rather use short-lived credentials via OIDC (recommended for production), follow this guide instead: <a href="https://dev.to/melcdn/bitbucket-pipelines-for-aws-using-openid-connect-oidc-3oi5">Bitbucket → AWS OIDC setup</a>.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feegyjp133kwetxua28io.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Feegyjp133kwetxua28io.png" alt="Creating the IAM user deployer" width="799" height="458"></a></p> <blockquote> <p>🔐 Attached <strong>AWS-managed policy</strong> is <code>PowerUserAccess</code> for a quick setup. For <strong>production</strong>, you can use below in-line policy to restrict to the <strong>least privilege required</strong> (recommended).<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"codeartifact:GetAuthorizationToken"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codeartifact:GetRepositoryEndpoint"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codeartifact:ReadFromRepository"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codeartifact:PublishPackageVersion"</span><span class="p">,</span><span class="w"> </span><span class="s2">"codeartifact:PutPackageMetadata"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:GetServiceBearerToken"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"sts:AWSServiceName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"codeartifact.amazonaws.com"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> 3.3 Generate an access key </h3> <p>After creating the IAM user, On the user's <strong>Security credentials</strong> tab, click <strong>Create access key</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffbhf2gsfd8421z29jsr5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffbhf2gsfd8421z29jsr5.png" alt="Create IAM user access key" width="800" height="284"></a></p> <p>Copy both the <strong>Access key ID</strong> and <strong>Secret access key</strong> — the secret is shown only once.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuc9bcmfal6sso8n6ye0b.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuc9bcmfal6sso8n6ye0b.png" alt="Auto-generated access keys" width="799" height="423"></a></p> <h3> 3.4 Update the repository variables for the pipeline </h3> <p>[<a href="https://bitbucket.org/%5Byour-workspace%5D/phub-python-shared/admin/pipelines/repository-variables" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/phub-python-shared/admin/pipelines/repository-variables</a>]</p> <p>Add the <strong>AWS</strong> keys and values:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Variable</th> <th>Value</th> <th>Secured</th> </tr> </thead> <tbody> <tr> <td><code>AWS_ACCOUNT_ID</code></td> <td>(13 digit AWS account number)</td> <td><strong>Yes</strong></td> </tr> <tr> <td><code>AWS_DEFAULT_REGION</code></td> <td>(AWS region)</td> <td><strong>No</strong></td> </tr> <tr> <td><code>AWS_ACCESS_KEY_ID</code></td> <td>(IAM user access key)</td> <td><strong>Yes</strong></td> </tr> <tr> <td><code>AWS_SECRET_ACCESS_KEY</code></td> <td>(IAM user secret access key)</td> <td><strong>Yes</strong></td> </tr> </tbody> </table></div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk35shwuw8cmxs3coy0k.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fuk35shwuw8cmxs3coy0k.png" alt="Updated repository variables with AWS configurations" width="800" height="504"></a></p> <h3> 3.5 Add the Publish step to pipeline configuration </h3> <p>Pull the latest commits and tags from your remote origin:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git pull origin main </code></pre> </div> <p>Add the <code>publish</code> step to <code>bitbucket-pipelines.yml</code> and update with the following workflow rules:</p> <ul> <li> <code>lint-and-test</code>: Runs on all feature branches, excluding <code>main</code>, to validate code before merging.</li> <li> <code>bump-version</code>: Runs strictly on <code>main</code> branch to handle automated versioning and tagging.</li> <li> <code>publish</code>: Triggers only when a new tag is pushed, building and uploading the package to <strong>AWS CodeArtifact</strong>.</li> </ul> <p>Updated <code>bitbucket-pipelines.