Getting 403 from Bitbucket Server Webhook test #6

Closed
Marakai opened this issue Feb 11, 2020 · 3 comments

Marakai commented Feb 11, 2020

Having successfully installed the stack, I configured the webhook in Bitbucket server.

The URL is something along the lines of
https://123456789.execute-api.ap-southeast-2.amazonaws.com/prod/

I set the secret/password to what I set in the configuration file (hard to get wrong as BB displays it in cleartext...).

Clicking Test Connection, I get a 403 and it seems to come from the API Gateway, as I see no CloudWatch logs that indicate the Lambda triggered.

Looking at what Bitbucket sent and received I unfortunately only get:

Request details
Event type: Test connection event
URL endpoint: https://123456789.execute-api.ap-southeast-2.amazonaws.com/prod/
Headers

X-Event-Key: diagnostics:ping
X-Request-Id: 9cfdecbc-d891-4185-b2d3-a167c57b4dbb
Content-Type: application/json

Body

{"test": true}

And

Response details
HTTP status: 403
Headers

x-amz-apigw-id: HtfLdEb1SwMFplw=
Server: Server
Connection: keep-alive
x-amzn-RequestId: e87fd1b8-4015-4edf-abb1-05ddad3cdf7b
x-amzn-ErrorType: ForbiddenException
Content-Length: 23
Date: Tue, 11 Feb 2020 02:32:41 GMT
Via: 1.1 localhost (Apache-HttpClient/4.5.5 (cache))
Content-Type: application/json

Body

{"message":"Forbidden"}

I have no other API GW logs as it's not configured and I don't have the permissions to do so, making it somewhat hard to determine why the correct mutual secret would cause an issue. Then again, that should be a 401. As far as I can see, the template "comes with" all required IAM permissions, so it seems strange to get a 403.

Testing directly at the API GW level shows that the Lambda is being triggered, though there is a lack of a complete sample event in the repo for testing in the AWS API Gateway console. Using merely the Atlassian sample payloads is incomplete and will fail at the normalisation stage with the Lambda returning a 500. Of course this also bypasses authentication entirely, so isn't really useful.
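The header check behind the "it seems to come from the API Gateway" inference in the comment above, as an added example that is not part of the issue or the project's code. The function names and the classification heuristic are assumptions; the sample is abridged from the response capture quoted in the comment.

```python
import json

# Constructed sample: abridged from the response capture quoted in the issue.
CAPTURE = """\
HTTP status:403
x-amz-apigw-id: HtfLdEb1SwMFplw=
x-amzn-RequestId: e87fd1b8-4015-4edf-abb1-05ddad3cdf7b
x-amzn-ErrorType: ForbiddenException
Content-Type: application/json

{"message":"Forbidden"}
"""


def parse_capture(text):
    """Split a 'status line, headers, blank line, body' capture into parts."""
    head, _, body = text.partition("\n\n")
    lines = [line for line in head.splitlines() if line.strip()]
    status = int(lines[0].split(":", 1)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.strip()


def classify_origin(status, headers, body):
    """Guess which layer produced an error response (heuristic, an assumption)."""
    if status < 400:
        return "not-an-error"
    try:
        parsed = json.loads(body) if body else None
    except ValueError:
        parsed = None
    # Gateway-generated errors carry x-amzn-ErrorType and, unless the gateway
    # responses were customised, a body holding only a "message" key.
    if "x-amzn-errortype" in headers:
        default_body = isinstance(parsed, dict) and set(parsed) == {"message"}
        return "gateway" if default_body else "gateway-likely"
    # Gateway request ids without an error type: the integration answered.
    if "x-amz-apigw-id" in headers or "x-amzn-requestid" in headers:
        return "backend"
    return "unknown"


if __name__ == "__main__":
    print(classify_origin(*parse_capture(CAPTURE)))
```

A "gateway" result means the request was rejected before the integration was invoked, so the webhook secret check in the Lambda never ran.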

Marakai commented Feb 11, 2020

Additional information:

Connection is VPC to VPC with TGW configured routes and the source VPC having execute-api endpoints configured.

Marakai commented Mar 2, 2020

We are now testing the recently updated https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-vpc-connections/ as it matches our setup, and will see if that resolves the issue.

@alexfrosa

Hi @Marakai, was the issue resolved?

Marakai closed this as completed Sep 29, 2020