As part of a build process in Jenkins, we generate some IDs that need to be written back to a repository. Everything works fine until I try to push the commit with the new IDs back to the origin (bitbucket) on the main or production branches, which have branch restrictions to limit direct commits.
The Jenkins build uses a Repository Access Token to interact with the repo. I have tried to add that token to the "Only specific people or groups have write access" for the branch, but the e-mail, ID, etc. are not accepted as valid values.
Is there a way I can grant that token access to directly write to those branches? If not, is there another workaround I can use?
The specific error I'm getting (URLs removed):
+ git push origin
remote: Permission denied to update branch main.
To <Repo>
! [remote rejected] main -> main (pre-receive hook declined)
error: failed to push some refs to '<Repo>'
The original looks like this:
git clone https://x-token-auth:<token>@bitbucket.org/<repo>
I also run the line
git config user.email <token-id>@bots.bitbucket.org
Hello @Jake Esau ,
Thank you for reaching out to Atlassian Community!
Unfortunately, it's currently not possible to add the RAT "user" to branch restrictions. We do have a feature request to implement that functionality though, which you can access in the following link :
I would suggest you to add your vote there, since this helps both developers and product managers to understand the interest. Also, make sure you add yourself as a watcher in case you want to receive first-hand updates from that ticket. Please note that all features are implemented with this policy in mind.
As for the workaround, since only users with valid bitbucket account can be added to branch restriction, you can think of the following options
In case you don't want those credentials attached to a person on your team, you can create a new bitbucket account to be used as a "bot account", and create the App password or SSH key under that "bot" account and grant that account access to the repositories.
Hope that helps! Let me know in case you have any questions.
Thank you, @Jake Esau !
Patrik S
Wish the answer was "Yes and here's how to do it" but at least I'm not the only one that wants it. I've added my vote to that request, I would suggest anyone else reading this do the same.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
@Patrik S
I have a question much related to the same question starting this thread.
We have enabled 2FA and rely on access token through automation to update our branches, but are hit with permission issues when we try to copy a repository from one remote git repository (another cloud provider) to a remote git repository in bitbucket cloud.
We get this message when pushing cloned repo to bitbucket cloud repo.
remote: Permission denied to update branch master.
To https://bitbucket.org/xxxxx.git
! [remote rejected] master -> master (pre-receive hook declined)
error: failed to push some refs to 'https://bitbucket.org/xxxxx.git'
For the the workspace access token we have the following permissions.
Scopes
account
pipeline
pullrequest
pullrequest:write
repository
repository:admin
repository:delete
repository:write
runner
Creating a bot account and using Basic Auth or SSH Auth is not working in the automated pipeline because of 2FA. We are hit with two-step auth.
To access this repository, enable two-step authentication.
We cannot disable 2FA because of security policies. What options do we have ?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello @Thomas Nystrøm and welcome to the Community!
The error you are receiving
pre-receive hook declined
indicates there's a branch restriction on the destination branch preventing the push from occurring. Similar to my first comment on this thread, since the access token can't currently be added to branch restrictions, either Basic Auth or SSH authentication needs to be used.
With regards to the 2FA, this only affects sign-in on the Bitbucket website. 2FA is not asked when executing API calls/git commands using App Password or SSH key authentication, so you should be able to use one of those authentication methods for the git push command with the bot account.
Thank you, @Thomas Nystrøm !
Patrik S
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
As I understand the bot account is just a ordinary bitbucket account similar to a user account and our security policy requires that all bitbucket accounts have 2FA enabled. We tried to use a bot account with ssh auth key, but because of the 2FA requirements we get this error when bot account tries to access repository.
To access this repository, enable two-step authentication.
fatal: Could not read from remote repository.
Is there any special account types for "bots" in Bitbucket cloud ?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hello @Thomas Nystrøm ,
You are correct. Currently, there's no concept of "bot" account in Bitbucket Cloud account, but you can create an ordinary account to act like a "bot" account.
As for the access control to require two-step verification, if this option is enabled in your workspace, any user who doesn't have two-step verification enabled will see a message that prompts them to enable it. Also, those users will not be able to clone, push or pull from a private repository within that workspace. This will also apply to the "bot" user account.
As of now, we don't have the option to specify which users will be affected by Access Controls (Enforce 2SV, IP Allowlisting), these are currently only available at a workspace-wide level applying all the users on the workspace. We have an open feature request to implement the functionality of user-specific access control BCLOUD-21794. Feel free to add your Vote on that feature and leave your feedback in the comments.
While that feature is not available, I'm afraid 2SV will need to be setup for the "bot" user account so it can clone/push from/to the repository.
Another option, in case your organization has an Atlassian Access subscription, is to enforce 2FA on Atlassian account layer (instead of Bitbucket workspace layer), where you will have more flexibility to configure multiple security levels for different user sets within your organization.
Thank you, @Thomas Nystrøm !
Patrik S
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.