
How do I generate an App password for a team so that I can copy artifacts to a download section?

I'm using Bitbucket pipelines to build the code in a repository and then deploy artifacts to the repository download section.

The repo is owned by a team, not my individual user id. (My user id has write permission, however.)

The pipelines documentation at https://confluence.atlassian.com/bitbucket/deploy-build-artifacts-to-bitbucket-downloads-872124574.html says that in order to copy the artifacts to the Download section I need an environment variable with two parameters:

"username - Bitbucket username of the repository owner (and also the user who will upload the artifacts)

password - App password as generated by bitbucket"

I'm confused about this because the repository "owner" (?) is the team, not me.

Also, there is no way (that I can see) to generate an App password from a team's settings options.

What App password and user name should I use for this?


5 answers

1 accepted

...

Responding to Joe Holloway's post of March 6:

I think you are correct to be concerned.

Here's why:

Let's say I'm an admin user for a team repository that everyone on the team can write to.  I set up an app password using my user account and add it to the team repository. (Only an admin user can do that.) I configure pipelines on that repository to use this app password -- which has write permission -- to copy artifacts to the Downloads section of the repository.

I can observe the password being accessed and used, and I can delete it at any time. And probably I don't even remember what it is -- it's hidden from me and everyone.

That sounds fine. However, the entire team can write to the repository. That means that someone on the team -- or someone impersonating them -- could accidentally or on purpose commit a change to the same bitbucket pipelines YML file that causes the pipeline to do some damage on its next run. The pipeline has access to the app password and can do a lot with it. 

Ana Retamal Atlassian Team Dec 18, 2017


Hi Ann! An App Password can be created by a user who has Admin rights over the repo or Team. If you're an admin for that team you can create an App password using your individual Bitbucket account and use it for the team. Otherwise, if you're a normal user, you'll need to contact one of the admins to follow the steps at App passwords

Hope this helps!

Ana

Hi Ana,

Quick followup question:

To use Bitbucket pipelines to build code in a team-owned repository, I need to create an environment variable

BB_AUTH_STRING

which should be:

username:app-password

The documentation for pipelines says "username" should be the owner of the repository. However, in the case of a team-owned repository, the "owner" (a team) can't create App Passwords.

So instead, I should create an "App password" using an ordinary user account and use that user's id and app password?

e.g.,

team-member:app-password

Is this correct?

(That's what I did, and it's working fine, so I assume I've got it right. Just wanted to confirm with an expert!)

Best wishes,

A.

Ana Retamal Atlassian Team Dec 18, 2017

Yes Ann, that is correct :) However, keep in mind that the user needs to have Admin rights for that team. Let us know if you have any other questions!

Have a nice day,

Ana

If you use the app password in a way that's visible to other members of your team -- in this example, within a pipeline script that uploads an artifact to 'downloads' -- wouldn't this give other users on the team API access to the private repositories on your user account (including those not owned by said team) or perhaps even separate teams that you're a member of?

There's even a note that advises against this in the app passwords doc:

"App passwords are tied to an individual account's credentials and should not be shared. If you're sharing your app password you're essentially giving direct, authenticated, access to everything that password has been scoped to do with the Bitbucket API's."

I don't understand why this would be the recommended solution for uploading pipeline artifacts in a team setting unless you trust everyone on your team with API access to your repos.  Or if you have multiple Bitbucket accounts and keep your 'team' stuff totally isolated from other teams/personal usage.


Still don't get why the "App password" feature is not integrated in a team.

If a "team" is the "BITBUCKET_REPO_OWNER" of all repos of that team, I'm expecting to generate an app password only for the "BITBUCKET_REPO_OWNER" (that's the team itself), and not using an individual account's credentials.


In case anyone still needs help on this. Generate the App Password with the admin user account (admin to the team) as suggested in the thread. However, send the request with that username as well (do NOT use the team username).

BB_AUTH_STRING = "adminUser:adminAppPassword"
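As an added example (not code from the thread or from Atlassian), a small POSIX shell check that catches the two mistakes discussed above before the upload runs: an auth string that is not in `username:app-password` form, and a username that is the team slug rather than the admin user who created the app password. The variable names are the ones the thread and Bitbucket Pipelines use; the endpoint and form upload follow the Atlassian page linked in the question.

```shell
#!/bin/sh
# Validate BB_AUTH_STRING ("$1") against the repo owner slug ("$2").
# Returns 0 when it is user:app-password and the user is not the team;
# otherwise explains the problem on stderr and returns 1.
check_auth_string() {
  auth="$1"; owner="$2"
  case "$auth" in
    *:*) ;;
    *) echo "BB_AUTH_STRING must be 'username:app-password'" >&2; return 1 ;;
  esac
  user="${auth%%:*}"      # part before the first colon
  secret="${auth#*:}"     # everything after it (app password)
  if [ -z "$user" ] || [ -z "$secret" ]; then
    echo "BB_AUTH_STRING has an empty username or app password" >&2
    return 1
  fi
  if [ "$user" = "$owner" ]; then
    # This is the case that yields the bare 401 described in the thread.
    echo "username '$user' is the team slug; use the admin user who created the app password" >&2
    return 1
  fi
  return 0
}

# Upload one artifact to the repository Downloads section.
# Needs curl and network access; prints the HTTP status code only.
upload_artifact() {
  file="$1"
  check_auth_string "$BB_AUTH_STRING" "$BITBUCKET_REPO_OWNER" || return 1
  [ -f "$file" ] || { echo "no such artifact: $file" >&2; return 1; }
  curl -sS -o /dev/null -w '%{http_code}\n' -X POST \
    --user "$BB_AUTH_STRING" \
    "https://api.bitbucket.org/2.0/repositories/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}/downloads" \
    --form files=@"$file"
}
```

Call `upload_artifact dist/app.zip` from the pipeline step, with BB_AUTH_STRING stored as a secured repository variable rather than written into the YAML.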

While people here state you can also use an app account from your personal settings, I can only say: this is not working for a repository that is part of a project owned by, for instance, your company.

I do understand the risks, but the restrictions on this feature are not well documented (thus poor user experience) and, as I experience now after 4 hours of frustration, it is not workable and the feedback (just a 401) is very, very poor.
I need to find the owner in my organisation to get the app account.
Why not make it easier, as suggested in the threads here?
What are the risks if you are already an admin and can nearly do everything with the repository?

Currently stuck, not being able to push artifacts to the repository I administer.
