How do I grant write access to restricted branches via repo tokens?

Jake Esau January 24, 2023

As part of a build process in Jenkins, we generate some IDs that need to be written back to a repository. Everything works fine until I try to push the commit with the new IDs back to the origin (bitbucket) on the main or production branches, which have branch restrictions to limit direct commits.

The Jenkins build uses a Repository Access Token to interact with the repo. I have tried to add that token to the "Only specific people or groups have write access" for the branch, but the e-mail, ID, etc. are not accepted as valid values.

Is there a way I can grant that token access to directly write to those branches? If not, is there another workaround I can use?

The specific error I'm getting (URLs removed):

+ git push origin
remote: Permission denied to update branch main.
To <Repo>
 ! [remote rejected] main -> main (pre-receive hook declined)
error: failed to push some refs to '<Repo>'

The original looks like this:

git clone https://x-token-auth:<token>@bitbucket.org/<repo>

I also run the line:

git config user.email <token-id>@bots.bitbucket.org


2 answers

1 accepted

2 votes
Answer accepted
Patrik S
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
January 26, 2023

Hello @Jake Esau ,

Thank you for reaching out to Atlassian Community!

Unfortunately, it's currently not possible to add the RAT "user" to branch restrictions. We do have a feature request to implement that functionality though, which you can access in the following link : 

I would suggest you add your vote there, since this helps both developers and product managers to understand the interest. Also, make sure you add yourself as a watcher in case you want to receive first-hand updates from that ticket. Please note that all features are implemented with this policy in mind.

As for the workaround, since only users with a valid Bitbucket account can be added to branch restrictions, you can consider the following options:

  • Basic Auth: Use a Bitbucket username along with an App Password. The App Password needs to be created under a user account that has access to the repository being pushed.
  • SSH Auth: Use an SSH key added to the account of a user that has access to the repository being pushed.

In case you don't want those credentials attached to a person on your team, you can create a new bitbucket account to be used as a "bot account", and create the App password or SSH key under that "bot" account and grant that account access to the repositories.

Hope that helps! Let me know in case you have any questions.

Thank you, @Jake Esau !

Patrik S
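The two workarounds above (App Password over HTTPS, or an SSH key on a bot account) in a shape suitable for a CI job, as an added example that is not part of the thread or of any Atlassian code: the App Password is handed to git through a GIT_ASKPASS helper instead of being embedded in the remote URL the way the original `x-token-auth` clone embeds the token, so it is not written into `.git/config` or exposed in the process list, and the SSH variant pins a single key with IdentitiesOnly so ssh cannot fall back to a human's key from the agent. The bot username `ci-bot`, the variables `BOT_USER`, `BOT_APP_PASS`, `BOT_SSH_KEY`, `WORKSPACE` and `REPO_SLUG`, and the key path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Pushes a CI commit to a branch whose
# restriction lists a bot account, using either the bot's App Password over
# HTTPS or the bot's SSH key. Assumed inputs, normally injected by the CI
# secret store (all names are assumptions for illustration):
#   BOT_USER      Bitbucket username of the bot account (e.g. ci-bot)
#   BOT_APP_PASS  App Password created under that account
#   BOT_SSH_KEY   path to the bot's private key, e.g. /var/lib/jenkins/.ssh/bitbucket_bot
#   WORKSPACE / REPO_SLUG  workspace and repository slugs of the target repo

# Write a GIT_ASKPASS helper that answers git's credential prompts from the
# environment. git runs it once per prompt with the prompt text as $1:
#   "Username for 'https://bitbucket.org': "
#   "Password for 'https://ci-bot@bitbucket.org': "
# Because the remote URL carries no credentials, the App Password never lands
# in .git/config, the shell history or `ps` output.
write_askpass() {
  cat > "$1" <<'EOF'
#!/bin/sh
case "$1" in
  Username*) printf '%s\n' "$BOT_USER" ;;
  Password*) printf '%s\n' "$BOT_APP_PASS" ;;
  *) exit 1 ;;
esac
EOF
  chmod 0700 "$1"
}

# HTTPS push with the bot's App Password. GIT_TERMINAL_PROMPT=0 makes git fail
# fast instead of hanging on a TTY prompt if the helper cannot answer.
push_https() {
  repo_dir="$1"; branch="$2"
  helper="$(mktemp)" || return 1
  write_askpass "$helper"
  GIT_ASKPASS="$helper" GIT_TERMINAL_PROMPT=0 \
    git -C "$repo_dir" push "https://bitbucket.org/$WORKSPACE/$REPO_SLUG.git" "HEAD:refs/heads/$branch"
  rc=$?
  rm -f "$helper"
  return $rc
}

# SSH push with the bot's key only: IdentitiesOnly stops ssh from offering every
# key the agent holds (which could authenticate as a human's account by
# accident), and BatchMode fails instead of prompting.
push_ssh() {
  repo_dir="$1"; branch="$2"
  GIT_SSH_COMMAND="ssh -i $BOT_SSH_KEY -o IdentitiesOnly=yes -o BatchMode=yes" \
    git -C "$repo_dir" push "git@bitbucket.org:$WORKSPACE/$REPO_SLUG.git" "HEAD:refs/heads/$branch"
}

# Usage from a Jenkins step (not executed here; values are placeholders):
#   BOT_USER=ci-bot BOT_APP_PASS="$SECRET" WORKSPACE=acme REPO_SLUG=app push_https "$PWD" main
#   BOT_SSH_KEY=/var/lib/jenkins/.ssh/bitbucket_bot WORKSPACE=acme REPO_SLUG=app push_ssh "$PWD" main
```

Both functions push `HEAD` to a fully qualified `refs/heads/<branch>` so a typo cannot create a stray tag or ref; the branch restriction still applies, so the bot account (not the token) must be the one listed under "Only specific people or groups have write access".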

Jake Esau January 26, 2023

Wish the answer was "Yes and here's how to do it" but at least I'm not the only one that wants it. I've added my vote to that request, I would suggest anyone else reading this do the same.

0 votes
Thomas Nystrøm September 15, 2023

@Patrik S 

I have a question closely related to the one starting this thread.

We have enabled 2FA and rely on access tokens in automation to update our branches, but are hit with permission issues when we try to copy a repository from one remote git repository (another cloud provider) to a remote git repository in Bitbucket Cloud.

We get this message when pushing the cloned repo to the Bitbucket Cloud repo.

remote: Permission denied to update branch master.
To https://bitbucket.org/xxxxx.git
 ! [remote rejected]     master -> master (pre-receive hook declined)
error: failed to push some refs to 'https://bitbucket.org/xxxxx.git'

For the workspace access token we have the following permissions.

Scopes

  • account
  • pipeline
  • pullrequest
  • pullrequest:write
  • repository
  • repository:admin
  • repository:delete
  • repository:write
  • runner

Creating a bot account and using Basic Auth or SSH Auth is not working in the automated pipeline because of 2FA. We are hit with two-step auth.

To access this repository, enable two-step authentication.

We cannot disable 2FA because of security policies. What options do we have?

Patrik S
Atlassian Team
September 19, 2023

Hello @Thomas Nystrøm and welcome to the Community!

The error you are receiving 

pre-receive hook declined

indicates there's a branch restriction on the destination branch preventing the push from occurring. Similar to my first comment on this thread, since the access token can't currently be added to branch restrictions, either Basic Auth or SSH authentication needs to be used.

With regards to the 2FA, this only affects sign-in on the Bitbucket website. 2FA is not asked when executing API calls/git commands using App Password or SSH key authentication, so you should be able to use one of those authentication methods for the git push command with the bot account.

Thank you, @Thomas Nystrøm !

Patrik S

Thomas Nystrøm September 27, 2023

As I understand it, the bot account is just an ordinary Bitbucket account similar to a user account, and our security policy requires that all Bitbucket accounts have 2FA enabled. We tried to use a bot account with an SSH auth key, but because of the 2FA requirement we get this error when the bot account tries to access the repository.

To access this repository, enable two-step authentication.

fatal: Could not read from remote repository.

Are there any special account types for "bots" in Bitbucket Cloud?

Patrik S
Atlassian Team
September 28, 2023

Hello @Thomas Nystrøm ,

You are correct. Currently, there's no concept of a "bot" account in Bitbucket Cloud, but you can create an ordinary account to act as a "bot" account.

As for the access control to require two-step verification, if this option is enabled in your workspace, any user who doesn't have two-step verification enabled will see a message that prompts them to enable it. Also, those users will not be able to clone, push or pull from a private repository within that workspace. This will also apply to the "bot" user account.

As of now, we don't have the option to specify which users will be affected by Access Controls (Enforce 2SV, IP Allowlisting); these are currently only available at a workspace-wide level, applying to all the users on the workspace. We have an open feature request to implement the functionality of user-specific access control (BCLOUD-21794). Feel free to add your vote on that feature and leave your feedback in the comments.

While that feature is not available, I'm afraid 2SV will need to be set up for the "bot" user account so it can clone/push from/to the repository.

Another option, in case your organization has an Atlassian Access subscription, is to enforce 2FA on Atlassian account layer (instead of Bitbucket workspace layer), where you will have more flexibility to configure multiple security levels for different user sets within your organization.

Thank you, @Thomas Nystrøm !

Patrik S

DEPLOYMENT TYPE
CLOUD