Introducing the Conjur Bitbucket Pipe

Introduction

At CyberArk, we’re always trying to find ways to make it easier for developers to securely manage secrets wherever their code runs. That’s why we’re excited to introduce the Conjur Bitbucket Pipe! This integration allows CI pipelines that run in Bitbucket Cloud to easily retrieve secrets from Conjur for use in their builds and deployments.

What is the Conjur Bitbucket Pipe?

The Conjur Bitbucket Pipe is a new integration that allows you to connect your Bitbucket Cloud pipelines to Conjur. It works by authenticating with Conjur using the Bitbucket secure OIDC token, which means there’s no need to store any Conjur credentials in your Bitbucket repository. This reduces the risk of credential exposure and simplifies secret management, allowing teams to focus on delivering code without worrying about managing or rotating sensitive credentials. The integration provides a simple way to retrieve secret values stored in Conjur OSS, Conjur Enterprise, or Conjur Cloud so they can be used by your CI/CD pipelines.

How can I use it?

Pre-requisites

To use the Conjur Bitbucket Pipe, you need to have:

• A Bitbucket Cloud account
• A Bitbucket repository with a pipeline configured
• A Conjur OSS, Conjur Enterprise, or Conjur Cloud account

Configure Authentication

Before you can use the pipe, you need to configure authentication between Bitbucket and Conjur. This is done by creating a Conjur policy that allows the Bitbucket pipeline to authenticate using the OIDC token. Here’s an example:

# Create the authenticator 

- !policy 

  id: conjur/authn-jwt/bitbucket 

  body: 

    - !webservice 

    - !variable provider-uri 

    - !variable token-app-property 

    - !variable identity-path 
   
    - !group authenticatable 

    - !permit 

      role: !group authenticatable 

      privilege: [ read, authenticate ] 

      resource: !webservice 

# Create hosts for your Bitbucket pipelines 

- !policy 

  id: bitbucket-pipelines 

  body: 

    - !group 

    - &hosts 

      - !host 

# Replace this with your repositoryUuid. You must include the curly braces and double quotes! 

        id: "{<bitbucket-repository-uuid>}"

        annotations: 

          authn-jwt/bitbucket/repositoryUuid: "{<bitbucket-repository-uuid>}" # Replace this as well 

# Add more hosts here for other Bitbucket repositories if needed 
  
     - !grant 

      role: !group 

      members: *hosts 

# Create some secrets for the pipelines to use 

    - &variables 

      - !variable username 

      - !variable password 
  
# Allow the pipelines to read the variables 

    - !permit 

      role: !group 

      privilege: [ read, execute ] 

      resource: *variables 

# Add the pipelines to the group that can authenticate using authn-jwt/bitbucket 

- !grant 

  role: !group authn-jwt/bitbucket/authenticatable 

  members: !group bitbucket-pipelines 

After loading this policy into Conjur, add values for the authenticator variables:

# Replace `<workspace-name>` with your Bitbucket workspace name
 conjur variable set -i conjur/authn-jwt/bitbucket/provider-uri -v "https://api.bitbucket.org/2.0/workspaces/<workspace-name>/pipelines-config/identity/oidc"

conjur variable set -i conjur/authn-jwt/bitbucket/token-app-property -v "repositoryUuid" 

# This is the path in the Conjur policy where the Bitbucket pipeline hosts are defined 

conjur variable set -i conjur/authn-jwt/bitbucket/identity-path -v "bitbucket-pipelines" 

Now Conjur is ready to authenticate your Bitbucket pipelines!

Using the Pipe in Your Pipeline

To use the Conjur Bitbucket Pipe in your pipeline, you can add it to your bitbucket-pipelines.yml file like this: 
- step: 
  name: 'Retrieve secrets from Conjur' 
  oidc: true # This instructs Bitbucket to use provide OIDC credentials to the Pipe 

  script: 

    - pipe: cyberark-conjur/conjur-bitbucket-pipe:0.0.8 

      variables: 

        CONJUR_URL: 'https://<your-conjur-url>' 

        CONJUR_ACCOUNT: '<your-conjur-account>' # Defaults to 'conjur' 

        CONJUR_SERVICE_ID: 'bitbucket' # Service ID of the JWT Authenticator in Conjur. Defaults to 'bitbucket' 

        SECRETS: 'bitbucket-pipelines/username,bitbucket-pipelines/password' # Comma-separated list of Conjur variable IDs 

    - . ./.secrets/load_secrets.sh # This command loads the secrets into environment variables 

 # Now you can access the secrets as environment variables 
 # For example, 

    - curl -u $username:$password https://some-api.example.com/resource

You can see the full documentation, including advanced usage options, on our GitHub repository.

Conclusion

The Conjur Bitbucket Pipe makes it easy to securely manage secrets in your Bitbucket Cloud pipelines. By using OIDC authentication, you can avoid storing Conjur credentials in your repository, and you can easily retrieve secrets from Conjur for use in your builds and deployments. We hope this integration helps you streamline your CI/CD workflows while keeping your secrets secure. If you have any questions or feedback, please feel free to reach out to us on our GitHub repository or CyberArk Community. Happy coding!

Shlomo Heigh

Shlomo is a staff software engineer at CyberArk working on Conjur Secrets Manager. He’s an open source and AppSec enthusiast, a member of the CNCF TAG Security and a contributor to multiple OWASP projects. In his free time, you can find him spending time with his wife and daughter, 3D printing, woodworking or hiking.