Jira Cloud API Token Permissions (How to limit permissions)

Raunak October 17, 2019

Hi Everyone,
We currently use JIRA Cloud as our ticket management/issue tracking system. We have multiple project boards set up in our Jira instance.

We are looking to integrate JIRA into our project management tool to pull in tasks from one of our projects in JIRA.

What is the best way of limiting the API token's access to just one project?

From my understanding, Jira API tokens are limited to the permissions set on the user profile. For instance, if a user profile is given access to a particular project, the API token generated from that account will only be able to access the projects/resources associated with that account. Is this the correct assumption?

 

3 answers

2 votes
Nicolo March 3, 2023

TLDR: there is no way to do this.

This is absolutely nuts and a huge security concern.

Not many non-technical people using Jira may be aware of this, but trust me, this needs to be fixed ASAP. I will go the managing-a-new-user route, but I'm questioning the seriousness of Atlassian managing API tokens like this.

Oliver Siebenmarck _Polymetis Apps_
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
March 3, 2023

Hi @Nicolo,

I'm not an Atlassian, but very interested in the whole API/integration topic. Take the following with a grain of salt and definitely not as an official Atlassian position.

As far as I understand it, Atlassian's position is that users can create personal API tokens, the operative word here being personal, i.e. a token will also reflect the permissions of the user who created it. Any changes made using that token will therefore also show up as being made by the user.

Oh, and just because it wasn't mentioned on this thread before: An API token is tied to the user, not the instance. If a user (say a contractor) has access to many instances, their API tokens do too. 

In short, the personal API token is great if you want to quickly script something for yourself. It is not meant to be used in large-scale integrations. Here, Atlassian's thinking seems to be that you'd write an app for that and use OAuth.

However, not everyone wants to manage tons of functional users or write dedicated apps just so that a tiny integration can use the API. That's why we created API Key Manager (also available for Confluence) to let users create and manage API keys with much tighter restrictions and even expiry dates.

Getting back to @Raunak's original question: yes, you can restrict an API key created with API Key Manager to just be able to read issues from one project.

Best regards,
Oliver

Sean Young December 6, 2023

It seems your app doesn't let you limit APIs to projects. Only API endpoints, correct? I installed a trial but couldn't find a way to limit our API keys in that way.

Oliver Siebenmarck _Polymetis Apps_
Rising Star
December 7, 2023

Hi @Sean Young,

That's right, the app lets you limit the key by API endpoint (and HTTP verb). In many cases that fits nicely with allowing calls per project, for example with something like this:

/rest/api/3/issue/DEMO
/rest/api/3/project/DEMO/

But wherever the project is not part of the endpoint URL, this approach does not fit that well. 

Hope that explains it a bit better, but be sure to let me know what exactly you were trying to achieve, maybe there's something we can do to help.

Best regards,
Oliver
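
To make the endpoint-and-verb approach described above concrete, here is an added Python illustration (constructed for this thread, not the API Key Manager app's own code) of an allow-list keyed on HTTP verb and REST path. The rules are assumptions in the spirit of the two paths quoted, and the last function shows the gap Oliver mentions: a rule for a path such as `/rest/api/3/search` carries no project key, so it cannot be scoped to one project by path alone.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed allow-list: (HTTP verb, path pattern).
# fnmatch wildcards apply, and "*" also crosses "/" (sub-resources match).
ALLOW_RULES = [
    ("GET", "/rest/api/3/issue/DEMO-*"),    # single issues of project DEMO
    ("GET", "/rest/api/3/project/DEMO"),    # the project itself
    ("GET", "/rest/api/3/project/DEMO/*"),  # its sub-resources
]


def is_allowed(method, url, rules=ALLOW_RULES):
    """True if the request's verb and path match any allow rule.
    Only the path is matched; the query string is deliberately ignored."""
    path = urlparse(url).path.rstrip("/") or "/"
    return any(method.upper() == verb and fnmatchcase(path, pattern)
               for verb, pattern in rules)


def project_in_path(url):
    """Project key when the v3 issue or project resource path carries one,
    else None (other resources are not recognised by this helper)."""
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) >= 5 and parts[:3] == ["rest", "api", "3"]:
        if parts[3] == "project":
            return parts[4]
        if parts[3] == "issue":
            return parts[4].split("-")[0]
    return None


def unscoped_rules(rules=ALLOW_RULES):
    """Allow rules whose path names no project. Such a rule, for example
    ("GET", "/rest/api/3/search"), lets the key query every project the
    underlying user can see, because the project only appears in JQL."""
    return [r for r in rules if project_in_path("https://x" + r[1]) is None]


if __name__ == "__main__":
    base = "https://your-site.atlassian.net"  # placeholder hostname
    for verb, path in [("GET", "/rest/api/3/issue/DEMO-42"),
                       ("PUT", "/rest/api/3/issue/DEMO-42"),
                       ("GET", "/rest/api/3/issue/OTHER-7"),
                       ("GET", "/rest/api/3/search?jql=project%3DOTHER")]:
        print(verb, path, "->", "allow" if is_allowed(verb, base + path) else "deny")
    print("rules that cannot be scoped by path:",
          unscoped_rules(ALLOW_RULES + [("GET", "/rest/api/3/search")]))
```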

0 votes
Matthew Crocco June 24, 2022

Is there a feature request for this that I can follow?

0 votes
Warren
Rising Star
October 18, 2019

Hi @Raunak,

I feel as if you've answered your own question :-)

Yes, the token only allows access to whatever that user has access to in Jira, so if you want a token that can only access 1 project, ensure that the user can only access that 1 project.
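
Since the answer above makes the dedicated user the scoping mechanism, a practitioner will want to verify it rather than assume it. The following is an added Python check (not from this thread or from Atlassian): it pages through Jira Cloud's `GET /rest/api/3/project/search` with basic auth (the user's e-mail plus API token) and reports any project the token can see beyond an allow-list. The hostname is a placeholder, and the sample pages are constructed so the comparison can be exercised offline.

```python
import base64
import json
import urllib.request


def visible_project_keys(pages):
    """Collect project keys from one or more pages of
    GET /rest/api/3/project/search (each a dict with a "values" list)."""
    return sorted({p["key"] for page in pages for p in page.get("values", [])})


def over_scoped(pages, allowed_keys):
    """Projects the token can see beyond the allow-list.
    An empty list means the dedicated user is scoped as intended."""
    return sorted(set(visible_project_keys(pages)) - set(allowed_keys))


def iter_project_pages(base_url, email, api_token):
    """Live call (not exercised offline): follow nextPage until isLast.
    base_url is a placeholder such as https://your-site.atlassian.net."""
    auth = base64.b64encode(f"{email}:{api_token}".encode()).decode()
    url = f"{base_url}/rest/api/3/project/search"
    while url:
        req = urllib.request.Request(url, headers={
            "Authorization": f"Basic {auth}",
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        yield page
        url = None if page.get("isLast", True) else page.get("nextPage")


# Constructed sample pages standing in for a live two-page response.
SAMPLE_PAGES = [
    {"isLast": False, "values": [{"key": "DEMO", "name": "Demo project"}]},
    {"isLast": True, "values": [{"key": "HR", "name": "HR tickets"}]},
]


if __name__ == "__main__":
    # Replace SAMPLE_PAGES with list(iter_project_pages(...)) for a live audit.
    extra = over_scoped(SAMPLE_PAGES, {"DEMO"})
    print("token can also see:", extra if extra else "nothing beyond allow-list")
```

If the live audit reports extra projects, the fix is on the Jira side: tighten the dedicated user's project permissions and re-run the check.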

Raunak November 17, 2020

@Ivanov, Kyrylo [Global IT] as far as I know/observed, the API is provided with the same permissions as the user generating it. It is not possible to have the scenario you described.

Steve Revill February 10, 2021

This implementation is a joke. You need to create and manage dummy user accounts for every API token. And I assume each of these accounts counts as a "seat" in your licence fees?

Even worse, there's no facility to impersonate users so you also have to mess-about actually logging into Jira as the dummy user in order to create/revoke/etc. the associated API token.

Am I the only one thinking this is madness? Sensible platforms, like GitLab to name one, allow you to tailor the permissions on the API token at the point of its creation...

Capi [resolution]
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
February 10, 2021

That's how it works in Bitbucket on premise @Steve Revill . It will propagate to the remaining applications, but it might take some time.

Steve Revill February 10, 2021

Thanks for the response. Am I missing something? For example, if I create three API tokens, I can somehow constrain them so that each can, for example, only access a specific project respectively? Or is the official line that I need a unique dummy user for each API token?

Edit: apologies - having re-read the previous post, I realise I misinterpreted the answer. It is: the better (IMO) way of doing things will be coming to Jira at some point.

Francesco Consiglio June 4, 2021

@Steve Revill I believe you can't. The API token will align to the user's privileges. And no, you're not the only one deprecating this risky feature. In fact, I just bumped into this.

Rob Verdon January 20, 2022

This is definitely a HUGE security concern.
There is no reason you shouldn't be able to limit what API tokens have permission to.

If an application becomes compromised and leaks the API tokens, having full permissions to the Atlassian portal is a big risk.
