We're using TeamCity as our CI build system. Currently we have a single Stash user for TeamCity which has read-only access rights to all repositories.
This is bad from the security point of view, as each project admin knows the password to a user which is able to read all Git repositories. Is there a possibility to create a read-only user for TeamCity per repository (or per project) without losing a licensed user each time?
I think "access keys" is what you're looking for: https://confluence.atlassian.com/display/STASH/Using+SSH+keys+to+secure+Git+operations. It allows you to create SSH keys that provide read-only access to a specific repository without them being linked to a user (and taking up a license).
Thanks for your initial reply, while your suggested solution sounds promising, it has drawbacks:
* According to https://confluence.atlassian.com/display/STASH/Enabling+SSH+access+to+Git+repositories+in+Stash it is not recommended to use SSH access for automatic build tools (see performance note on linked page)
* It forces us to create and manage a lot of keys which adds a lot of administrative work for our admin
* It forces us to enable SSH on the Stash server
Is there no chance to create read-only users per project/repository which do not add to the license number? Or any other HTTPS-based way to integrate Stash with TeamCity?
Glad to see someone is reading the documentation! You're right that switching to SSH will add more CPU load to your system and we advise people to use HTTP(S) when possible. It depends on the current load on your system whether this would be an issue or not. We currently don't support HTTP-based access keys, but feel free to open a feature request for it on https://jira.atlassian.com.
With respect to the other two drawbacks:
* Administrative work: you can set up access keys at either the project or repository level. Using SSH access keys or username/password combos for accessing repositories is approximately the same amount of administrative work I think. If you set up access keys at the project level, the overhead wouldn't be too bad?
* Forcing enabling SSH on the Stash server. Please note that Stash ships an embedded SSH server that _only_ allows a small number of operations. Users cannot open a shell on the server using it, nor run arbitrary commands. The SSH server only supports git-upload-pack, git-receive-pack, git-archive-pack and a custom whoami command.
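A worked example of the project-level access-key setup described in the answer above, added here as an illustration and not taken from the thread or from Atlassian: one SSH key per Stash project for the TeamCity agent, each bound to its own ssh_config alias with IdentitiesOnly so the agent can only ever present the key that was issued for that project. The host name stash.example.com, port 7999, the project keys PROJ and OPS and the repository slug backend are assumptions; replace them with your own. The public half of each generated key is what you paste into Stash under the project's access keys with read-only permission.

```shell
#!/bin/sh
# Added example, not code from the original post. One read-only SSH access key per
# Stash project, each tied to a dedicated ssh_config alias for the TeamCity agent.
# Assumed (not stated in the thread): Stash host stash.example.com, embedded SSH
# server on port 7999, project keys PROJ and OPS, repository slug "backend".
set -eu

STASH_HOST="stash.example.com"
STASH_SSH_PORT="7999"

# make_key DIR PROJECT: key pair with an empty passphrase (a build agent has nobody
# to type one) and a comment naming the project it belongs to. ed25519 is assumed to
# be accepted by your Stash version; use "-t rsa -b 4096" if the key is rejected.
make_key() {
    ssh-keygen -q -t ed25519 -N '' -C "teamcity-$2" -f "$1/teamcity-$2"
    chmod 600 "$1/teamcity-$2"
}

# write_stanza CFG PROJECT KEYFILE: append a Host alias that offers exactly one key.
# IdentitiesOnly stops ssh from also trying every other key on the agent, so a key
# registered for project A cannot be used, even by accident, to fetch project B.
write_stanza() {
    cat >>"$1" <<EOF
Host stash-$2
    HostName $STASH_HOST
    Port $STASH_SSH_PORT
    User git
    IdentityFile $3
    IdentitiesOnly yes
    StrictHostKeyChecking yes
EOF
}

# clone_url PROJECT REPO: the URL to put in TeamCity's VCS root. The alias, not the
# real host name, is what selects the key.
clone_url() {
    printf 'ssh://stash-%s/%s/%s.git\n' "$1" "$1" "$2"
}

# stanza_count CFG: number of project aliases in the config file.
stanza_count() {
    grep -c '^Host stash-' "$1"
}

# Demo run in a scratch directory; key generation is skipped if ssh-keygen is absent.
WORK=$(mktemp -d)
CFG="$WORK/ssh_config"
: >"$CFG"
for p in PROJ OPS; do
    write_stanza "$CFG" "$p" "$WORK/teamcity-$p"
    if command -v ssh-keygen >/dev/null 2>&1; then
        make_key "$WORK" "$p"
        echo "public key to register as read-only access key for $p:"
        cat "$WORK/teamcity-$p.pub"
    fi
done
echo "config $CFG holds $(stanza_count "$CFG") project stanzas"
echo "VCS root URL for PROJ/backend: $(clone_url PROJ backend)"
# Once the public key is registered in Stash, a read-only check that needs no push
# permission (run on the agent, against the real server):
#   GIT_SSH_COMMAND="ssh -F $CFG" git ls-remote "$(clone_url PROJ backend)"
```

On the TeamCity side, point the VCS root at the alias URL and set the agent's ssh command (GIT_SSH_COMMAND, or the agent user's ~/.ssh/config) to the generated file; revoking a project's key in Stash then cuts off exactly that project's builds and nothing else.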