
Does Bitbucket support rotating HTTP access keys?

Dongliu April 10, 2024

I'm currently storing my Bitbucket HTTP access key in AWS Secrets Manager that is then pulled by Lambda functions to perform operations on the Bitbucket API. I need to be able to routinely rotate this access key - whether it be manually or programmatically.

Does the Bitbucket API offer an endpoint that allows me to generate a new access key from an existing access key? Or to generate refreshable access keys that come with refresh tokens?

1 answer

0 votes
Hariharan Iyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 10, 2024

Hi @Dongliu ,

Unfortunately automatic rotation is not supported as of now. There is a ticket open for this already, but from the comments it doesn't look like any work has gone into it.


Thanks,

Hariharan

Dongliu April 11, 2024

Thanks for the response. That is unfortunate.

I do see that there exist endpoints to create access tokens under https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-authentication/

These could be used as part of a rotation strategy.

Do you know what permission / authentication is required to make these API calls?

I attempted with a personal access token and got a 401 Unauthorized.

Hariharan Iyer
Atlassian Team
April 11, 2024

I believe you will need the Admin permission level on the respective object (project or repository) to invoke that particular API.

Dongliu April 11, 2024

The HTTP personal access tokens - from my understanding - are just used to authenticate my user to the REST API and should replicate my account permissions.

When I visit, for example, the following URL in my browser logged into my account I get a 200 response: rest/access-tokens/latest/users/<user_slug>

When I use basic auth for the call, I also get a 200 response.

But when I use my generated HTTP access token to make that call, I get a 401 Unauthorized.

Am I misunderstanding the permissions that my personal access token has?

Dongliu April 11, 2024

Do ignore me.

I just came across a section on your documentation:

  • You can't use a token to perform changes on behalf of a user (for example, create new tokens or update user account details).


Appears a token cannot be used to create a token. Also quite unfortunate.
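The thread ends with two findings that shape any rotation design: the Data Center token endpoints under rest/access-tokens/latest/users/<user_slug> work with basic auth, and an HTTP access token cannot be used to mint another token. The following Python is an added example, not code from the thread or from Atlassian, showing how a Secrets Manager rotation Lambda would sequence a rotation safely under those constraints: create the new token, verify it, store it, and only then revoke the old one, so a failed step never leaves the Lambda without a working credential. Everything about the Bitbucket API beyond the URL the thread links is an assumption (PUT to create, DELETE on `<url>/<token_id>` to revoke, a JSON body with `name`, `permissions`, `expiryDays`, a response carrying `id` and `token`); the Bitbucket and HTTP layers are a constructed stand-in so the flow runs offline, and the bootstrap credential is the user's password, because the thread establishes that a token cannot create a token.

```python
"""Added example: rotate a Bitbucket Data Center HTTP access token in the order a
Secrets Manager rotation Lambda should use (create -> verify -> store -> revoke).
The Bitbucket client below is a constructed fake; API method, body and response
shapes are assumptions to check against your Bitbucket version's documentation."""
import base64
from dataclasses import dataclass
from typing import Dict, Optional


def basic_auth_header(user: str, password: str) -> str:
    """Basic auth is the only credential the thread found able to manage tokens."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class TokenRecord:
    id: str
    name: str
    secret: str  # the token value, returned only at creation time


class FakeBitbucket:
    """Constructed stand-in for a Bitbucket Data Center instance (not a real client)."""

    def __init__(self, user: str, password: str):
        self._basic = basic_auth_header(user, password)
        self.tokens: Dict[str, TokenRecord] = {}
        self._seq = 0

    def request(self, method: str, path: str, auth: str, body: Optional[dict] = None) -> dict:
        # Mirrors the thread: a bearer token gets 401 on token management; basic auth works.
        if auth != self._basic:
            return {"status": 401}
        if method == "PUT":
            self._seq += 1
            rec = TokenRecord(id=str(self._seq), name=body["name"],
                              secret=f"tok-{self._seq}-constructed")
            self.tokens[rec.id] = rec
            return {"status": 200, "id": rec.id, "token": rec.secret}
        if method == "DELETE":
            token_id = path.rsplit("/", 1)[-1]
            return {"status": 204 if self.tokens.pop(token_id, None) else 404}
        return {"status": 405}

    def verify_token(self, token: str) -> bool:
        """Stand-in for calling an endpoint the new token must be able to reach."""
        return any(r.secret == token for r in self.tokens.values())


def rotate_token(bb: FakeBitbucket, user_slug: str, admin_user: str, admin_password: str,
                 current: dict, name: str = "lambda-rotated") -> dict:
    """One rotation step. Returns the new secret payload to store in Secrets Manager.

    `current` is the payload currently stored ({"token_id": ..., "token": ...} or {}).
    The old token is revoked only after the new one has been verified, so a failure
    anywhere leaves the stored credential valid."""
    auth = basic_auth_header(admin_user, admin_password)
    path = f"rest/access-tokens/latest/users/{user_slug}"  # URL from the thread
    # Assumed body shape; scope the token to the least permission the Lambda needs.
    created = bb.request("PUT", path, auth,
                         {"name": name, "permissions": ["REPO_READ"], "expiryDays": 30})
    if created.get("status") != 200:
        raise RuntimeError(f"token creation failed: {created}")
    new_secret = {"token_id": created["id"], "token": created["token"]}
    if not bb.verify_token(new_secret["token"]):
        # Revoke the unusable token and keep the current one in place.
        bb.request("DELETE", f"{path}/{created['id']}", auth)
        raise RuntimeError("new token failed verification; current token left untouched")
    if current.get("token_id"):
        revoked = bb.request("DELETE", f"{path}/{current['token_id']}", auth)
        if revoked["status"] not in (204, 404):
            # New token is already stored and working; log and alert on the leftover.
            raise RuntimeError(f"old token {current['token_id']} not revoked: {revoked}")
    return new_secret


if __name__ == "__main__":
    bb = FakeBitbucket("svc-user", "constructed-password")
    first = rotate_token(bb, "svc-user", "svc-user", "constructed-password", {})
    second = rotate_token(bb, "svc-user", "svc-user", "constructed-password", first)
    print("active token ids:", sorted(bb.tokens))  # only the newest survives
```

In a real rotation Lambda the `current` and `new_secret` payloads map to the AWSCURRENT and AWSPENDING staging labels, and the verification step is the `testSecret` phase; the important design point the thread forces is that the bootstrap credential in the admin user's secret has to be a password-style credential, which itself then needs a rotation and monitoring plan.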
