Looking for security guidelines for Service Accounts when your instance is open to the internet

Matt
Rising Star
February 10, 2021

Hello all,

I'm wondering if anyone has some good insight on handling shared service accounts when your instance is open to the internet?

My org has been trying to solve this issue before fully allowing "service accounts" for our users to automate processes using Confluence. Our user base is sourced from AD. Service accounts would also live in AD and be synced to Confluence via a User Object Filter for the AD user directory.

The main concern is maintaining the privacy and security of these accounts so users do not share the credentials amongst each other or continue using them after they have left the company.

We've thought of the following possible solutions:

  • Using an API node which all API traffic would funnel through, but only allowing access to the API while on the internal company network. But how will that affect Confluence itself, or plugins, making calls to its own API? Also Jira? Would calls to these services also fail (from within Confluence or Jira) outside of our network?
  • Manually auditing who we know has access to the account credentials and updating the service accounts password upon change of "allowed accessors"
  • Is there a way to secure API access by IP?
  • What else could we do?

We've also reached out to Atlassian, who has basically said, "You shouldn't do it that way. Consider removing this scenario from your environment." without any kind of guidance on how to accomplish our needs outside of upgrading to 7.9 and using tokens. However, I'm finding it hard to see how tokens resolve this issue? Users would still be able to share the login account name and token and then authenticate, no?

We are currently on the 7.8 branch so using tokens is not an option yet, but we are investigating that as a solution. However, to my understanding, that still doesn't address "users sharing tokens for access to the API with each other without administrator knowledge."

Also, we can't just inform our users to store their own credentials in scripts... that's ridiculous.

Any implementation examples or guidance is greatly appreciated!

-Matt
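The post raises two complementary ideas: restricting API access to the internal network (the "API node" / IP-restriction options) and auditing who actually uses each service account. The script below is an added example, not code from the post or from Atlassian, showing the detective half of that: it reads access-log lines and flags any service account that authenticated from outside an allowed network range, which is exactly the signal you would want if a shared credential left the company with someone. The log line format, the account names, the allowed CIDR ranges and the IP addresses are all constructed for the example; a real Confluence (Tomcat) access log follows whatever pattern is configured in server.xml, so LOG_RE would need adjusting, and if Confluence sits behind a reverse proxy the client IP may only be present in X-Forwarded-For.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in combined-log style, with the authenticated user as the
# third field. This is NOT the real Confluence access-log pattern; adjust LOG_RE
# to whatever pattern your server.xml configures.
SAMPLE_LOG = """\
10.0.4.22 - svc_build [10/Feb/2021:09:12:01 +0000] "GET /rest/api/content?spaceKey=ENG HTTP/1.1" 200 5123
10.0.4.22 - svc_build [10/Feb/2021:09:12:03 +0000] "PUT /rest/api/content/12345 HTTP/1.1" 200 811
10.0.9.140 - jdoe [10/Feb/2021:09:15:44 +0000] "GET /display/ENG/Runbook HTTP/1.1" 200 20412
203.0.113.77 - svc_build [10/Feb/2021:22:47:10 +0000] "GET /rest/api/content?spaceKey=ENG HTTP/1.1" 200 5123
198.51.100.5 - svc_reports [10/Feb/2021:23:01:52 +0000] "GET /rest/api/search?cql=type=page HTTP/1.1" 401 0
198.51.100.5 - svc_reports [10/Feb/2021:23:02:04 +0000] "GET /rest/api/search?cql=type=page HTTP/1.1" 200 3090
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Policy assumptions (constructed): which directory accounts are service
# accounts, and which networks (the internal range / the "API node") they are
# expected to call the REST API from.
SERVICE_ACCOUNTS = {"svc_build", "svc_reports"}
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ip"] = ipaddress.ip_address(rec["ip"])
    rec["status"] = int(rec["status"])
    return rec


def is_allowed_source(ip, allowed=None):
    """True if the client address falls inside one of the allowed networks."""
    return any(ip in net for net in (allowed or ALLOWED_NETWORKS))


def audit(log_text, service_accounts=SERVICE_ACCOUNTS, allowed=None):
    """Return (off_network, successful_external).

    off_network: {user: sorted list of source IPs outside the allowlist}
    successful_external: [(user, ip)] for REST requests from outside the
    allowlist that were actually accepted (status < 400), i.e. the credential
    worked from a place it should never have been used.
    """
    off_network = defaultdict(set)
    successful_external = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] not in service_accounts:
            continue
        if is_allowed_source(rec["ip"], allowed):
            continue
        off_network[rec["user"]].add(str(rec["ip"]))
        if rec["path"].startswith("/rest/") and rec["status"] < 400:
            successful_external.append((rec["user"], str(rec["ip"])))
    return {u: sorted(ips) for u, ips in off_network.items()}, successful_external


if __name__ == "__main__":
    off_net, accepted = audit(SAMPLE_LOG)
    for user, ips in off_net.items():
        print(f"{user}: used from off-network IPs {', '.join(ips)}")
    for user, ip in accepted:
        print(f"ACCEPTED off-network REST call: {user} from {ip} -> rotate credential")
```

Run on a daily basis (or fed into a SIEM), a hit for a service account is the trigger for the "update the service account password upon change of allowed accessors" step in the post. The 401 line is deliberately excluded from the accepted list: a failed attempt from outside is worth knowing about, but a successful one means the secret itself has leaked. The enforcement half (denying `/rest/` outside the internal range) belongs on the reverse proxy or API node in front of Confluence; this check is what tells you whether that enforcement, or your manual audit, is actually holding.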


0 answers

Deployment type: Server
Version: 7.8.1
Tags: AUG Leaders
