I'm really interested in how teams are managing their Azure deployments directly from Bitbucket, especially since Bitbucket currently lacks OIDC support for Azure, unlike platforms like GitHub or GitLab. Specifically, I'm curious about a few things: How are you securely managing your Azure credentials within your pipelines? Are you using service principals along with client secrets or certificates? Have you found any creative workarounds or third-party tools to emulate federated identity or OIDC flows? Lastly, do you have any best practices or security considerations you could share regarding this setup? I'd love to hear how others are navigating this challenge.
4 Answers
Honestly, without OIDC, it's a hassle. You can technically exchange a Bitbucket OIDC token for Azure, but the subject claim issue makes it tough since Bitbucket generates a different subject for each pipeline step. It's a design flaw, really, as the subject should be consistent.
Implementing your own Identity Provider (IdP) is an option, but it comes with its difficulties. You'll need to set up logic for which pipelines can request tokens, expose this to Azure or Entra ID for verification, and integrate it with your pipelines. Definitely not a small task!
You can still use service principals, but you'll need to store the secrets in a way that your build agents can access them. Just remember, secrets need to be updated periodically, usually every two years. If your Azure pipeline runs on Azure, using a managed identity could simplify things a bit.
I manage credentials by using a secrets management tool, just as we did prior to this OIDC support being absent. However, for multiple repositories, it's a lot to handle. Rotating service principal secrets across pipelines means I have to make updates across all those repos, which can be cumbersome.
Related Questions
Cloudflare Origin SSL Certificate Setup Guide
How To Effectively Monetize A Site With Ads