Announcement: Bitbucket Cloud account password usage for Git over HTTPS and API ending March 1, 2022

282 comments

Alexander Higgins March 1, 2022

Let me bump the other comments about receiving a warning email 24 hours before and only seeing it the day of.

Now, I have created a new app password and set it in our Team City Server Self Host and it is complaining it is unauthorized.



Test connection failed in SalesReports / Build
org.eclipse.jgit.errors.TransportException: https://bitbucket.org/{projectName}/salesreports.git: not authorized

Even worse we have to update credentials on our build servers, agents, and all custom CI/CD apps integrated into our pipeline and all client machines that have GIT installed.

For what? I don't see any security benefit here. In fact it is the opposite. App passwords are a statically generated 20 character alpha-numeric with NO special characters. Furthermore, they are static and cannot be changed, in the event they are eventually compromised, and they will be.

The permissions also cannot be changed, and many people will repeatedly use them throughout their organization, which increases the possibility end users will store plaintext passwords in multiple locations from each client that needs the credentials, like in config files. Also since the permissions are immutable once created, the default choice will be to give the app password full permissions to everything.

Let's not even talk about how they won't be forward compatible with new features. Instead users will be directed to recreate new app passwords with the new permissions included.


Alexander Higgins March 1, 2022

Neither the APP password nor SSH setup is working to authenticate from Team City. Both fail with

not authorized

The SSH instructions state the key must be confirmed by email but that hasn't come after trying to create two different keys. (Yes my email is configured, I get Atlassian emails including notifications about this thread).

Meanwhile Settings say the SSH key was never used despite numerous not authorized connection attempts and the app password has no timestamp for last access time.

Marc Reig March 1, 2022

Not the same problems as @Alexander Higgins

but really close on desperation!

It makes no sense what you have done here. And if I achieve to re-sync shared projects, still to re-config all CI/CD environments, Github desktops, etc...

I think you've rushed on here, and made it wrong having to rollback.

Don't understand why I can keep using my Atlassian user/pwd pair to sync my projects but not the shared ones. And full rights APP Password for me, does the same, and does not work on shared ones too. But even the repository author of those shared ones created an APP Password and those are not useful too! Those credentials (Atlassian pair and app password) do not let you sync those shared projects!

I've tried to re-CLONE (via CMD) on a test folder on my desktop with MY Atlassian pair credentials, introduced when prompted, one of those shared projects on the DEVELOP branch, and everything worked fine! So they work for clone as it seems...

David Dansby
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 1, 2022

@Marc Reig have you tried any Git ops (i.e. push/pull/clone) without GitHub Desktop  (just using terminal instead) for those shared projects to see if it works fine without GitHub Desktop? 

David Dansby
Atlassian Team
March 1, 2022

@Renee Dubuc you can find more details about app password perm scopes in our API documentation. These are the same perm scopes used for app passwords.

https://developer.atlassian.com/cloud/bitbucket/bitbucket-cloud-rest-api-scopes/

I've added this to the main post as well.

Thank you.

Mrunmayee Prakash Shirodkar March 1, 2022

@David Dansby I have an app password but I am unable to commit using SourceTree. In my SourceTree app, under authentication, it shows Authentication: OK. But when I try to push the changes it gives me the below error. Is there anything else I need to do?

 

git -c diff.mnemonicprefix=false -c core.quotepath=false --no-optional-locks push -v --tags origin branch:branch
remote: Bitbucket Cloud recently stopped supporting account passwords for Git authentication.
remote: See our community post for more details: https://atlassian.community/t5/x/x/ba-p/1948231
remote: App passwords are recommended for most use cases and can be created in your Personal settings:
remote: https://bitbucket.org/account/settings/app-passwords/
fatal: Authentication failed for 'https://bitbucket.org/user/app.git/'

David Dansby
Atlassian Team
March 1, 2022

@Mrunmayee Prakash Shirodkar if you are still receiving this error in Sourcetree then Sourcetree is still using your account password, not your new app password. Without knowing more, I can only guess a solution.

However, you most likely need to change the password that Sourcetree is using. I believe you can do this by

  1. navigating to Preferences/Settings -> Accounts
  2. Select Bitbucket Cloud account in question and hit edit
  3. Change the password to your new app password and then save
Mrunmayee Prakash Shirodkar March 1, 2022

@David Dansby I am using Windows and I have updated my password to app password under Tools -> Options -> Authentication and it shows Authentication: OK. Followed this: App passwords | Bitbucket Cloud | Atlassian Support

Update: I was able to connect using SSH but I still can't connect using App Password. I would really appreciate it if you could help provide a solution.

Grzegorz Ostrowski March 1, 2022

It doesn't work. I created an App Password with full scope. I deleted the account in source tree and added a new one with basic authentication and app password. I get the Authentication ok check. And then when I try to fetch a branch I get an error that I have to create an App Password. So what do I have to do?

4dmacau March 1, 2022

Hi, I am using Sourcetree 3.4.7 and found out today that I can not push to Bitbucket for my project. I have been committing my projects almost 3 to 4 times every day and the last time was yesterday.
I tried to use Authentication "Basic" with an app password that I just created and the green check Authentication OK is there. But I still receive the following error message:

git -c diff.mnemonicprefix=false -c core.quotepath=false --no-optional-locks -c lfs.customtransfer.bitbucket-media-api.path=git-lfs-bitbucket-media-api push -v --tags origin master:master
remote: Bitbucket Cloud recently stopped supporting account passwords for Git authentication.
remote: See our community post for more details: https://atlassian.community/t5/x/x/ba-p/1948231
remote: App passwords are recommended for most use cases and can be created in your Personal settings:
remote: https://bitbucket.org/account/settings/app-passwords/
fatal: Authentication failed for 'https://bitbucket.org/XXXXX.git/'

What should I do to make my Sourcetree app work with Bitbucket again?

4dmacau March 1, 2022

I successfully pushed to Bitbucket for my project after doing the following:

1) Uninstall Sourcetree

2) Delete these 2 folders:

- C:\Users\USERNAME\AppData\Local\Atlassian\

- C:\Users\USERNAME\AppData\Roaming\Atlassian\

3) Reinstall Sourcetree

Funny fact to me is that 2 of my teammates can pull and push fine without doing anything after I struggled for an hour.

Marc Reig March 2, 2022

@David Dansby yes, at the end of previous post I was precisely saying this.

 

I did a CLONE on to a separate folder with my atlassian pair credentials of one of the shared projects via CMD.

But using NO app password at all. Atlassian credentials only.

As I do not have GIT installed properly, I usually do something like:

C:\Users\XXXXXXXXXXXXX\AppData\Local\GitHubDesktop\app-2.9.10\resources\app\git\cmd\git.exe clone -b develop https://USERXXXXXXXXX@bitbucket.org/XXXXXXXXXXXXX/XXXXXXXXXXX.git C:\Users\XXXXXXXXXX\Desktop\XXXXXXXXXXXX\XXXXXXXXXXX

and immediately a small window appears asking for ATLASSIAN user/password credentials. Wrote'em, and everything started to sync smoothly.

So it seems it can login through Bitbucket normally, via CMD. So GitHub Desktop team says it's not their fault, since everything was working until your changes.

So what?

Beneris March 2, 2022

I have PhpStorm, this is not working at all.
Trying to set up a GPG key, but can't find the place to add this key to Bitbucket. Can someone provide a link to it or explain how to fix this?

Fabio Goncalves March 2, 2022

For me it was solved using the guidelines of this article:

https://www.itsolutionstuff.com/post/how-to-change-github-remote-from-https-to-sshexample.html

You can check which remote URL is now available in your project by using the command below:

git remote -v

It will give you a layout like the one below:

origin http://github.com/{USERNAME}/{PROJECTNAME}.git (fetch)

origin http://github.com/{USERNAME}/{PROJECTNAME}.git (push)

Now you can change it by using the following command:

Change Remote from HTTPS to SSH:

git remote set-url origin git@github.com:{USERNAME}/{PROJECTNAME}.git

David Dansby
Atlassian Team
March 2, 2022

@4dmacau thank you very much for that great update about how to resolve this issue. Can I ask, are you on a Windows machine? Also, were your two teammates that didn't have this issue using Mac?

Thanks again

David Dansby
Atlassian Team
March 2, 2022

@Fabio Goncalves thanks for the suggestion. Unfortunately, that only pushes the auth protocol for Git to use SSH (which does not require an app password). For various reasons, a number of our users prefer to use HTTPS for authentication which now requires an app password, not an Atlassian account password, to authenticate with Bitbucket Cloud. 

David Dansby
Atlassian Team
March 2, 2022

@Beneris unfortunately, Bitbucket Cloud does not have signed commits. You can still sign your commits, but unfortunately, you cannot add them to your Bitbucket Cloud account. For reference please see https://jira.atlassian.com/browse/BCLOUD-3166

Alexander Higgins March 2, 2022

FYI: For those looking for answers to issues similar to mine.

SSH - Something went wrong on Atlassian's end entering the SSH key. During my call with support, deleting the key in account settings and recreating it resolved that issue.

HTTPS - I was previously able to connect using the email associated with my Atlassian account which was `firstName.lastName@myCompanyDomain.com`. This does not work for app passwords with HTTPS. You need to use the username which shows in settings under your Atlassian account.

Additionally the GIT URL needed to be updated correctly.

For HTTP- https://[AtlassianUserName]@bitbucket.org/[WorkSpace]/[RepositoryName].git
For SSH - git@bitbucket.org:[WorkSpace]/[RepositoryName].git

And a final caveat: I was integrating with a Team City CD pipeline and initially updated all builds to use SSH, because that was the first thing we could get to work, while we were using different tooling (a custom gitversion) that attempted to connect using HTTPS. This did not work. Initially cloning/checking out the repository associates the GIT repo with a URL (either HTTP or SSH) which must be used thereafter.

Hope this helps.

David Dansby
Atlassian Team
March 2, 2022

Thank you @Alexander Higgins !!!!

Marc Reig March 3, 2022

This morning, in my case, I can't use Atlassian pair user/pwd on Github Desktop to sync my projects. It doesn't work. I had to use an App password and it started to run normally again. So something changed on Bitbucket side, I guess...

 

Seen that, I thought that maybe the real problem, the shared ones, would be gone! But my condolences...

It's a NO!

So I'm still like I was...

Marc Reig March 3, 2022

I'm on this Github Desktop issue:

https://github.com/desktop/desktop/issues/14052

Some examples I've provided there.

Marc Reig March 3, 2022

Ok! Solved!

Basically:

- Completely close Github Desktop and developing GUI. Everything related.
- Delete all bitbucket related credentials from Windows "keychain".
- Delete entire shared projects folders from my local (not my projects, only shared ones). Or save on to different paths away, if you need to recuperate some made code changes. But be sure the folders are not where they used to be anymore.
- Open Github desktop and travel to shared projects. It says they're removed and asks for removing from Github Desktop. Accept removing all of'em.
- On to Github Desktop, go to one of your own projects and re-sync (fetch button). It's going to ask for credentials. Write your Atlassian USER, the one appearing on bitbucket personal page. NOT the mail, but the user AS-IS. You need to have an APP Password created with ALL permissions set. All the checks you can check, do it. Save the token received on App password creation, and use it on GitHub Desktop login prompt.
- It normally syncs and everything works as expected. So now, it's shared projects turn.
- Forget GitHub desktop. Open CMD and do a CLONE of those removed projects, with the APP password and Atlassian user on it, like this: `C:\Users\*******\AppData\Local\GitHubDesktop\app-2.9.10\resources\app\git\cmd\git.exe clone -b develop https://ATLASSIANUSER:APPPASSWORD@bitbucket.org/*******/*******.git C:\PATH\TO\FOLDER\WHERE\REMOVED`
- Everything is going to get on place. And then, back to GitHub Desktop, you need to manually add the project through ADD button and selecting "Add existing repository". Choose your recent cloned path and voilà!
- You're free to sync, push, pull or whatever is needed.

Drastic solution, but functional one.

Now I have to resolve pipelines to AWS, which are failing on the last part of the deployment with a:
```
INFO: Deployment created with id xxx.
INFO: Waiting for deployment to complete.
aws deploy wait deployment-successful --deployment-id xxx
Waiter DeploymentSuccessful failed: Waiter encountered a terminal failure state
ERROR: Deployment failed. Fetching deployment information...
...
"errorInformation": {
"message": "The overall deployment failed because too many individual instances failed deployment, too few healthy instances are available for deployment, or some instances in your deployment group are experiencing problems.",
"code": "HEALTH_CONSTRAINTS"
},
```
don't even know why...
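
Added example, not part of any post above: a shell check for the two remote-URL problems described in this thread, an email address used as the HTTPS username (Alexander Higgins' post) and an app password placed in the clone URL (Marc Reig's steps), which Git then keeps in plain text in `.git/config`. The function names, finding labels and sample URLs are constructed for illustration.

```shell
# Added example: function names, finding labels and sample URLs are constructed.
# Print space-separated findings for one Git remote URL.
classify_remote() {
    url=$1
    case $url in
        git@bitbucket.org:*) echo "ssh-key-auth"; return 0 ;;
        https://*) rest=${url#https://} ;;
        *) echo "other-transport"; return 0 ;;
    esac
    authority=${rest%%/*}
    host=${authority##*@}                  # text after the last "@"
    [ "$host" = "bitbucket.org" ] || { echo "not-bitbucket"; return 0; }
    case $authority in
        *@*) userinfo=${authority%@*} ;;   # text before the last "@"
        *)   echo "no-username"; return 0 ;;
    esac
    user=${userinfo%%:*}
    findings=""
    case $userinfo in
        *:?*) findings="secret-in-url" ;;  # secret ends up in .git/config as plain text
    esac
    case $user in
        *@*|*%40*) findings="$findings email-as-username" ;;  # thread: username, not email
    esac
    [ -n "$findings" ] || findings="ok"
    echo $findings
}
# Mask the password part of a URL so the report itself does not leak it.
redact_remote() {
    printf '%s\n' "$1" | sed -E 's#^(https?://[^/:]+):[^/]*@#\1:***@#'
}
# Report every remote of the repository at path $1 (requires git).
audit_repo() {
    git -C "$1" config --get-regexp '^remote\..*\.url$' |
    while read -r key url; do
        printf '%s [%s] %s\n' "$key" "$(classify_remote "$url")" "$(redact_remote "$url")"
    done
}

# Constructed sample URLs; workspace, repository and credentials are placeholders.
for u in \
    "https://sampleguy@bitbucket.org/exampleworkspace/examplerepo.git" \
    "https://first.last@example.com@bitbucket.org/exampleworkspace/examplerepo.git" \
    "https://sampleguy:EXAMPLE-APP-PASSWORD@bitbucket.org/exampleworkspace/examplerepo.git" \
    "git@bitbucket.org:exampleworkspace/examplerepo.git"
do
    printf '%-20s %s\n' "$(classify_remote "$u")" "$(redact_remote "$u")"
done
```

Calling `audit_repo /path/to/checkout` on a build agent lists each configured remote with its findings. A `secret-in-url` result means the app password should move to a credential helper and the remote be reset with `git remote set-url`.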

Marc Reig March 3, 2022

Ok! About pipelines, solved too.
Found the error on Bitbucket CI/CD pipelines. Related with instance health.
Found the error on google. Ask to look at AWS console on CodeDeploy movements and search for the details on errors there appearing.
All google searches say: look at the service on the AWS instance running. Be sure it's ready and running.
It is. They say: look at the logs! I do and found something related with ssl, ruby, permissions, yada yada...
Search the error and a guy says: I usually solve this simply restarting the CodeDeploy service on the instance.
Said and done. All works back to normal now.

So for me, all done. Struggling travel, happy end.

ckraft March 3, 2022

@beef623 
Have you thought about encrypting your SSH keys?

It's just a keystroke away. Then it wouldn't be less secure to transfer them to other machines, you'd just have to type in your password when using them or once to add them to the SSH agent.

Jon Mckeever March 3, 2022

Has this taken effect? I was looking into this today, and noticed all my Git pulls for my repos are still working without switching to an App password. Our scripts are using a bitbucket.org user name that is separate from the email address we use to log into bitbucket (i.e. sampleguy@company.com to log into the site, but just "sampleguy" to pull repos)
