Bitbucket Pipeline Reports - Using API to create reports for a private repo with IP whitelist

Joseph June 29, 2021

Is it possible to use the Bitbucket Cloud API to create reports for a private repository that has an IP whitelist? I have a Java app that runs in a pipeline which attempts to create a report and add annotations, but I get whitelist errors, i.e.:

{"type": "error", "error": {"message": "To access this commit, an admin must whitelist your IP."}}

 

I cannot add Bitbucket's IP addresses (https://support.atlassian.com/bitbucket-cloud/docs/what-are-the-bitbucket-cloud-ip-addresses-i-should-use-to-configure-my-corporate-firewall/) to our whitelist because everyone with a Bitbucket account and pipelines would have access to our repository.

Is there some form of a workaround?

2 answers

0 votes
mkleint
Atlassian Team
July 6, 2021

There is no simple solution with the constraints you outlined, I'm afraid.

The thing to consider with an IP whitelist is that even if you add all Pipelines IPs to the whitelist, it does not automatically mean that anyone with a Pipelines build can access your repository, your build or your data in general. The usual authentication/permission limits apply.

A working solution that avoids adding pipelines IPs to the whitelist would require additional infrastructure on your side to facilitate the proper filtering.

1. A pipeline build would post the report API call to a certain proxy website that you own and that is within the IP ranges allowed to contribute to the repository/workspace in question.

2. Such a proxy would have to be accessible from the Pipelines IP ranges and would require authentication with the OIDC token we issue for individual steps running inside pipelines.

See https://support.atlassian.com/bitbucket-cloud/docs/integrate-pipelines-with-resource-servers-using-oidc/ for an intro to OIDC in Bitbucket Pipelines.

3. Your proxy server would verify the token associated with the request and make sure that tokens coming from your repository/workspace/... are allowed to post.

4. If the verification is successful, the proxy would forward the request to the Bitbucket Reports API (and that should then work because it's the whitelisted range you defined before).
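
As an added example that is not part of the answer above and is not Atlassian's code: one way the proxy's decision in steps 3 and 4 could look once a JWT library has verified the token's signature against the issuer's published keys. The claim name `repositoryUuid`, the policy values and the Reports API path pattern are assumptions to confirm against the OIDC documentation linked in the answer.

```python
import re
import time

# Constructed placeholder policy: substitute your own issuer, audience and repository.
POLICY = {
    "issuer": "https://issuer.example/oidc",
    "audience": "example-audience",
    "repos": {"{repo-uuid-placeholder}": "acme/widgets"},  # repo UUID -> workspace/slug
}
SEG = r"[\w-][\w.-]*"  # one path segment; cannot be "." or ".."
# Only report and annotation endpoints are relayed (path pattern is an assumption).
REPORT_PATH = re.compile(
    rf"/2\.0/repositories/(?P<repo>{SEG}/{SEG})/commit/[0-9a-f]{{7,40}}"
    rf"/reports/{SEG}(/annotations(/{SEG})?)?"
)
ALLOWED_METHODS = {"PUT", "POST"}  # create/update a report, add annotations


def authorize(claims, method, path, now=None, policy=POLICY):
    """Decide whether to forward a request whose token signature is already verified.

    `path` is the URL path without the query string. Returns (allowed, reason).
    """
    now = time.time() if now is None else now
    if claims.get("iss") != policy["issuer"]:
        return False, "unexpected issuer"
    aud = claims.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        return False, "unexpected audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    # "repositoryUuid" is an assumed claim name; check it against the OIDC docs.
    repo = policy["repos"].get(claims.get("repositoryUuid"))
    if repo is None:
        return False, "repository not allowed"
    match = REPORT_PATH.fullmatch(path)
    if method not in ALLOWED_METHODS or match is None:
        return False, "not a reports API call"
    if match.group("repo") != repo:
        return False, "path targets a different repository"
    return True, "ok"
```

Binding the path to the repository named in the token keeps the proxy from relaying calls for any other repository or any non-report endpoint from inside the whitelisted range.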

0 votes
Joseph July 1, 2021

Still looking for a workaround for this, if anyone has any ideas.