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">python:3.12</span> <span class="na">definitions</span><span class="pi">:</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nl">&amp;lint-and-tests</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Unit Tests</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pip install poetry</span> <span class="pi">-</span> <span class="s">poetry install --no-root</span> <span class="pi">-</span> <span class="s">poetry run python -m pytest</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nl">&amp;bump-version</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Bump Version</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pip install python-semantic-release==10.5.3</span> <span class="pi">-</span> <span class="s">export BITBUCKET_TOKEN=$BITBUCKET_CI_TOKEN</span> <span class="pi">-</span> <span class="s">git remote set-url origin "https://x-token-auth:${BITBUCKET_TOKEN}@bitbucket.org/${BITBUCKET_REPO_FULL_NAME}.git"</span> <span class="pi">-</span> <span class="s">PYTHONPATH="${PWD}" semantic-release version</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nl">&amp;publish</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Publish to CodeArtifact</span> <span class="na">script</span><span class="pi">:</span> <span class="c1"># Install dependencies</span> <span class="pi">-</span> <span class="s">apt-get update -qq &amp;&amp; apt-get install -y -qq jq</span> <span class="pi">-</span> <span class="s">pip install awscli==1.45.25 poetry==2.4.1</span> <span class="c1"># Preparing CodeArtifact repository</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">AUTH_TOKEN=$(</span> <span class="s">aws codeartifact get-authorization-token \</span> <span class="s">--domain "playground-hub" \</span> <span class="s">--domain-owner $AWS_ACCOUNT_ID \</span> <span class="s">--region $AWS_DEFAULT_REGION \</span> <span class="s">--query 'authorizationToken' \</span> <span class="s">--output text</span> <span class="s">) </span> <span class="s">REPO_URL=$(</span> <span class="s">aws codeartifact get-repository-endpoint \</span> <span class="s">--domain "playground-hub" \</span> <span class="s">--domain-owner $AWS_ACCOUNT_ID \</span> <span class="s">--region $AWS_DEFAULT_REGION \</span> <span class="s">--repository "phub-python-shared" \</span> <span class="s">--format pypi \</span> <span class="s">--query 'repositoryEndpoint' \</span> <span class="s">--output text</span> <span class="s">)</span> <span class="c1"># Building and push package</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">poetry build</span> <span class="s">poetry config repositories.phub-python-shared "$REPO_URL"</span> <span class="s">poetry config http-basic.phub-python-shared aws "$AUTH_TOKEN"</span> <span class="s">poetry publish -r phub-python-shared</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="c1"># A. Runs on every branch EXCEPT main</span> <span class="na">default</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nv">*lint-and-tests</span> <span class="c1"># B. Runs ONLY when code hits the main branch</span> <span class="na">branches</span><span class="pi">:</span> <span class="na">main</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nv">*bump-version</span> <span class="c1"># C. Runs ONLY when there's a new tag with vX.X.X format</span> <span class="na">tags</span><span class="pi">:</span> <span class="s1">'</span><span class="s">v*.*.*'</span><span class="err">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="nv">*publish</span> </code></pre> </div> <h3> 3.6 Commit and push to Publish </h3> <p>We'll intentionally use <code>feat</code> commit type to trigger the bumping of the feature identifier<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add bitbucket-pipelines.yml git commit <span class="nt">-m</span> <span class="s2">"feat: Add publish AWS CodeArtifact publish step on tags"</span> git push origin main </code></pre> </div> <p>Head over again to <strong>Pipelines</strong> in your Bitbucket repository:</p> <p>[<a href="https://bitbucket.org/%5Byour-workspace%5D/phub-python-shared/pipelines" rel="noopener noreferrer">https://bitbucket.org/[your-workspace]/phub-python-shared/pipelines</a>]</p> <h3> 3.7 Validate the publish </h3> <p>Once the <code>main</code> branch pipeline completes, the <strong>automated version bump</strong> kicks off the tag trigger.<br> The pipeline will automatically run the <strong>publish</strong> step immediately after the version tag (<code>v0.1.0</code>) is generated:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F240ahthzk5bccswkyaub.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F240ahthzk5bccswkyaub.png" alt="Publish after version bump" width="799" height="297"></a><br> <a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmqs3ux22k3bd3n84ngwk.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmqs3ux22k3bd3n84ngwk.png" alt="Publish successful" width="800" height="229"></a></p> <p>Finally, log into your <strong>AWS Console</strong> and navigate to <strong>AWS CodeArtifact</strong> to verify that your new package version is available in the repository:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4zhkwe9xiykx4031njeb.