Repository token instant leak on clone

Mikołaj February 21, 2023

Is it possible not to leak the repository access token instantly when cloning a repository?

The suggested clone URL is:
git clone https://x-token-auth:${THE TOKEN LEAKS HERE EVERYWHERE AS PLAIN TEXT WHEN ONE WANT TO CLONE THE REPO}@bitbucket.org/my-workspace/repo.git

This leaks everywhere: in the console, in the CI configuration (the repo address).
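Two defensive pieces for the problem described in the question, added here as an example (not code from the thread or from Atlassian): a scanner that finds and redacts secrets embedded in clone URLs in console or CI-config text, and a helper that builds a `git clone` command which hands the `x-token-auth` credentials to git through a one-off credential helper reading an environment variable, so the token never lands in the URL, `git remote -v` or `.git/config`. The sample log lines, the token value and the `BITBUCKET_TOKEN` variable name are constructed assumptions.

```python
import re

# Matches scheme://user:secret@host (secret = everything up to the '@').
URL_CRED_RE = re.compile(
    r"(?P<scheme>https?://)(?P<user>[^:/@\s]+):(?P<secret>[^@\s]+)@(?P<host>[^/\s]+)"
)

# Constructed sample of CI console output; the token value is a placeholder.
SAMPLE_CI_LOG = """\
[build] git clone https://x-token-auth:EXAMPLE-TOKEN-NOT-REAL@bitbucket.org/my-workspace/repo.git
[build] git clone https://bitbucket.org/my-workspace/other.git
"""


def find_embedded_credentials(text):
    """Return (line_no, user, host) for every line carrying a URL-embedded secret."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED_RE.finditer(line):
            findings.append((n, m.group("user"), m.group("host")))
    return findings


def redact_url_credentials(text):
    """Replace the secret part of every user:secret@host URL with '***'."""
    return URL_CRED_RE.sub(
        lambda m: f"{m.group('scheme')}{m.group('user')}:***@{m.group('host')}", text
    )


def clone_argv_without_token_in_url(repo_url, token_env="BITBUCKET_TOKEN"):
    """Build a git argv that supplies x-token-auth credentials via a one-shot
    credential helper reading $token_env (assumed to be a CI secret variable),
    so the token is never part of the URL or of the persisted remote config."""
    if URL_CRED_RE.search(repo_url):
        raise ValueError("repo_url must not contain credentials")
    # A helper starting with '!' is run by git as a shell command; it prints
    # the username/password pair on its stdout when git asks for 'get'.
    helper = f'!f() {{ echo username=x-token-auth; echo "password=${token_env}"; }}; f'
    return ["git", "-c", f"credential.helper={helper}", "clone", repo_url]


if __name__ == "__main__":
    for line_no, user, host in find_embedded_credentials(SAMPLE_CI_LOG):
        print(f"line {line_no}: credential for user {user!r} embedded in URL to {host}")
    print(redact_url_credentials(SAMPLE_CI_LOG))
    print(clone_argv_without_token_in_url("https://bitbucket.org/my-workspace/repo.git"))
```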

Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
February 24, 2023

Hi @Mikołaj and welcome to the community!

Even though it is possible to use a repository access token as part of the clone URL, this is something we do not recommend:

This method is useful if the Repository Access Token has been stored securely as a 'secret' variable in a build tool.

If this is not possible with the CI tool you are using, and if you only need to clone and pull from repos (and not push or any other operation), you can consider using SSH Access keys instead:

Access keys provide read-only access to a certain repository and are commonly used in CI tools that need to pull or clone a repository.

If you have any questions, please feel free to let me know.

Kind regards,
Theodora

Mikołaj March 10, 2023

I was about to use the repository access token to allow CI to push build status back to Bitbucket. But since TeamCity requires a username and token to do that (https://www.jetbrains.com/help/teamcity/commit-status-publisher.html#Bitbucket+Cloud), and a username for the access token is not available, I simply abandoned this idea.

So in this case, for read-only access, I'll check the SSH access key.

Theodora Boudale
Atlassian Team
March 13, 2023

Hi Mikołaj,

Thank you for the update.

If you would like to allow CI to push back to the repository, you could use the username and an app password of an account that has write access to this repo. You can read more about app passwords here:

Kind regards,
Theodora

Mikołaj April 5, 2023

Unfortunately, an app password is bound to a specific user, which should be avoided because a CI server is not about users but about projects. What's more, users may change frequently.

The ideal option would be to have an access key with additional write permissions, like access tokens.

Patrik S
Atlassian Team
April 6, 2023

Hello @Mikołaj ,

Bitbucket Cloud offers 3 different scopes of Access Keys: Repository, Project, and Workspace Access keys.

While the repository and project access keys only provide read access, the workspace access keys offer read/write access, so they might be an option for your CI/CD tool in case you need to push back to a repository using an access key.

I've recently authored an article about the Difference between the repository, project and workspace access keys which might be of help :) 

Thank you, @Mikołaj !
Patrik S

Mikołaj April 13, 2023

I'm aware of this, and it's kind of strange that only workspace keys are read/write, but not project and repository ones (if one wanted to restrict write access to the smallest scope possible instead of granting it for the whole workspace).

What's more, project and workspace access keys are not available in the Standard plan.
