How do I generate an App password for a team so that I can copy artifacts to a download section?

aloraine December 15, 2017

I'm using Bitbucket pipelines to build the code in a repository and then deploy artifacts to the repository download section.

The repo is owned by a team, not my individual user id. (My user id has write permission, however.)

The pipelines documentation at https://confluence.atlassian.com/bitbucket/deploy-build-artifacts-to-bitbucket-downloads-872124574.html says that in order to copy the artifacts to the Download section I need an environment variable with two parameters:

"username - Bitbucket username of the repository owner (and also the user who will upload the artifacts)

password - App password as generated by bitbucket"

I'm confused about this because the repository "owner" (?) is the team, not me.

Also, there is no way (that I can see) to generate an App password from a team's settings options.

What App password and user name should I use for this?


5 answers

1 accepted

0 votes
Answer accepted
Javier Aladid August 27, 2019

...

1 vote
aloraine July 24, 2019

Responding to Joe Holloway's post of March 6:

I think you are correct to be concerned.

Here's why:

Let's say I'm an admin user for a team repository that everyone on the team can write to.  I set up an app password using my user account and add it to the team repository. (Only an admin user can do that.) I configure pipelines on that repository to use this app password -- which has write permission -- to copy artifacts to the Downloads section of the repository.

I can observe the password being accessed and used, and I can delete any time. And probably I don't even remember what it is -- it's hidden from me and everyone.

That sounds fine. However, the entire team can write to the repository. That means that someone on the team -- or someone impersonating them -- could accidentally or on purpose commit a change to the same bitbucket pipelines YML file that causes the pipeline to do some damage on its next run. The pipeline has access to the app password and can do a lot with it. 

0 votes
Pimped May 26, 2021

While people here state you can also use an app account from your personal settings, I can only say: this is not working for a repository that is part of a project owned by, for instance, your company.

I do understand the risks, but the restrictions on this feature are not well documented (thus poor user experience) and, as I experience now after 4 hours of frustration, it is not workable and the feedback (just a 401) is very, very poor.
I need to find the owner in my organisation to get the app account.
Why not make it easier as suggested in the threads here.
What are the risks if you are already an admin and can nearly do everything with the repository.

Currently stuck, not able to push artifacts to the repository I administer.

0 votes
Mher Alaverdyan January 10, 2019

In case anyone still needs help on this. Generate the App Password with the admin user account (admin to the team) as suggested in the thread. However, send the request with that username as well (do NOT use the team username).

BB_AUTH_STRING = "adminUser:adminAppPassword"

0 votes
Ana Retamal
Atlassian Team
December 18, 2017


Hi Ann! An App Password can be created by a user who has Admin rights over the repo or Team. If you're an admin for that team you can create an App password using your individual Bitbucket account and use it for the team. Otherwise, if you're a normal user, you'll need to contact one of the admins to follow the steps at App passwords.

Hope this helps!

Ana

aloraine December 18, 2017

Hi Ana,

Quick followup question:

To use Bitbucket pipelines to build code in a team-owned repository, I need to create an environment variable

BB_AUTH_STRING

which should be:

username:app-password

The documentation for pipelines says "username" should be the owner of the repository. However, in the case of a team-owned repository, the "owner" (a team) can't create App Passwords.

So instead, I should create an "App password" using an ordinary user account and use that user's id and app password?

e.g.,

team-member:app-password

Is this correct?

(That's what I did, and it's working fine, so I assume I've got it right. Just wanted to confirm with an expert!)

Best wishes,

A.

Ana Retamal
Atlassian Team
December 18, 2017

Yes Ann, that is correct :) However, keep in mind that the user needs to have Admin rights for that team. Let us know if you have any other questions!

Have a nice day,

Ana
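Putting the convention from Mher Alaverdyan's answer and the exchange above into a pipeline step: an added example, not code from the thread or from Atlassian. It validates that BB_AUTH_STRING is "username:app-password" with an individual admin user (not the team that owns the repo) before calling the Downloads endpoint from the linked doc; the function names are this example's own, and BITBUCKET_REPO_OWNER / BITBUCKET_REPO_SLUG are the pipeline's built-in variables.

```shell
# Added example: validate the BB_AUTH_STRING convention, then upload.

# check_auth_string AUTH_STRING REPO_OWNER
# Returns 0 when AUTH_STRING looks like "username:app-password" and the
# username is an individual account rather than the team that owns the repo.
check_auth_string() {
  auth="$1"
  owner="$2"
  case "$auth" in
    ?*:?*) ;;   # non-empty username, a colon, non-empty app password
    *) echo "BB_AUTH_STRING must be username:app-password" >&2; return 1 ;;
  esac
  user="${auth%%:*}"
  if [ "$user" = "$owner" ]; then
    # A team cannot create App passwords, so the username has to be an
    # admin user of that team (see the accepted advice in this thread).
    echo "username '$user' is the repository owner (team); use an admin user" >&2
    return 1
  fi
  return 0
}

# upload_artifact FILE
# Reads BB_AUTH_STRING (store it as a secured pipeline variable) plus the
# built-in BITBUCKET_REPO_OWNER and BITBUCKET_REPO_SLUG variables.
upload_artifact() {
  file="$1"
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
  check_auth_string "${BB_AUTH_STRING:-}" "${BITBUCKET_REPO_OWNER:-}" || return 1
  # --user keeps the credential out of the URL and therefore out of the log;
  # -f makes a 401 (wrong user or missing admin rights) fail the step.
  curl -sS -f -X POST --user "$BB_AUTH_STRING" \
    "https://api.bitbucket.org/2.0/repositories/${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}/downloads" \
    --form files=@"$file"
}
```

Because anyone who can push to the repository can change the pipeline file that reads BB_AUTH_STRING (the concern raised later in this thread), give the app password only the scope the upload needs and keep it as a secured variable rather than in the YAML.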

Joe Holloway March 6, 2019

If you use the app password in a way that's visible to other members of your team -- in this example, within a pipeline script that uploads an artifact to 'downloads' -- wouldn't this give other users on the team API access to the private repositories on your user account (including those not owned by said team) or perhaps even separate teams that you're a member of?

There's even a note that advises against this in the app passwords doc:

"App passwords are tied to an individual account's credentials and should not be shared. If you're sharing your app password you're essentially giving direct, authenticated, access to everything that password has been scoped to do with the Bitbucket API's."

I don't understand why this would be the recommended solution for uploading pipeline artifacts in a team setting unless you trust everyone on your team with API access to your repos.  Or if you have multiple Bitbucket accounts and keep your 'team' stuff totally isolated from other teams/personal usage.

sbelloz June 21, 2019

Still don't get why the "App password" feature is not integrated in a team.

If a "team" is the "BITBUCKET_REPO_OWNER" of all repos of that team, I'm expecting to generate an app password only for the "BITBUCKET_REPO_OWNER" (that's the team itself), and not to use an individual account's credentials.
