The Bitbucket CodeDeploy add-on can access your Bitbucket and AWS accounts. This document explains how we use these credentials in our add-on.
The add-on requires repository read permission. However, we do not store a copy of your repository on our servers.
When you choose to deploy a branch, pull request or commit, we download the source code (as a zip file) for that specific commit ID only. This zip file is minimally processed on our servers to meet CodeDeploy's requirements and is then immediately uploaded to an AWS S3 bucket that you specify and control. The temporary zip file on our servers is deleted immediately afterwards.
We follow AWS best practices for third-party apps, namely IAM roles, the AssumeRole API and an ExternalId. This means that you do not have to share your credentials with us. When you choose to deploy a build, we use our own AWS credentials and assume the role you have created for our use. This gives us temporary access to your AWS account.
We make the following calls on your behalf:
- Upload source files to an S3 bucket you specify
- Create a new deployment in CodeDeploy under the specified application and deployment group
- Read the list of your S3 buckets, CodeDeploy applications and deployment groups
- Fetch the status of AWS CodeDeploy deployments
- Fetch logs for a given deployment
Note that the add-on does not delete build files from S3.
The role you provide us may have additional permissions, but the add-on will not use them. These additional permissions may be used indirectly by the CodeDeploy scripts you write and execute as part of your deployment process.
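The role setup described above (the add-on's account assumes a role in your account, and the ExternalId ties that trust to this specific add-on so that no other AWS customer of the add-on can have it act on your account) is the part you control, so it is worth generating and auditing deliberately. The following Python is an added example, not the add-on's own code or a policy it publishes: it builds a trust policy that only accepts AssumeRole with the ExternalId, builds a permissions policy that covers just the calls listed above (the mapping from those calls to IAM action names is my assumption, as are the account ID, ExternalId and bucket placeholders), and audits any trust policy for the two weaknesses a reviewer should look for first: a missing ExternalId condition and a wildcard principal.

```python
import json

# Placeholder values (not from the add-on's documentation): replace them with
# the account ID and ExternalId shown on the add-on's setup screen.
ADDON_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "replace-with-external-id-from-add-on"
DEPLOY_BUCKET = "my-deploy-bucket"


def trust_policy(addon_account_id: str, external_id: str) -> dict:
    """Trust policy: the add-on's account may assume the role only when
    it presents the agreed ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{addon_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Least-privilege permissions covering only the calls the add-on documents.
    The IAM action names are my mapping of those calls (assumption)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # "Upload source files to an S3 bucket you specify" - write only, one bucket
            {"Sid": "UploadBundle", "Effect": "Allow", "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
            # "Read the list of your S3 buckets"
            {"Sid": "ListBuckets", "Effect": "Allow",
             "Action": "s3:ListAllMyBuckets", "Resource": "*"},
            # List applications/deployment groups, create deployments, fetch status
            {"Sid": "CodeDeploy", "Effect": "Allow",
             "Action": ["codedeploy:ListApplications",
                        "codedeploy:ListDeploymentGroups",
                        "codedeploy:CreateDeployment",
                        "codedeploy:GetDeployment",
                        "codedeploy:ListDeploymentInstances",
                        "codedeploy:GetDeploymentInstance"],
             "Resource": "*"},
        ],
    }


def trust_policy_weaknesses(policy: dict) -> list:
    """Audit a trust policy: every Allow statement granting sts:AssumeRole
    must carry an sts:ExternalId condition and must not trust a wildcard
    principal. Returns a list of human-readable findings (empty = OK)."""
    problems = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and principal.get("AWS") == "*"):
            problems.append(f"statement {i}: wildcard principal")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            problems.append(f"statement {i}: no sts:ExternalId condition")
    return problems


if __name__ == "__main__":
    print(json.dumps(trust_policy(ADDON_ACCOUNT_ID, EXTERNAL_ID), indent=2))
    print(json.dumps(permissions_policy(DEPLOY_BUCKET), indent=2))
    print("trust policy findings:",
          trust_policy_weaknesses(trust_policy(ADDON_ACCOUNT_ID, EXTERNAL_ID)))
```

The permissions policy deliberately contains no `s3:DeleteObject`, matching the statement that the add-on never deletes build files; if you later find delete calls attributed to the role in CloudTrail, they came from something other than the add-on's documented behaviour. Run `trust_policy_weaknesses` over the trust policy you actually attached (for example the output of `aws iam get-role`), not only over the generated one.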
You can audit the API calls we make using AWS CloudTrail. Requests from our add-on will show up with the session name "Bitbucket-CodeDeploy-Add-On" in the logs.
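In CloudTrail the session name appears in two places: in the `roleSessionName` request parameter of the `AssumeRole` event, and as the last path element of `userIdentity.arn` (`arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`) on every call made under that session. The following Python is an added example, not the add-on's own tooling: it filters a CloudTrail log file down to the add-on's session and flags any action outside the set the add-on documents (the expected set is my mapping of the listed calls to CloudTrail event names, and the log records are constructed sample data, not real events).

```python
import json

SESSION_NAME = "Bitbucket-CodeDeploy-Add-On"   # session name the add-on documents

# The documented calls, mapped by me (assumption) to CloudTrail "service:eventName".
# Note CloudTrail logs s3:ListAllMyBuckets as the API name "ListBuckets".
EXPECTED_ACTIONS = {
    "sts:AssumeRole", "s3:PutObject", "s3:ListBuckets",
    "codedeploy:ListApplications", "codedeploy:ListDeploymentGroups",
    "codedeploy:CreateDeployment", "codedeploy:GetDeployment",
    "codedeploy:ListDeploymentInstances", "codedeploy:GetDeploymentInstance",
}

ROLE_ARN = "arn:aws:iam::123456789012:role/BitbucketCodeDeployRole"   # placeholder
ADDON_SESSION_ARN = ("arn:aws:sts::123456789012:assumed-role/"
                     "BitbucketCodeDeployRole/" + SESSION_NAME)
DEV_SESSION_ARN = "arn:aws:sts::123456789012:assumed-role/DeveloperRole/alice"

# Constructed sample CloudTrail file (same shape as a real one: {"Records": [...]}).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "AWSAccount", "accountId": "111122223333"},
     "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": SESSION_NAME}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": ADDON_SESSION_ARN}},
    {"eventTime": "2024-01-01T10:00:07Z", "eventSource": "codedeploy.amazonaws.com",
     "eventName": "CreateDeployment",
     "userIdentity": {"type": "AssumedRole", "arn": ADDON_SESSION_ARN}},
    # Not a documented add-on action: should be flagged for investigation.
    {"eventTime": "2024-01-01T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteObject",
     "userIdentity": {"type": "AssumedRole", "arn": ADDON_SESSION_ARN}},
    # A developer's own session: not the add-on, must be ignored.
    {"eventTime": "2024-01-01T10:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": DEV_SESSION_ARN}},
]})


def session_name_of(record: dict):
    """Return the role session name a CloudTrail record belongs to, or None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> SESSION
        return ident.get("arn", "").rsplit("/", 1)[-1]
    if record.get("eventName") == "AssumeRole":
        return record.get("requestParameters", {}).get("roleSessionName")
    return None


def addon_events(trail_json: str, session_name: str = SESSION_NAME) -> list:
    """All records made by (or establishing) the add-on's session."""
    records = json.loads(trail_json)["Records"]
    return [r for r in records if session_name_of(r) == session_name]


def unexpected_actions(events: list, expected: set = EXPECTED_ACTIONS) -> list:
    """(eventTime, 'service:eventName') for every call outside the documented set."""
    findings = []
    for r in events:
        action = f"{r['eventSource'].split('.')[0]}:{r['eventName']}"
        if action not in expected:
            findings.append((r["eventTime"], action))
    return findings


if __name__ == "__main__":
    events = addon_events(SAMPLE_TRAIL)
    print(f"{len(events)} records under session {SESSION_NAME}")
    for when, action in unexpected_actions(events):
        print(f"UNEXPECTED {when} {action}")
```

On a real trail, point `addon_events` at each downloaded log file (they are gzipped JSON with the same `Records` layout) or at the result of a CloudTrail Lake or Athena query, and treat any finding from `unexpected_actions` as something to explain: either the expected-action mapping needs adjusting, or the role is being used outside the add-on's documented behaviour.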
Our database maintains the following:
- Bitbucket add-on-specific fields, including a shared secret between the add-on and Bitbucket, which enables us to make API calls on your behalf
- For each repository you configure, the AWS IAM role ARN that you provide
- For each deployment you trigger, the deployment ID, status and some other tracking information
The add-on is hosted on AWS and uses industry-standard security practices:
- HTTPS throughout
- AWS RDS to manage our database
- Application is hosted on AWS Elastic Beanstalk
- We use a VPC to ensure traffic is isolated from other AWS users