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F4zhkwe9xiykx4031njeb.png" alt="AWS CodeArtifact" width="800" height="390"></a></p> <h2> Conclusion </h2> <p>And that's it! You have successfully configured an automated Python package versioning and publishing pipeline using <strong>Bitbucket Pipelines</strong> and <strong>AWS CodeArtifact</strong>.</p> <p>In a future article, I will cover how to easily pull down and consume this package as a standard library inside your Python applications.</p> <p>Salamat po 🇵🇭</p> codeartifact python bitbucket poetry Bitbucket Pipelines for AWS using OpenID Connect (OIDC) Mel Cadano Sun, 14 Jun 2026 15:13:32 +0000 https://dev.to/melcdn/bitbucket-pipelines-for-aws-using-openid-connect-oidc-3oi5 https://dev.to/melcdn/bitbucket-pipelines-for-aws-using-openid-connect-oidc-3oi5 <h2> Overview </h2> <p>Storing permanent AWS Access Keys (<code>AWS_ACCESS_KEY_ID</code> and <code>AWS_SECRET_ACCESS_KEY</code>) in your CI/CD variables introduces significant security risks. <strong>OpenID Connect (OIDC)</strong> solves this by establishing a direct trust relationship between Bitbucket and AWS.</p> <p>To keep things clean, we will walk through creating a fresh Bitbucket repository to isolate and test this OIDC connection easily. Once this foundation is built, you can mirror the exact same pipeline configuration to securely handshake with AWS across any of your other repositories!</p> <p><strong>Prerequisites</strong></p> <ul> <li> <strong>Bitbucket Account</strong>: Permissions to create a workspace and a repository.</li> <li> <strong>AWS Account</strong>: Administrative or IAM management access to create Identity Providers and Roles.</li> </ul> <h2> Step 1 — Initialize a Bitbucket Repository </h2> <p><strong>1.1 -</strong> Create a new repository for testing the OIDC connection.<br> For this guide, I will use: <code>phub-oidc-check</code></p> <p><strong>1.2 -</strong> Head over to OIDC information of your repository:<br> [<a href="https://bitbucket.org/%5Bworkspace-name%5D/phub-oidc-check/admin/pipelines/openid-connect" rel="noopener noreferrer">https://bitbucket.org/[workspace-name]/phub-oidc-check/admin/pipelines/openid-connect</a>]</p> <p><strong>1.3 -</strong> Secure the <code>Identity provider URL</code> and <code>Audience</code></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kjprw1mq3oi6sixbapz.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F0kjprw1mq3oi6sixbapz.png" alt="OpenID Connect" width="800" height="406"></a></p> <h2> Step 2 — Configure the Identity Provider in AWS </h2> <p><strong>2.1 -</strong> Navigate to the <strong>IAM Console &gt; Identity Providers &gt; Add Provider</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvi4af4933ianod8fxrmd.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fvi4af4933ianod8fxrmd.png" alt="Add Identity Provider" width="800" height="506"></a></p> <h2> Step 3 — Create the IAM Role for Bitbucket </h2> <p><strong>3.1 -</strong> In the <strong>IAM Console</strong>, go to <strong>Roles &gt; Create Role</strong>.<br> <strong>3.2 -</strong> Select Custom Trust Policy and paste the following JSON setup:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowBitbucket"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Federated"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:oidc-provider/api.bitbucket.org/2.0/workspaces/&lt;WORKSPACE_NAME&gt;/pipelines-config/identity/oidc"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sts:AssumeRoleWithWebIdentity"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"api.bitbucket.org/2.0/workspaces/&lt;WORKSPACE_NAME&gt;/pipelines-config/identity/oidc:aud"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ari:cloud:bitbucket::workspace/&lt;WORKSPACE_UUID&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>3.3 -</strong> Attach <strong>AWS-managed policy</strong> is <code>PowerUserAccess</code> for a quick setup. For <strong>production</strong>, you can use below in-line policy to restrict to the <strong>least privilege required</strong> (recommended).<br> <strong>3.4 -</strong> Name the role (e.g., <code>bitbucket-pipeline-oidc-role</code>) and copy its ARN.</p> <h2> Step 4 — Enable OIDC in Bitbucket Pipelines </h2> <p>Enable Bitbucket to generate the OIDC token (Repository Variables config) and update your pipeline script.