Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Does Bitbucket support rotating HTTP access keys?

Dongliu
Dongliu April 10, 2024

I'm currently storing my Bitbucket HTTP access key in AWS Secrets Manager that is then pulled by Lambda functions to perform operations on the Bitbucket API. I need to be able to routinely rotate this access key - whether it be manually or programmatically.

Does the Bitbucket API offer an endpoint that allows me to generate a new access key from an existing access key? Or to generate refreshable access keys that come with refresh tokens?

Answer
Watch
Like Be the first to like this
404 views

1 answer

0 votes
Hariharan Iyer
Hariharan Iyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 10, 2024 edited

Hi @Dongliu ,

Unfortunately automatic rotation is not supported as of now. There is a ticket open for this already but from the comments it doesn't look like any work has gone into it.

 

Thanks,

Hariharan

View More Comments
Dongliu
Dongliu April 11, 2024 edited

Thanks for the response. That is unfortunate.

I do see that there exist endpoints to create access tokens under https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-authentication/

These could be used as part of a rotation strategy.

Do you know what permission / authentication is required to make these API calls?

I attempted with a personal access token and got a 401 Unauthorized.

Like
Hariharan Iyer
Hariharan Iyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 11, 2024

I believe you will need the Admin permission level on the respective object (project or repository) to invoke that particular API.

Like
Dongliu
Dongliu April 11, 2024 edited

The HTTP personal access tokens - from my understanding - are just used to authenticate my user to the REST API and should replicate my account permissions.

When I visit, for example, the following URL in my browser logged into my account I get a 200 response : rest/access-tokens/latest/users/<user_slug>

When I use basic auth for the call, I also get a 200 response.

But when I use my generated HTTP access token to make that call, I get a 401 Unauthorized.

Am I misunderstanding the permissions that my personal access token has?

Like
Dongliu
Dongliu April 11, 2024

Do ignore me.

I just came across a section on your documentation:

  • You can't use a token to perform changes on behalf of a user (for example, create new tokens or update user account details).

 

Appears a token cannot be used to create a token. Also quite unfortunate.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Bitbucket
Bitbucket
TAGS
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.