Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Join now to unlock these features and more

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Get started Tell me more
Atlassian Community about banner
4,553,173
Community Members
 
Community Events
184
Community Groups

How do I get Bamboo Specs to use Azure Keyvault for fetching secret variables?

Edited
Dakota Brown
Dakota Brown Jun 06, 2018

I have a Bamboo Specs repo that uses Azure KeyVault for fetching a few variables (passwords) used by build/deploy jobs. 

I'm curious if anyone knows a way around the Access Control Exceptions

[ERROR] Failed to execute goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run (default-cli) on project bamboo-specs-generator: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run failed: access denied ("java.net.NetPermission" "getProxySelector") -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run (default-cli) on project bamboo-specs-generator: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run failed: access denied ("java.net.NetPermission" "getProxySelector")
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:213)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:154)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:146)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:117)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:81)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:128)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:309)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:194)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:107)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:993)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:345)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:191)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: org.apache.maven.plugin.PluginExecutionException: Execution default-cli of goal com.atlassian.bamboo:bamboo-specs-runner:6.5.0:run failed: access denied ("java.net.NetPermission" "getProxySelector")
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:145)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:208)
	... 20 more
Caused by: java.security.AccessControlException: access denied ("java.net.NetPermission" "getProxySelector")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
	at java.security.AccessController.checkPermission(AccessController.java:884)
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
	at com.atlassian.bamboo.specs.maven.sandbox.AbstractThreadPermissionVerifier.checkPermission(AbstractThreadPermissionVerifier.java:18)
	at com.atlassian.bamboo.specs.maven.sandbox.BambooSpecsSecurityManager.checkPermission(BambooSpecsSecurityManager.java:37)
	at java.net.ProxySelector.getDefault(ProxySelector.java:94)
	at okhttp3.OkHttpClient$Builder.<init>(OkHttpClient.java:425)
	at com.microsoft.azure.AzureServiceClient.<init>(AzureServiceClient.java:25)
	at com.microsoft.azure.keyvault.KeyVaultClientImpl.<init>(KeyVaultClientImpl.java:203)
	at com.microsoft.azure.keyvault.KeyVaultClientImpl.<init>(KeyVaultClientImpl.java:193)
	at com.microsoft.azure.keyvault.KeyVaultClient.<init>(KeyVaultClient.java:179)
	at com.hiscox.plan.Default.<init>(Default.java:28)
	at com.hiscox.plan.DockerComposeCommon.<init>(DockerComposeCommon.java:35)
	at com.hiscox.plan.DockerComposeCommon.<init>(DockerComposeCommon.java:40)
	at com.hiscox.PlanSpec.main(PlanSpec.java:22)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at com.atlassian.bamboo.specs.maven.sandbox.SpecsRunner.callMainMethod(SpecsRunner.java:95)
	at com.atlassian.bamboo.specs.maven.sandbox.SpecsRunner.runSpecsInternal(SpecsRunner.java:76)
	at com.atlassian.bamboo.specs.maven.sandbox.SpecsRunner$$Lambda$13/1222908765.get(Unknown Source)
	at com.atlassian.bamboo.specs.maven.sandbox.SecureMethodInvoker.lambda$invokeInternal$0(SecureMethodInvoker.java:34)
	at com.atlassian.bamboo.specs.maven.sandbox.SecureMethodInvoker$$Lambda$14/1331644236.run(Unknown Source)
	at java.lang.Thread.run(Thread.java:745)

 Edit:

 

bamboo 6.5

I see documents reference a Enable secure Specs processing setting but I'm not seeing it in Security settings

Reference: https://confluence.atlassian.com/bamboo/repository-stored-bamboo-specs-security-938844473.html

 

Answer
Watch
Like Be the first to like this
570 views

1 answer

1 vote
Boris Van Hardeveld
Boris Van Hardeveld
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
May 14, 2020 • edited

@Dakota Brown not sure if this would still help you in any way given the time since your question, but it might help others.

I don't know much about your context, but it seems to me your Bamboo installation is running Tomcat (i.e. Catalina) in security mode (have a look at the bin/catalina.sh file in your installation directory, where security mode is selected). When this is the case, the security policies as defined in the file conf/catalina.policy are in place.

Your Bamboo specs are being executed by the bamboo specs runner (see jar at https://mvnrepository.com/artifact/com.atlassian.bamboo/bamboo-specs-runner/6.5.0) in some kind of sandbox environment. Your dependency on the Azure Key Vault triggers network communication from bamboo-specs-runner-6.0.5.jar, for which I cannot find an exception in catalina.policy, hence the exception.

So the solution would be to adjust the catalina.policy file and include the following permission:

permission java.net.NetPermission "getProxySelector";

For bamboo-specs-runner-6.0.5.jar.

Mind that I did not try this and I'm not an expert on Catalina security policies.

As an alternative, there is now a plugin (note that I am the author!) which avoids the need to fetch secret variables from your specs, it rather resolves them at build and deploy time by reference. See https://marketplace.atlassian.com/apps/1221965/secret-managers-for-bamboo

Reply

Suggest an answer

Log in or Sign up to answer
Bamboo
Bamboo
TAGS
AUG Leaders

Atlassian Community Events

See all events