Right, so you’ve got your beautiful, pristine code living in a GitHub or Bitbucket repository. It’s your baby. And now you want to deploy it using AWS’s suite of tools. The first instinct is to just hand over your username and password to AWS and call it a day. Don’t. That’s the old, horrifically insecure way, and frankly, we’re better than that. This is where CodeStar Connections saunters in, offering a far more elegant and secure solution. Think of it as giving AWS a very specific, limited-access key to your front door, instead of handing them your passport, social security number, and the deed to your house.

The “Why”: OAuth and IAM Are Your Friends

The core problem CodeStar Connections solves is authentication without sharing secrets. Instead of storing your personal GitHub/Bitbucket credentials in AWS (a cardinal sin), it uses either OAuth or an AWS-generated app password tied to an IAM role. This means you’re granting AWS permission to access your repositories, not giving them your keys. If you ever need to revoke that access, you do it in one place (IAM), and it’s instantly severed everywhere. It’s a clean, auditable, and secure handshake. The connection is also a regional resource, which is a quirky but important detail—if you set it up in us-east-1, your pipeline in us-west-2 can still use it, but you manage the connection itself in its home region.

Creating the Connection: The Console Magic Trick

The initial setup is one of those things that feels like magic the first time. You’ll navigate to CodeStar Connections in the AWS Console, hit “Create connection,” and choose your provider. Here’s the slick part: when you select GitHub, AWS will redirect you to GitHub.com, where you’ll authenticate yourself and authorize AWS CodeSuite to access your account. You can choose to grant access to all repositories or just specific ones. This is the OAuth flow, and it’s the recommended path for most users.

For Bitbucket or if you need more granular control (like using a machine user), you can use the “App password” method. You generate a long, complex password in your Bitbucket/GitHub settings, give it specific read/write permissions to your repos, and provide that to AWS. AWS still doesn’t store this password directly; it uses it once to establish the trust relationship and then manages access via IAM.

The console will show a status of “Pending” for a minute. Go make a coffee. When you come back, it should say “Available.” This means the handshake is complete. Behind the scenes, AWS has created a connection resource with a unique ARN. That ARN is your golden ticket.

The Infrastructure-as-Code Way: AWS CloudFormation

You’re not clicking around in the console for something this foundational, are you? Of course not. We define our infrastructure in code. Here’s how you create a CodeStar connection using CloudFormation. Note the ProviderType property: it’s essentially the namespace for your connection type, and it’s the only thing in this template that makes it a GitHub connection rather than a Bitbucket one.

Resources:
  MyGitHubConnection:
    Type: AWS::CodeStarConnections::Connection
    Properties:
      ConnectionName: my-awesome-github-connection
      ProviderType: GitHub
      # Tags are your friend for managing costs and resources
      Tags:
        - Key: Project
          Value: SuperSeriousApp

Now, here’s the kicker: the CloudFormation resource only creates the connection object. It cannot complete the OAuth handshake for you. The status will be “PENDING” until a human (yes, you) goes into the AWS Console and authorizes it. This is the one rough edge; it’s not fully automatable for a greenfield setup without some serious scripting gymnastics involving the CLI. Once it’s authorized the first time, however, you can use the ARN everywhere.

Using the Connection in Your CodePipeline

This is the payoff. In your CodePipeline definition, whether in the console, CLI, or CloudFormation, you reference the connection ARN instead of providing direct repository credentials. Here’s the critical part of a Pipeline CloudFormation template.

Resources:
  AppPipeline:
    Type: AWS::CodePipeline::Pipeline
    Properties:
      RoleArn: !GetAtt PipelineRole.Arn
      # ArtifactStore is a required property; ArtifactBucket is an S3 bucket
      # defined elsewhere in the same template
      ArtifactStore:
        Type: S3
        Location: !Ref ArtifactBucket
      Stages:
        - Name: Source
          Actions:
            - Name: SourceAction
              ActionTypeId:
                Category: Source
                Owner: AWS
                Provider: CodeStarSourceConnection
                Version: '1'
              Configuration:
                # The connection ARN replaces any repository credentials
                ConnectionArn: !GetAtt MyGitHubConnection.ConnectionArn
                FullRepositoryId: my-github-username/my-repo-name
                BranchName: main
                # This is important for triggering builds on push
                DetectChanges: true
              OutputArtifacts:
                - Name: SourceOutput
              RunOrder: 1
        # CodePipeline requires at least one more stage (Build, Deploy, ...) after Source

The Provider: CodeStarSourceConnection is the key here. It tells Pipeline, “Hey, go use that secure connection we set up instead of asking for a username and password.”

The Gotchas: Where They Get You

  1. The Initial Authorization: As mentioned, the first-time OAuth handshake is a manual step. You can’t bootstrap a brand-new AWS account and a brand-new connection entirely from code without jumping through some hoops.
  2. Region Quirks: You create the connection in one region, but you use its ARN globally. Just remember where you created it for management purposes.
  3. Permission Scoping: When you authorize via OAuth for GitHub, you authorize for your entire account. If you chose “All repositories,” any pipeline in any AWS account that has that connection ARN can access any of your repos. This is a terrifyingly broad permission. Always, always choose “Only select repositories” and specify exactly the repo your pipeline needs. The App Password method is inherently more granular.
  4. Updates Require Repointing: If you change the repository or branch in the source action’s configuration, CodePipeline doesn’t always seamlessly detect it. You may need to manually trigger a pipeline execution to get it to grab the latest commit from the new target.
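Gotchas 1 through 3 are all things you can check for rather than discover the hard way. The audit below is an added example, not code from the original post or from AWS: it walks pipeline definitions shaped like `aws codepipeline get-pipeline` output, matches each CodeStarSourceConnection action against a connection listing shaped like `aws codestar-connections list-connections` output, and flags connections still stuck in PENDING, connections living in a different region than the pipeline, and the set of repositories each connection actually serves (the list your “Only select repositories” grant should match). All ARNs, account IDs, repo names and pipeline definitions are constructed sample data.

```python
import re

# Connection ARN layout: arn:aws:codestar-connections:REGION:ACCOUNT:connection/UUID
ARN_RE = re.compile(r"^arn:aws:codestar-connections:([a-z0-9-]+):\d{12}:connection/")
# Constructed sample shaped like `aws codestar-connections list-connections` output.
GH_ARN = "arn:aws:codestar-connections:us-east-1:111111111111:connection/11111111-2222-3333-4444-555555555555"
BB_ARN = "arn:aws:codestar-connections:us-east-1:111111111111:connection/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CONNECTIONS = {"Connections": [
    {"ConnectionName": "my-awesome-github-connection", "ConnectionArn": GH_ARN, "ConnectionStatus": "AVAILABLE"},
    {"ConnectionName": "bitbucket-staging", "ConnectionArn": BB_ARN, "ConnectionStatus": "PENDING"}]}

def source_action(arn, repo, branch):
    # Shape of a CodeStarSourceConnection action in `aws codepipeline get-pipeline` output.
    return {"name": "SourceAction", "actionTypeId": {"category": "Source", "owner": "AWS",
            "provider": "CodeStarSourceConnection", "version": "1"},
            "configuration": {"ConnectionArn": arn, "FullRepositoryId": repo, "BranchName": branch}}

# Constructed sample: (pipeline definition, region the pipeline lives in)
PIPELINES = [
    ({"pipeline": {"name": "app-pipeline", "stages": [{"name": "Source", "actions": [
        source_action(GH_ARN, "my-github-username/my-repo-name", "main")]}]}}, "us-west-2"),
    ({"pipeline": {"name": "staging-pipeline", "stages": [{"name": "Source", "actions": [
        source_action(BB_ARN, "my-team/staging-app", "develop")]}]}}, "us-east-1")]

def audit(connections, pipelines):
    """One finding per source action: repo, connection, and why it may fail or needs attention."""
    by_arn = {c["ConnectionArn"]: c for c in connections["Connections"]}
    findings = []
    for pipeline, region in pipelines:
        for stage in pipeline["pipeline"]["stages"]:
            for action in stage["actions"]:
                if action["actionTypeId"].get("provider") != "CodeStarSourceConnection":
                    continue  # CodeCommit/S3 sources don't go through a connection
                cfg, arn, issues = action["configuration"], action["configuration"]["ConnectionArn"], []
                conn = by_arn.get(arn)
                if conn is None:
                    issues.append("connection ARN not in this account's listing")
                elif conn["ConnectionStatus"] != "AVAILABLE":
                    issues.append("status " + conn["ConnectionStatus"] + ": handshake never authorized")
                match = ARN_RE.match(arn)
                if match and match.group(1) != region:
                    issues.append("connection lives in " + match.group(1) + ", pipeline in " + region)
                findings.append({"pipeline": pipeline["pipeline"]["name"], "repo": cfg["FullRepositoryId"],
                                 "branch": cfg["BranchName"], "connection": arn, "issues": issues})
    return findings

def repos_by_connection(findings):
    """Repos each connection actually serves: what the GitHub/Bitbucket-side grant should be scoped to."""
    repos = {}
    for f in findings:
        repos.setdefault(f["connection"], set()).add(f["repo"])
    return repos
```

In real use, feed `audit` the parsed JSON from those two CLI calls (or the equivalent boto3 responses) and fail the deployment if any finding has a non-empty issues list.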

It’s not perfect, but it’s a world apart from the bad old days of credential leakage. You get a secure, auditable, and reusable link between your code and your cloud, and that’s a win.