
Can an app password be scoped to a team?

sneko March 15, 2022

Hi,

To easily manage repositories from Jenkins (with multi-branch) I have to give access to a Bitbucket account to be able to list all repositories and so on.

For now the only solution is to use a pair of "username+password". To make things secure I use an app password with only "read roles" so nothing stupid can be done. Until here, it works well.

But my main concern is that I'm using my personal Bitbucket account to manage multiple "teams/workspaces" in Bitbucket. So when creating an app password to enter it in my company Jenkins... if a Jenkins admin tries to change the "owner" of the pipeline, they will see all my personal repositories listed, for example (this is possible by using my personal username instead of the team username).

In this case another Jenkins admin (whom I can trust... but there are limits!) is able to see all my personal stuff. And if they are smart, they could create a fake pipeline just to list the content of all the files inside.

After looking around, it seems there is no way to scope the app password to the team... if I'm right, what the heck is Atlassian doing by not providing this kind of security feature? Nobody wants to have a Bitbucket account per team...

Thank you,

Related post: https://community.atlassian.com/t5/Bitbucket-questions/How-do-I-generate-an-App-password-for-a-team-so-that-I-can-copy/qaq-p/689922?tempId=eyJvaWRjX2NvbnNlbnRfbGFuZ3VhZ2VfdmVyc2lvbiI6IjIuMCIsIm9pZGNfY29uc2VudF9ncmFudGVkX2F0IjoxNjQ3MzUxMzExMjc2fQ%3D%3D

1 answer

0 votes
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 16, 2022

Hello @sneko ,

Thank you for reaching out to Atlassian Community.

If I understand it correctly, you would like to scope your app password to a given workspace. I'm afraid this is currently not possible, as the app password is attached to the user's personal account, and when authenticating with Bitbucket, it represents the user account where it was created.

I understand that using the app password of your account in the Jenkins settings might be a security issue, as it also allows it to access your personal repositories, and to mitigate that I would have the following suggestions:

  • Create another Bitbucket account, like jenkins@mydomain.com, to serve as a "service" account used by your CI/CD solution to authenticate with Bitbucket. You can give this account group access or direct access only to the repositories it really needs to interact with. Then, you can set your Jenkins configuration to use the username and App Password of this "service" account to authenticate with Bitbucket.
  • Another option would be to not authenticate with HTTPS, and use SSH instead. You can create an SSH key pair, with a public and private key, and configure your Jenkins to use that private key when authenticating. Then, you can add the public key as an access key directly either on the workspace, project, or repository level, depending on how granular you want the access control to be. With this approach, the key is not linked to any Bitbucket user and will only have read access to the repositories you have added it to (or inherited, in case you add it at the workspace or project level). We have the following documentation with steps on how to set that up:

Hope that helps. Let us know in case you have any further questions.

Thanks, @sneko 

Kind regards,

Patrik S
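Whichever option is chosen, the check a practitioner wants afterwards is proof that the credential Jenkins holds cannot list anything outside the intended workspace, which is exactly the exposure the question describes. The script below is an added example, not Atlassian's or the original poster's code; it assumes the Bitbucket Cloud `2.0/repositories?role=member` endpoint returns paginated `values` entries carrying `full_name` and `workspace.slug`, with a `next` link between pages, and the audit logic is exercised here on a constructed sample response so it runs offline.

```python
import json
import urllib.request
from base64 import b64encode
from collections import defaultdict

# Assumed endpoint: every repository the authenticated account is a member of.
API = "https://api.bitbucket.org/2.0/repositories?role=member&pagelen=100"


def fetch_visible_repos(username, app_password):
    """Walk every page of repositories the credential can see (network call)."""
    token = b64encode(f"{username}:{app_password}".encode()).decode()
    url, repos = API, []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        repos.extend(page.get("values", []))
        url = page.get("next")  # absent on the last page
    return repos


def repos_outside_workspace(repos, allowed_workspace):
    """Return {workspace_slug: [full_name, ...]} for repos outside the allowed workspace."""
    by_ws = defaultdict(list)
    for repo in repos:
        # full_name is "<workspace>/<repo>"; fall back to it if workspace.slug is missing.
        slug = repo.get("workspace", {}).get("slug") or repo["full_name"].split("/", 1)[0]
        by_ws[slug].append(repo["full_name"])
    return {ws: sorted(names) for ws, names in by_ws.items() if ws != allowed_workspace}


# Constructed sample in the assumed API shape: a personal app password used for the
# "acme-ci" workspace also exposes the owner's personal workspace.
SAMPLE_REPOS = [
    {"full_name": "acme-ci/web-app", "workspace": {"slug": "acme-ci"}},
    {"full_name": "acme-ci/infra", "workspace": {"slug": "acme-ci"}},
    {"full_name": "sneko-personal/side-project", "workspace": {"slug": "sneko-personal"}},
]

if __name__ == "__main__":
    # Swap SAMPLE_REPOS for fetch_visible_repos(user, app_password) to audit a live credential.
    leaked = repos_outside_workspace(SAMPLE_REPOS, "acme-ci")
    if leaked:
        print("credential exposes repositories outside the CI workspace:", leaked)
    else:
        print("credential is confined to the CI workspace")
```

A non-empty result for a service-account or SSH-key-based credential means the account was granted more than the CI workspace needs and its access should be trimmed.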

sneko March 24, 2022

Hi @Patrik S ,

Thank you for answering :)

1) I already thought about this, that's a possibility. It just feels weird to pay for a user only for a question of access scope. Having app passwords also for the workspace (or service accounts) would be really helpful.

2) Yes, an SSH key can help to read repositories, but inside Jenkins, connecting a real Bitbucket user (so through HTTPS) helps with UI flows (listing repositories, seeing PRs... and this is not possible with an SSH key).

Patrik S
Atlassian Team
March 25, 2022

Hey @sneko ,

I definitely understand your point, and the fact that for your use-case a service account or app passwords scoped for the workspace would be the best solution.

Unfortunately those options are currently not possible in Bitbucket Cloud, but we do already have a feature request open to implement the concept of service accounts on Bitbucket, which I think would meet your requirements. You can take a look at that feature request by accessing the following link:

I would suggest you add your vote there, since this helps both developers and product managers to understand the interest. Also, make sure you add yourself as a watcher in case you want to receive first-hand updates from that ticket. Please note that all features are implemented with this policy in mind: https://confluence.atlassian.com/support/implementation-of-new-features-policy-201294576.html

Thank you @sneko .

Kind regards,

Patrik S
