I'm using Bitbucket pipelines to build the code in a repository and then deploy artifacts to the repository download section.
The repo is owned by a team, not my individual user id. (My user id has write permission, however.)
The pipelines documentation at https://confluence.atlassian.com/bitbucket/deploy-build-artifacts-to-bitbucket-downloads-872124574.html says that in order to copy the artifacts to the Download section I need an environment variable with two parameters:
"username - Bitbucket username of the repository owner (and also the user who will upload the artifacts)
password - App password as generated by bitbucket"
I'm confused about this because the repository "owner" (?) is the team, not me.
Also, there is no way (that I can see) to generate an App password from a team's settings options.
What App password and user name should I use for this?
Responding to Joe Holloway's post of March 6:
I think you are correct to be concerned.
Let's say I'm an admin user for a team repository that everyone on the team can write to. I set up an app password using my user account and add it to the team repository. (Only an admin user can do that.) I configure pipelines on that repository to use this app password -- which has write permission -- to copy artifacts to the Downloads section of the repository.
I can observe the password being accessed and used, and I can delete it any time. And probably I don't even remember what it is -- it's hidden from me and everyone.
That sounds fine. However, the entire team can write to the repository. That means that someone on the team -- or someone impersonating them -- could accidentally or on purpose commit a change to the same bitbucket pipelines YML file that causes the pipeline to do some damage on its next run. The pipeline has access to the app password and can do a lot with it.
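The concern in the post above can be turned into a check that runs on every proposed change to the pipelines file. This is an added example, not part of the original thread or Atlassian's documentation: it flags any line of `bitbucket-pipelines.yml` that mentions the secured variable outside the one upload command that is expected. The variable name `BB_AUTH_STRING` comes from the thread; the exact shape of the allowed `curl` command and the sample YAML are assumptions constructed for the example.

```python
import re

SECRET_VAR = "BB_AUTH_STRING"  # secured variable name used in the thread

# Assumption: the only legitimate use is one curl upload to this
# repository's Downloads endpoint. Any other command is reported.
ALLOWED_UPLOAD = re.compile(
    r'curl\s+-X\s+POST\s+'
    r'"https://\$\{BB_AUTH_STRING\}@api\.bitbucket\.org/2\.0/repositories/'
    r'\$\{BITBUCKET_REPO_OWNER\}/\$\{BITBUCKET_REPO_SLUG\}/downloads"\s+'
    r'--form\s+files=@"[\w./-]+"'
)

# Constructed sample: line 6 is the expected upload, line 7 hands the
# credential to a script nobody has reviewed.
SAMPLE_YML = '''\
pipelines:
  default:
    - step:
        script:
          - mvn -B package
          - curl -X POST "https://${BB_AUTH_STRING}@api.bitbucket.org/2.0/repositories/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}/downloads" --form files=@"target/app.jar"
          - ./scripts/notify.sh "$BB_AUTH_STRING"
'''


def audit_pipeline(yml_text):
    """Return (line_number, command) for every unexpected use of the secret."""
    findings = []
    for lineno, raw in enumerate(yml_text.splitlines(), start=1):
        if SECRET_VAR not in raw:
            continue
        # Drop the YAML list marker so only the shell command is compared.
        command = re.sub(r"^\s*-\s+", "", raw).strip()
        if command.startswith("#"):
            continue  # a comment that merely names the variable
        # fullmatch: a command chained onto the upload line is also reported.
        if not ALLOWED_UPLOAD.fullmatch(command):
            findings.append((lineno, command))
    return findings


if __name__ == "__main__":
    for lineno, command in audit_pipeline(SAMPLE_YML):
        print(f"bitbucket-pipelines.yml:{lineno}: unexpected use of "
              f"{SECRET_VAR}: {command}")
```

The check only catches direct references to the variable by name, so it supports review of changes to the pipelines file rather than replacing it.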
Hi Ann! An App Password can be created by a user who has Admin rights over the repo or Team. If you're an admin for that team you can create an App password using your individual Bitbucket account and use it for the team. Otherwise, if you're a normal user, you'll need to contact one of the admins to follow the steps at App passwords.
Hope this helps!
Quick followup question:
To use Bitbucket pipelines to build code in a team-owned repository, I need to create an environment variable
which should be:
The documentation for pipelines says "username" should be the owner of the repository. However, in the case of a team-owned repository, the "owner" (a team) can't create App Passwords.
So instead, I should create an "App password" using an ordinary user account and use that user's id and app password?
Is this correct?
(That's what I did, and it's working fine, so I assume I've got it right. Just wanted to confirm with an expert!)
If you use the app password in a way that's visible to other members of your team -- in this example, within a pipeline script that uploads an artifact to 'downloads' -- wouldn't this give other users on the team API access to the private repositories on your user account (including those not owned by said team) or perhaps even separate teams that you're a member of?
There's even a note that advises against this in the app passwords doc:
"App passwords are tied to an individual account's credentials and should not be shared. If you're sharing your app password you're essentially giving direct, authenticated, access to everything that password has been scoped to do with the Bitbucket API's."
I don't understand why this would be the recommended solution for uploading pipeline artifacts in a team setting unless you trust everyone on your team with API access to your repos. Or if you have multiple Bitbucket accounts and keep your 'team' stuff totally isolated from other teams/personal usage.
Still don't get why the "App password" feature is not integrated in a team.
If a "team" is the "BITBUCKET_REPO_OWNER" of all repos of that team, I'm expecting to generate an app password only for the "BITBUCKET_REPO_OWNER" (that's the team itself), and not using an individual account's credentials.
In case anyone still needs help on this. Generate the App Password with the admin user account (admin to the team) as suggested in the thread. However, send the request with that username as well (do NOT use the team username).
BB_AUTH_STRING = "adminUser:adminAppPassword"
While people here state you can also use an app account from your personal settings, I can only say: this is not working for a repository that is part of a project owned by, for instance, your company.
I do understand the risks, but the restrictions on this feature are not well documented (thus poor user experience) and, as I am experiencing now after 4 hours of frustration, it is not workable and the feedback (just a 401) is very, very poor.
I need to find the owner in my organisation to get the app account.
Why not make it easier as suggested in the threads here.
What are the risks if you are already an admin and can nearly do everything with the repository.
Currently stuck, not being able to push artifacts to the repository I administer.