Run Bitbucket shell runners hiding secrets

Pritesh Tailor
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
March 9, 2023

When a shell runners starts on a server with the command given at creation like:

./start.sh --accountUuid {XXXXXXXXXXXXXXXXXXXXX} --repositoryUuid {XXXXXXXXXXXXXXXXXXXXXXXX} --runnerUuid {XXXXXXXXXXXXXXXXXXXXXXXXXXX} --OAuthClientId XXXXXXXXXXXXXXXXXXXXXX --OAuthClientSecret XXXXXXXXXXXXXX-XXXXXXXXXXXXXXXXXXXXXXXXXXXXX --runtime linux-shell --workingDirectory ../temp

This exposes all the credentials to anyone using a communal server, where you can use ps or top to see this command get all the OAuthClientId, OAuthClientSecret, etc from the command running. 

 

is there a way the runner can be started with this data in a file like /etc/runner.env or environment variables so it's not exposed via the process inspection tools?

1 answer

1 accepted

1 vote
Answer accepted
Mark C
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
March 21, 2023

Hi @Pritesh Tailor,

Thank you for reaching out to the community.

You can indeed save those credentials in multiple environment variables first before you run it.
This way, those credentials will not be plainly visible when you use ps or top commands.

For example:

./start.sh --accountUuid $RUNNERS_ACCOUNT_UUID --repositoryUuid $RUNNERS_REPO_UUID --runnerUuid $RUNNERS_UUID --OAuthClientId $RUNNERS_CLIENTID --OAuthClientSecret $RUNNERS_CLIENT_SECRET --runtime linux-shell --workingDirectory ../temp

Let me know if you have further questions.

Regards,
Mark C

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events