Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

How to add OAuth consumers to allowed writers in protected branch?


Hello, I'm facing a problem with semantic versioning in Bitbucket. Right now I'm out of ideas. I use OAuth consumer to provide access to repository for plugin. On merge to develop a pipeline is triggered so the semantic versioning plugin can handle versioning. Also in our project we use protected branches so you can't commit directly to the develop. When I added a user from wich I created OAuth consumer to allowed writers in protected develop branch it's still not working. It's clear that with OAuth consumer it's not a user who is authenticate, it's OAuth consumer and you can't add this consumer to allowed writes in protected branch. I tried to use App passwords but it's not supported right now in pipelines, so it's not working. I also for testing purpose I disabled a protection on branch and see if maybe I broke something during setting up the plugin, but then it was working. In addition I created environment variables like: GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL to point for a user from which I created a consumer and still not working. I don't know how we can resolve this problem..Zrzut ekranu 2022-08-19 o 09.49.59.png

1 answer

0 votes
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Aug 19, 2022

Hi @Marcin Nowak,

1. Can you please confirm if you are using Bitbucket Pipelines and if you are trying to push from Pipelines?

2. Are you trying to push new commits from the Pipeline to your repo?

I can see in your screenshot that the command executed is git push --tags, however pushing tags should be possible even with branch restrictions (pushing tags is not subject to branch restrictions, since it is not pushing new code).

Could you please confirm what operation is failing?

3. Have you created this consumer for a user's personal workspace? (A personal workspace is the workspace created by Bitbucket Cloud when a user signs up for an account) Or did you create it for the workspace that owns the repo where you are pushing?

4. You mentioned that you tried to use App passwords but it's not supported right now in pipelines. Could you please clarify what you mean that it's not supported, and share some details about your configuration?

If you are using Bitbucket Pipelines, and you want to push back to the same repo where Pipelines is running, you can change the remote URL of the repo with the following command in your bitbucket-pipelines.yml file

git remote set-url origin https://<your username>:${app_password}${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}

where <your username> replace with the Bitbucket username of the user (who is added in branch permissions)
app_password replace with the name of a Pipelines variable you create that holds an app password for this user

The author and committer email are not relevant, as they are not used for authentication.

Kind regards,


1. Yes I use Bitbucket Pipelines in whole process

2. The plugin it self commit and push changes (new version in package.json and changelog) + create new tag. It occurs an unauthorized error while pushing commit.

3. I created consumer in the project workspace with permission for Repositories with Read, Write and Admin (for debugging).

4. I tried to use app password but I got this error: remote: Bitbucket Cloud recently stopped supporting account passwords for Git authentication.

Zrzut ekranu 2022-08-29 o 12.33.32.png

Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Aug 30, 2022

Hi Marcin,

Thank you for the info.

Regarding the OAuth consumer, I just realized that I didn't clarify in my previous response that it is not possible to add an OAuth consumer in the branch permissions. We have a feature request for the ability to do this: I would recommend voting for it (by selecting the Vote for this issue link) if you'd be interested in that feature.


Regarding app passwords, I have tested pushing from Pipelines to my repo the way I described in my previous message, and it's something that works.

The error message you are seeing shows when the credentials are incorrect.
The remote URL you need to set is

https://<your username>:${app_password}${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}

<your username> should be the Bitbucket username for the account you are using to push, exactly as it appears in of this account (and without the < and > characters). It should not be the label for the app password.

app_password in my example is the name of a secured Repository variable I created that holds an app password for the same user. You should leave this as ${app_password} in the remote url, so Pipelines can read the value of the variable.

Have you used a Repository variable for the app password?

Could you please let me know what remote URL shows in your Pipelines log, in the line 'fatal: Authentication failed for...'? Without revealing the actual values for privacy reasons, just use some dummy values but leave the format as is.

In case this is a deployment step, an additional thing to check is if you have a deployment variable with the same name as the variable you used for the app password (in this case, the deployment variable would overwrite the repository variable).

Kind regards,

The command 

git remote set-url origin https://<your username>:${app_password}${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}

didn't work out, but I finally resolved my problem by adding app password in the .releaserc file which is used by the Semantic Release plugin.

"repositoryUrl": "https://<your username>${BITBUCKET_REPO_OWNER}/${BITBUCKET_REPO_SLUG}"

 Then in the pipeline I use sed command to change value APP_PASSWORD to true app password which is called BB_APP_PASSWORD in repository variables.

- sed -i "s/APP_PASSWORD/$BB_APP_PASSWORD/g" .releaserc
Like Theodora Boudale likes this
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
Sep 02, 2022

Thank you for the update Marcin, it's good to hear that you figured this out.

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events