Bitbucket Pipelines SSH Key – Unexpected Source IPs Not in Allowlist Document

Ali Dogan
June 11, 2025

Hello,

We're attempting to deploy code on Bitbucket Cloud using Pipelines. As a security measure, we plan to authenticate via SSH key pairs instead of using credentials.

We're currently facing an issue with IP whitelisting. We're following the guidance provided in this document:

IP addresses and domains to allowlist in your corporate firewall | Bitbucket Cloud | Atlassian Support

However, when we monitor the incoming traffic — specifically after clicking the "Fetch" button in the Bitbucket UI — we observe that the source IP of the SSH connection is not listed in the IP ranges provided in the official document. Instead, it appears to come from an AWS IP address.

Could you clarify:

Is the document outdated or missing entries?

Are we possibly referring to the wrong documentation for SSH-based interactions from Bitbucket Pipelines?

Any guidance would be appreciated.
Ali

1 answer

0 votes
Ben
Atlassian Team
June 12, 2025

Hi Ali,

As per the documentation you've linked (Valid IP addresses for Bitbucket Pipelines build environments heading):

The servers that execute all steps on Atlassian Cloud Infrastructure, are hosted on Amazon Web Services (AWS).

An exhaustive list of IP addresses that the traffic may come from on AWS can be found by using the following endpoint, filtering to records where the service equals EC2 or S3, and using the us-east-1 and us-west-2 regions. We do not recommend using these IP ranges as a security control.

If you prefer to use a more limited or narrowed IP range, you should utilize the atlassian-ip-ranges that are available in the new larger instances (4x and above).

As a reminder, Atlassian does not recommend configuring IP-based firewalls as the only mechanism to protect access to your infrastructure. As an example, in addition to IP-based firewall rules, you should also use a secure means of authentication for any services exposed to Bitbucket Pipelines (e.g., by using OIDC).

If you still require further assistance, please raise a support ticket directly with our team, as we will need to check your Pipelines Build YML and build logs for further information to assist you:

Cheers!

- Ben (Bitbucket Cloud Support)
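
The filter quoted in the answer above (service EC2 or S3, regions us-east-1 and us-west-2), applied to an observed source IP. This is an added example, not part of the original thread or Atlassian's tooling: it assumes the endpoint returns JSON in the layout of AWS's published ip-ranges.json, the sample records are constructed from documentation-reserved ranges, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# Prefixes are RFC 5737 / RFC 3849 documentation ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.loads("""
{
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "S3"},
    {"ip_prefix": "203.0.113.0/24",  "region": "eu-west-1", "service": "EC2"},
    {"ip_prefix": "192.0.2.0/24",    "region": "us-east-1", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "us-west-2", "service": "EC2"}
  ]
}
""")

SERVICES = {"EC2", "S3"}               # services named in the answer
REGIONS = {"us-east-1", "us-west-2"}   # regions named in the answer


def pipelines_candidate_networks(doc, services=SERVICES, regions=REGIONS):
    """Return de-duplicated networks matching the service/region filter."""
    nets = set()
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for rec in doc.get(key, []):
            if rec.get("service") in services and rec.get("region") in regions:
                nets.add(ipaddress.ip_network(rec[field]))
    # Sort IPv4 before IPv6; networks of one version are comparable.
    return sorted(nets, key=lambda n: (n.version, n))


def classify_source(ip, networks):
    """Return the network containing an observed source IP, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


if __name__ == "__main__":
    nets = pipelines_candidate_networks(SAMPLE_IP_RANGES)
    for observed in ("198.51.100.7", "203.0.113.9", "2001:db8:1::5"):  # constructed
        print(observed, "->", classify_source(observed, nets) or "outside filtered ranges")
```

A match only shows that the connection came from shared AWS address space in those regions, which is why the quoted documentation advises against treating these ranges as a security control.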

Deployment type: Cloud
Product plan: Premium