Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,553,178
Community Members
 
Community Events
184
Community Groups

How do I generate an App password for a team so that I can copy artifacts to a download section?

Edited

I'm using Bitbucket pipelines to build the code in a repository and then deploy artifacts to the repository download section.

The repo is owned by a team, not my individual user id. (My user id has write permission, however.)

The pipelines documentation at https://confluence.atlassian.com/bitbucket/deploy-build-artifacts-to-bitbucket-downloads-872124574.html says that in order to copy the artifacts to the Download section I need an environment variable with two parameters:

"username - Bitbucket username of the repository owner (and also the user who will upload the artifacts)

password - App password as generated by bitbucket"

I'm confused about this because the repository "owner" (?) is the team, not me.

Also, there is no way (that I can see) to generate an App password from a team's settings options.

What App password and user name should I use for this?

 

5 answers

1 accepted

...

Responding to Joe Holloway's post of March 6:

I think you are correct to be concerned.

Here's why:

Let's say I'm an admin user for a team repository that everyone on the team can write to.  I set up an app password using my user account and add it to the team repository. (Only an admin user can do that.) I configure pipelines on that repository to use this app password -- which has write permission -- to copy artifacts to the Downloads section of the repository.

I can observe the password being accessed and used, and I can delete any time. And probably I don't even remember what it is -- it's hidden from me and everyone.

That sounds fine. However, the entire team can write to the repository. That means that someone on the team -- or someone impersonating them -- could accidentally or on purpose commit a change to the same bitbucket pipelines YML file that causes the pipeline to do some damage on its next run. The pipeline has access to the app password and can do a lot with it. 

While people here state you can also use an app account from your personal settings, I can only say: this is not working for  repository part of a project owned by for instance your company.

I do understand the risks, but the restrictions on this feature are not well documented (thus poor user experience) and as I experience now after 4 hours of frustration: it is not workable and the feedback (just an 401) very very poor.
I need to find the owner in my organisation to get the app account.
Why not make it easier as suggested in the threads here.
What are the risks if you are already an admin and can nearly do everything with the repository.

Currently stuck not able being to push artifacts to the repository I administer.

In case anyone still needs help on this. Generate the App Password with the admin user account (admin to the team) as suggested in the thread. However, send the request with that username as well (do NOT use the team username).

BB_AUTH_STRING = "adminUser:adminAppPassword"

0 votes
Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Dec 18, 2017

 

Hi Ann! An App Password can be created by a user who has Admin rights over the repo or Team. If you're an admin for that team you can create an App password using your individual Bitbucket account and use it for the team. Otherwise, if you're a normal user, you'll need to contact one of the admins to follow the steps at App passwords

Hope this helps!

Ana

Hi Ana,

Quick followup question:

To use Bitbucket pipelines to build code in a team-owned repository, I need to create an environment variable

BB_AUTH_STRING

which should be:

username:app-password

The documentation for pipelines says "username" should be the owner of the repository. However, in the case of a team-owned repository, the "owner" (a team) can't create App Passwords.

So instead, I should create an "App password" using an ordinary user account and use that user's id and app password?

e.g.,

team-member:app-password

Is this correct?

(That's what I did, and it's working fine, so I assume I've got it right. Just wanted to confirm with an expert!)

Best wishes,

A.

Ana Retamal
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Dec 18, 2017

Yes Ann, that is correct :) However, keep in mind that the user need to have Admin rights for that team. Let us know if you have any other questions!

Have a nice day,

Ana

If you use the app password in a way that's visible to other members of your team -- in this example, within a pipeline script that uploads an artifact to 'downloads' -- wouldn't this give other users on the team API access to the private repositories on your user account (including those not owned by said team) or perhaps even separate teams that you're a member?

There's even a note that advises against this in the app passwords doc:

"App passwords are tied to an individual account's credentials and should not be shared. If you're sharing your app password you're essentially giving direct, authenticated, access to everything that password has been scoped to do with the Bitbucket API's."

I don't understand why this would be the recommended solution for uploading pipeline artifacts in a team setting unless you trust everyone on your team with API access to your repos.  Or if you have multiple Bitbucket accounts and keep your 'team' stuff totally isolated from other teams/personal usage.

Like # people like this

Still don't get it why "App password" feature is not integrated in a team.

if a "team" is the "BITBUCKET_REPO_OWNER" of all repos of that team, I'm expecting to generate an app password only for the "BITBUCKET_REPO_OWNER" (that's the team itself), and not using individual account's credentials.

Like # people like this

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events