
Does Bitbucket support rotating HTTP access keys?

Dongliu April 10, 2024

I'm currently storing my Bitbucket HTTP access key in AWS Secrets Manager that is then pulled by Lambda functions to perform operations on the Bitbucket API. I need to be able to routinely rotate this access key - whether it be manually or programmatically.

Does the Bitbucket API offer an endpoint that allows me to generate a new access key from an existing access key? Or to generate refreshable access keys that come with refresh tokens?

1 answer

0 votes
Hariharan Iyer
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 10, 2024 edited

Hi @Dongliu ,

Unfortunately automatic rotation is not supported as of now. There is a ticket open for this already but from the comments it doesn't look like any work has gone into it.


Thanks,

Hariharan

Dongliu April 11, 2024 edited

Thanks for the response. That is unfortunate.

I do see that there exist endpoints to create access tokens under https://developer.atlassian.com/server/bitbucket/rest/v819/api-group-authentication/

These could be used as part of a rotation strategy.

Do you know what permission / authentication is required to make these API calls?

I attempted with a personal access token and got a 401 Unauthorized.

Hariharan Iyer
Atlassian Team
April 11, 2024

I believe you will need the Admin permission level on the respective object (project or repository) to invoke that particular API.

Dongliu April 11, 2024 edited

The HTTP personal access tokens - from my understanding - are just used to authenticate my user to the REST API and should replicate my account permissions.

When I visit, for example, the following URL in my browser logged into my account, I get a 200 response: rest/access-tokens/latest/users/<user_slug>

When I use basic auth for the call, I also get a 200 response.

But when I use my generated HTTP access token to make that call, I get a 401 Unauthorized.

Am I misunderstanding the permissions that my personal access token has?

Dongliu April 11, 2024

Do ignore me.

I just came across a section on your documentation:

  • You can't use a token to perform changes on behalf of a user (for example, create new tokens or update user account details).


Appears a token cannot be used to create a token. Also quite unfortunate.
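A rotation routine in the shape this thread arrives at (mint the replacement with basic credentials, store it, only then revoke the old one), as an added example that is not part of the thread or Atlassian's code. It assumes the create call is PUT rest/access-tokens/latest/users/<user_slug> with a name/permissions JSON body returning id and token, and that revocation is DELETE on .../<user_slug>/<token_id>; the HTTP transport is injected, and a constructed fake reproduces the 200-under-basic-auth / 401-under-token-auth behaviour reported above.

```python
import base64
from typing import Callable, Optional

def basic_auth_header(username: str, password: str) -> dict:
    # An HTTP access token cannot mint another token (the 401 seen in the thread),
    # so the rotation request itself has to carry basic credentials.
    raw = f"{username}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def rotate_access_token(transport: Callable, user_slug: str, auth_headers: dict,
                        store_secret: Callable[[str], None], old_token_id: Optional[str] = None) -> str:
    """Create a replacement token, persist it, then revoke the old one; return the new id."""
    base = f"rest/access-tokens/latest/users/{user_slug}"
    status, body = transport("PUT", base, auth_headers,
                             {"name": "lambda-rotated", "permissions": ["REPO_READ"]})  # assumed body shape
    if status == 401:
        raise PermissionError("401: token auth cannot create tokens; rotate with basic auth")
    if status not in (200, 201) or "token" not in body:
        raise RuntimeError(f"unexpected response {status}: {body}")
    store_secret(body["token"])  # store before revoking so consumers never hit a gap
    if old_token_id is not None:
        status, _ = transport("DELETE", f"{base}/{old_token_id}", auth_headers, None)
        if status not in (200, 204):
            raise RuntimeError(f"new token stored, old token {old_token_id} not revoked ({status})")
    return body["id"]

class FakeBitbucket:
    """Constructed offline stand-in reproducing the behaviour reported in the thread."""
    def __init__(self) -> None:
        self.tokens: dict = {}
        self.next_id = 1
    def __call__(self, method: str, path: str, headers: dict, payload: Optional[dict]):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):  # bearer/token auth -> 401, as Dongliu observed
            return 401, {"errors": [{"message": "Authentication failed"}]}
        if method == "PUT":
            tid, self.next_id = str(self.next_id), self.next_id + 1
            self.tokens[tid] = payload["name"]
            return 200, {"id": tid, "name": payload["name"], "token": f"constructed-secret-{tid}"}
        if method == "DELETE":
            tid = path.rsplit("/", 1)[1]
            return (204, {}) if self.tokens.pop(tid, None) is not None else (404, {})
        return 200, {"values": list(self.tokens)}  # GET listing: the 200 seen under basic auth

if __name__ == "__main__":
    fake, vault = FakeBitbucket(), []
    first = rotate_access_token(fake, "dongliu", basic_auth_header("svc", "pw"), vault.append)
    second = rotate_access_token(fake, "dongliu", basic_auth_header("svc", "pw"), vault.append, old_token_id=first)
    print(f"rotated {first} -> {second}; live tokens: {list(fake.tokens)}")
```

In a Lambda the store_secret callable would be the Secrets Manager write and transport a real HTTP client; the ordering (create, store, verify, revoke) is what keeps consumers from ever holding a revoked token.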
