
Can an app password be scoped to a team?

Hi,

To easily manage repositories from Jenkins (with multi-branch), I have to give Jenkins access to a Bitbucket account so that it can list all repositories and so on.

For now the only solution is to use a "username+password" pair. To make things secure I use an app password with only "read" roles so nothing stupid can be done. So far, it works well.

But my main concern is that I'm using my personal Bitbucket account to manage multiple "teams/workspaces" in Bitbucket. So when creating an app password to enter into my company's Jenkins... if a Jenkins admin tries to change the "owner" of the pipeline, it will list all my personal repositories, for example (this is possible by using my personal username instead of the team username).

In this case another Jenkins admin (whom I can trust... but there are limits!) is able to see all my personal stuff. And if smart, could create a fake pipeline just to list the content of all the files inside.

After looking around, it seems there is no way to scope the app password to the team... if I'm right, what the heck is Atlassian doing, not providing this kind of security feature? Nobody wants to have a Bitbucket account per team...

Thank you,

Related post: https://community.atlassian.com/t5/Bitbucket-questions/How-do-I-generate-an-App-password-for-a-team-so-that-I-can-copy/qaq-p/689922?tempId=eyJvaWRjX2NvbnNlbnRfbGFuZ3VhZ2VfdmVyc2lvbiI6IjIuMCIsIm9pZGNfY29uc2VudF9ncmFudGVkX2F0IjoxNjQ3MzUxMzExMjc2fQ%3D%3D

1 answer

0 votes

Hello @sneko ,

Thank you for reaching out to Atlassian Community.

If I understand it correctly, you would like to scope your app password to a given workspace. I'm afraid this is currently not possible, as the app password is attached to the user's personal account, and when authenticating with Bitbucket, it represents the user account where it was created.

I understand that using the app password of your account in the Jenkins settings might be a security issue, as it also allows it to access your personal repositories, and to mitigate that I would have the following suggestions:

  • Create another Bitbucket account, like jenkins@mydomain.com, to serve as a "service" account used by your CI/CD solution to authenticate with Bitbucket. You can give this account group access or direct access only to the repositories it really needs to interact with. Then, you can set your Jenkins configuration to use the username and App Password of this "service" account to authenticate with Bitbucket.
  • Another option would be to not authenticate with HTTPS, and use SSH instead. You can create an SSH key pair, with a public and private key, and configure your Jenkins to use that private key when authenticating. Then, you can add the public key as an access key directly at either the workspace, project, or repository level, depending on how granular you want the access control to be. With this approach, the key is not linked to any Bitbucket user and will only have read access to the repositories you have added it to (or inherited, in case you add it at the workspace or project level). We have the following documentation with steps on how to set that up:

Hope that helps. Let us know in case you have any further questions.

Thanks, @sneko

Kind regards,

Patrik S
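As an added example (not from this thread or from Atlassian), here is a small Python audit that lists what a given username + app password can actually see, grouped by workspace, so you can confirm a service account's blast radius before handing the credential to Jenkins. It assumes the Bitbucket Cloud REST API v2 `GET /2.0/repositories?role=member` listing with its `values`/`next` pagination; the workspace slug `acme-team` and the sample repository objects are constructed for the offline demo.

```python
import base64
import json
import urllib.request
from collections import defaultdict

# Bitbucket Cloud API v2: every repository the authenticated account can access.
API_ROOT = "https://api.bitbucket.org/2.0/repositories?role=member&pagelen=100"


def fetch_repos(username: str, app_password: str, url: str = API_ROOT) -> list:
    """Walk every page of the listing using the credential under review."""
    token = base64.b64encode(f"{username}:{app_password}".encode()).decode()
    repos = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        repos.extend(page.get("values", []))
        url = page.get("next")  # absent on the last page
    return repos


def audit_scope(repos: list, allowed_workspaces: set) -> dict:
    """Group repositories by workspace and flag any outside the allowed set.

    A CI credential meant for one workspace should yield an empty `unexpected`
    list; anything else is blast radius the pipeline never needed.
    """
    by_workspace = defaultdict(list)
    for repo in repos:
        by_workspace[repo["workspace"]["slug"]].append(repo["full_name"])
    unexpected = sorted(
        name
        for ws, names in by_workspace.items() if ws not in allowed_workspaces
        for name in names
    )
    return {"workspaces": dict(by_workspace), "unexpected": unexpected}


# Constructed sample of the API's repository objects, trimmed to the fields used.
SAMPLE_REPOS = [
    {"full_name": "acme-team/backend", "workspace": {"slug": "acme-team"}},
    {"full_name": "acme-team/frontend", "workspace": {"slug": "acme-team"}},
    {"full_name": "jdoe/personal-notes", "workspace": {"slug": "jdoe"}},
]

if __name__ == "__main__":
    # Live run: audit_scope(fetch_repos("ci-user", "app-password"), {"acme-team"})
    print(json.dumps(audit_scope(SAMPLE_REPOS, {"acme-team"}), indent=2))
```

Run it against the service account's app password; a non-empty `unexpected` list means the credential still reaches repositories outside the workspace Jenkins is supposed to manage.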

Hi @Patrik S ,

Thank you for answering :)

1) I already thought about this; that's a possibility. It just feels weird to pay for a user only for a question of access scope. Having app passwords also for the workspace (or service accounts) would be really helpful.

2) Yes, an SSH key can help to read repositories, but inside Jenkins, connecting as a real Bitbucket user (so through HTTPS) helps with UI flows (listing repositories, seeing PRs...), and this is not possible with an SSH key.

Patrik S Atlassian Team Mar 25, 2022

Hey @sneko ,

I definitely understand your point, and the fact that for your use-case a service account or app passwords scoped for the workspace would be the best solution.

Unfortunately those options are currently not possible in Bitbucket Cloud, but we do already have a feature request open to implement the concept of service accounts on Bitbucket, which I think would meet your requirements. You can take a look at that feature request by accessing the following link:

I would suggest you add your vote there, since this helps both developers and product managers to understand the interest. Also, make sure you add yourself as a watcher in case you want to receive first-hand updates from that ticket. Please note that all features are implemented with this policy in mind: https://confluence.atlassian.com/support/implementation-of-new-features-policy-201294576.html

Thank you @sneko .

Kind regards,

Patrik S
