The Bitbucket CodeDeploy add-on can access your Bitbucket and AWS accounts. This document explains how we use these credentials in our add-on.

Bitbucket

The add-on requires repository read permission. However, we do not store a copy of your repository on our servers.

When you choose to deploy a branch, pull request, or commit, we download the source code (as a zip file) for that specific commit ID only. This zip file is minimally processed on our servers to meet CodeDeploy norms, and is then immediately uploaded to an AWS S3 bucket that you specify and control. The temporary zip file on our servers is then deleted immediately.


AWS

We follow AWS best practices for third-party apps, viz. using IAM roles, the AssumeRole API and an ExternalId. This means that you do not have to share your credentials with us. When you choose to deploy a build, we use our own AWS credentials and assume the role you have created for our use. This gives us temporary access to your AWS account.

We make the following calls on your behalf -

Note that the add-on does not delete build files from S3.

The role you provide us may have additional permissions, but the add-on will not use them. These additional permissions may be used indirectly by the CodeDeploy scripts you write and execute as part of your deployment process.

You can audit the API calls we make using AWS CloudTrail. Requests from our add-on will show up with the role session name "Bitbucket-CodeDeploy-Add-On" in the logs.
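The following is an added example, not code from the add-on or from this page, showing the account owner's side of the arrangement described above: the trust policy that restricts who may assume the role (and requires the ExternalId), and a small audit pass over CloudTrail records that picks out the AssumeRole call into that role and every API call made under the resulting "Bitbucket-CodeDeploy-Add-On" session. It also flags any Delete* call under that session, since the page states the add-on never deletes build files from S3. The account IDs, role name, ExternalId value and the sample CloudTrail records are constructed placeholders.

```python
"""Added example (not the add-on's own code). Assumed placeholders below:
account IDs, role name, ExternalId value and sample CloudTrail records."""
import json

ADDON_ACCOUNT_ID = "111111111111"          # placeholder: the add-on vendor's AWS account
YOUR_ACCOUNT_ID = "222222222222"           # placeholder: your AWS account
ROLE_NAME = "BitbucketCodeDeployRole"      # placeholder: role you create for the add-on
EXTERNAL_ID = "example-external-id"        # placeholder: value agreed with the add-on
SESSION_NAME = "Bitbucket-CodeDeploy-Add-On"  # session name stated on the page


def build_trust_policy(addon_account_id, external_id):
    """Trust policy for the role: only the add-on's account may assume it, and
    only when it presents the agreed ExternalId (the confused-deputy guard)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{addon_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def audit_events(records, account_id, role_name, session_name):
    """Classify CloudTrail records that concern the add-on's role.

    Returns a dict with:
      assume_role   - AssumeRole calls targeting the role (was an externalId sent?)
      session_calls - (eventSource, eventName) made under the assumed-role session
      unexpected    - session calls that delete something (the page says none occur)
    """
    role_arn = f"arn:aws:iam::{account_id}:role/{role_name}"
    session_arn = f"arn:aws:sts::{account_id}:assumed-role/{role_name}/{session_name}"
    result = {"assume_role": [], "session_calls": [], "unexpected": []}
    for rec in records:
        params = rec.get("requestParameters") or {}
        if rec.get("eventName") == "AssumeRole" and params.get("roleArn") == role_arn:
            result["assume_role"].append({
                "time": rec["eventTime"],
                "session": params.get("roleSessionName"),
                "external_id_present": "externalId" in params,
            })
        ident = rec.get("userIdentity") or {}
        if ident.get("type") == "AssumedRole" and ident.get("arn") == session_arn:
            call = (rec["eventSource"], rec["eventName"])
            result["session_calls"].append(call)
            if rec["eventName"].startswith("Delete"):
                result["unexpected"].append(call)
    return result


# Constructed sample records (the shape of a CloudTrail log file's "Records" list).
SESSION_ARN = f"arn:aws:sts::{YOUR_ACCOUNT_ID}:assumed-role/{ROLE_NAME}/{SESSION_NAME}"
SAMPLE_RECORDS = [
    {   # constructed: the add-on assumes the role, presenting the ExternalId
        "eventTime": "2024-01-01T12:00:00Z", "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "accountId": ADDON_ACCOUNT_ID},
        "requestParameters": {
            "roleArn": f"arn:aws:iam::{YOUR_ACCOUNT_ID}:role/{ROLE_NAME}",
            "roleSessionName": SESSION_NAME, "externalId": EXTERNAL_ID},
    },
    {   # constructed: build zip uploaded to your bucket under the session
        "eventTime": "2024-01-01T12:00:05Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject",
        "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN},
    },
    {   # constructed: deployment created under the same session
        "eventTime": "2024-01-01T12:00:10Z", "eventSource": "codedeploy.amazonaws.com",
        "eventName": "CreateDeployment",
        "userIdentity": {"type": "AssumedRole", "arn": SESSION_ARN},
    },
    {   # constructed: unrelated activity by another principal; must be ignored
        "eventTime": "2024-01-01T12:01:00Z", "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteObject",
        "userIdentity": {"type": "IAMUser",
                         "arn": f"arn:aws:iam::{YOUR_ACCOUNT_ID}:user/alice"},
    },
]

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ADDON_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(audit_events(SAMPLE_RECORDS, YOUR_ACCOUNT_ID, ROLE_NAME, SESSION_NAME), indent=2))
```

To run this against real logs, load each CloudTrail file, pass its "Records" list to audit_events, and treat a non-empty "unexpected" list, or an AssumeRole entry without external_id_present, as something to investigate.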


Database

Our database maintains the following -

Security

The add-on is hosted on AWS, and uses industry standard security practices.