Looking for security guidelines for Service Accounts when your instance is open to the internet

Hello all,

I'm wondering if anyone has some good insight on handling shared service accounts when your instance is open to the internet?

My org has been trying to solve this issue before fully allowing "service accounts" for our users to automate processes using Confluence. Our user base is sourced from AD. Service accounts would also live in AD and be synced to Confluence via a User Object Filter for the AD user directory.

The main concern is maintaining the privacy and security of these accounts so users do not share the credentials amongst each other or continue using them after they have left the company.

We've thought of the following possible solutions:

  • Using an API node which all API traffic would funnel through, but only allowing access to the API while on the internal company network. But how will that affect Confluence itself, or plugins, making calls to its own API? Also Jira? Would calls to these services also fail (from within Confluence or Jira) outside of our network?
  • Manually auditing who we know has access to the account credentials and updating the service accounts password upon change of "allowed accessors"
  • Is there a way to secure API access by IP?
  • What else could we do?

We've also reached out to Atlassian, who have basically said, "You shouldn't do it that way. Consider removing this scenario from your environment." without any kind of guidance on how to accomplish our needs outside of upgrading to 7.9 and using tokens. However, I'm finding it hard to see how tokens resolve this issue? Users would still be able to share the login account name and token and then authenticate, no?

We are currently on the 7.8 branch, so using tokens is not an option yet, but we are investigating that as a solution. However, to my understanding, that still doesn't address "users sharing tokens for access to the API with each other without administrator knowledge."

Also, we can't just inform our users to store their own credentials in scripts... that's ridiculous.

Any implementation examples or guidance are greatly appreciated!

-Matt
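The manual-audit and IP-restriction ideas listed in the post can be backed by a log review that flags service-account API calls arriving from outside the internal network and accounts that are used from more distinct sources than a single automation should need (a hint that credentials are being shared). The following is an added example, not code from the thread or from Atlassian; the log format, the internal CIDR ranges and the `svc_` naming convention are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Networks from which service-account API calls are expected (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Naming convention used to recognise service accounts (assumption).
SERVICE_ACCOUNT_PREFIX = "svc_"

# Constructed sample lines in a common-log style with the authenticated user
# in the third field; this is not the real Confluence access-log format.
SAMPLE_LOG = """\
10.1.2.3 - svc_build [12/Mar/2021:10:00:01 +0000] "GET /rest/api/content/123 HTTP/1.1" 200
10.1.2.3 - svc_build [12/Mar/2021:10:00:05 +0000] "PUT /rest/api/content/123 HTTP/1.1" 200
203.0.113.7 - svc_build [12/Mar/2021:10:02:11 +0000] "GET /rest/api/content/456 HTTP/1.1" 200
10.9.8.7 - svc_reports [12/Mar/2021:10:03:00 +0000] "GET /rest/api/search HTTP/1.1" 200
10.9.8.8 - svc_reports [12/Mar/2021:10:03:30 +0000] "GET /rest/api/search HTTP/1.1" 200
10.9.8.9 - svc_reports [12/Mar/2021:10:04:00 +0000] "GET /rest/api/search HTTP/1.1" 200
10.5.5.5 - alice [12/Mar/2021:10:05:00 +0000] "GET /pages/viewpage.action HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(log_text):
    """Yield (source_ip, user, path) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, user, _method, path, _status = m.groups()
            yield ip, user, path

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def audit(log_text, max_sources=2):
    """Report service-account REST calls from outside INTERNAL_NETS and
    service accounts seen from more than max_sources distinct IPs."""
    sources = defaultdict(set)
    external = []
    for ip, user, path in parse(log_text):
        if not user.startswith(SERVICE_ACCOUNT_PREFIX) or not path.startswith("/rest/"):
            continue
        sources[user].add(ip)
        if not is_internal(ip):
            external.append((user, ip, path))
    shared = {u: sorted(ips) for u, ips in sources.items() if len(ips) > max_sources}
    return {"external": external, "shared": shared}
```

Findings from such a review are what would drive the password rotation the post describes when the set of "allowed accessors" changes.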


0 answers

Deployment type: Server
Version: 7.8.1