<br> [<a href="https://bitbucket.org/%5Bworkspace-name%5D/phub-oidc-check/admin/pipelines/repository-variables" rel="noopener noreferrer">https://bitbucket.org/[workspace-name]/phub-oidc-check/admin/pipelines/repository-variables</a>]</p> <p><strong>4.1 -</strong> In your Bitbucket Repository settings, go to Pipelines &gt; Repository variables and add the <code>AWS_OIDC_ROLE_ARN</code> and <code>AWS_DEFAULT_REGION</code>.</p> <blockquote> <p>🛠️ You need to <strong>enable pipelines</strong> first to be able to add <strong>repository variables</strong>.</p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fie89k3v3w2lxqr82cm8x.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fie89k3v3w2lxqr82cm8x.png" alt="Repository variables" width="800" height="360"></a></p> <p><strong>4.2 -</strong> Add the <strong>bitbucket-pipelines.yml</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">image</span><span class="pi">:</span> <span class="s">amazon/aws-cli:latest</span> <span class="na">pipelines</span><span class="pi">:</span> <span class="na">custom</span><span class="pi">:</span> <span class="na">test-aws-oidc</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">step</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Test AWS OIDC Connection</span> <span class="na">oidc</span><span class="pi">:</span> <span class="kc">true</span> <span class="c1"># Very Important</span> <span class="na">script</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">yum install -y jq</span> <span class="c1"># Handshake with AWS IAM using OIDC token</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">ASSUME_ROLE_JSON=$(aws sts assume-role-with-web-identity \</span> <span class="s">--role-arn "$AWS_OIDC_ROLE_ARN" \</span> <span class="s">--role-session-name "BitbucketTestSession" \</span> <span class="s">--web-identity-token "$BITBUCKET_STEP_OIDC_TOKEN" \</span> <span class="s">--output json) </span> <span class="c1"># Activating session</span> <span class="pi">-</span> <span class="pi">|</span> <span class="s">export AWS_ACCESS_KEY_ID=$(echo "$ASSUME_ROLE_JSON" | jq -r '.Credentials.AccessKeyId')</span> <span class="s">export AWS_SECRET_ACCESS_KEY=$(echo "$ASSUME_ROLE_JSON" | jq -r '.Credentials.SecretAccessKey')</span> <span class="s">export AWS_SESSION_TOKEN=$(echo "$ASSUME_ROLE_JSON" | jq -r '.Credentials.SessionToken')</span> <span class="c1"># Verify the activated role</span> <span class="pi">-</span> <span class="s">aws sts get-caller-identity</span> </code></pre> </div> <p><strong>4.3 -</strong> Commit, push and validate the pipeline.<br> Push the <code>bitbucket-pipelines.yml</code> to repository.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git add bitbucket-pipelines.yml git commit <span class="nt">-m</span> <span class="s2">"ci: Add pipeline configuration"</span> git push origin main </code></pre> </div> <p>Head over to pipelines and trigger the custom pipeline manually.<br> [<a href="https://bitbucket.org/%5Bworkspace-name%5D/phub-oidc-check/pipelines" rel="noopener noreferrer">https://bitbucket.org/[workspace-name]/phub-oidc-check/pipelines</a>]</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81gy8f2ztdxfwgyxrnsl.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F81gy8f2ztdxfwgyxrnsl.png" alt="Run custom pipeline" width="600" height="279"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpbphskecvsddpl0wxniy.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpbphskecvsddpl0wxniy.png" alt="Running pipeline" width="800" height="237"></a></p> <p>Finally, check the <code>aws sts get-caller-identity</code> sub step you should see the familiar <strong>OIDC role ARN</strong>.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2lz7bavtco54d2gkj8w.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fw2lz7bavtco54d2gkj8w.png" alt="AWS STS" width="800" height="304"></a></p> <h2> Conclusion </h2> <p>By switching to OpenID Connect (OIDC), you have successfully eliminated long-lived, high-risk AWS credentials from your Bitbucket environment. Your pipeline now handles deployments using secure, short-lived tokens that rotate automatically with every single run.</p> <p>Safe deploying! 🚀</p> <p>If you are interested in deploying pipelines like this, you may check out my companion guide: <a href="https://dev.to/melcdn/automate-python-package-releases-semantic-release-aws-codeartifact-poetry-and-bitbucket-pipelines-95m">Automating Python Package Releases to AWS CodeArtifact via Bitbucket Pipelines</a>. In that article, we build right on top of this setup to configure automated version bumping, tagging, and secure package distribution.</p> <p>Salamat po 🇵🇭</p> bitbucket aws oidc cicd