How to use Bearer Token on Git repository - jenkins

In my API testing automation framework, I'm using a Bearer Token to validate the API. This token is in a properties file. I cannot commit this properties file to GitHub as it contains the API token. Can someone suggest how to use this API token? When the API testing framework is invoked from Jenkins, it will take this git repo, so how will it get the API access token (Bearer)?
How can I use the API Bearer Token securely on GitHub?

In your repository, you can store data as secrets, so they are not exposed to anyone by just viewing the repository.
Then you can use these secrets in a pipeline, for example as environment variables:
    steps:
      - name: Hello world
        env:
          super_secret: ${{ secrets.SuperSecret }}
So your code has to be able to work with environment variables.
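As an added example (not code from the answer above or from any project), here is how a test runner started by a CI job can pick the token up from the injected environment variable and, on a developer machine, fall back to an untracked local properties file, without ever writing the full token to the build log. The variable name API_BEARER_TOKEN, the property key api.token and the file name local.properties are assumptions.

```sh
#!/bin/sh
# Added example, not from the original answer. Resolve the API bearer token the way a
# CI-injected secret expects: environment variable first, untracked properties file
# second, hard failure otherwise. API_BEARER_TOKEN, api.token and local.properties
# are assumed names.
set -eu

# resolve_bearer_token [properties-file]
# Writes the token to stdout for the caller to capture with $(...); nothing is
# printed to the build log. Returns 1 with a message on stderr if no token exists.
resolve_bearer_token() {
    props="${1:-local.properties}"
    if [ -n "${API_BEARER_TOKEN:-}" ]; then
        printf '%s' "$API_BEARER_TOKEN"
        return 0
    fi
    if [ -f "$props" ]; then
        # Java properties line "api.token=value": take the first match, drop a CR left
        # by Windows editors, strip the key and surrounding blanks, keep any '=' in
        # the value itself.
        tok=$(grep '^[[:space:]]*api\.token[[:space:]]*=' "$props" | head -n 1 \
              | tr -d '\r' | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
        if [ -n "$tok" ]; then
            printf '%s' "$tok"
            return 0
        fi
    fi
    echo "no API token: set API_BEARER_TOKEN or api.token in $props" >&2
    return 1
}

# redact TOKEN: the only form of the token that may appear in a log line
# (first and last four characters, or **** for anything short).
redact() {
    tok="$1"
    if [ "${#tok}" -le 8 ]; then
        printf '****'
    else
        printf '%s...%s' "$(printf '%s' "$tok" | cut -c1-4)" \
                         "$(printf '%s' "$tok" | sed 's/.*\(....\)$/\1/')"
    fi
}

# Typical use at the top of the test entry script (API_URL is a placeholder):
#   TOKEN=$(resolve_bearer_token "$WORKSPACE/local.properties")
#   echo "using token $(redact "$TOKEN")"
#   curl -sS -H "Authorization: Bearer $TOKEN" "$API_URL/health"
```

Keep local.properties in .gitignore and commit only a template with the key left empty; the CI job then supplies the value through its secret store exactly as the answer describes.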

Related

Get authorization CodeArtifact token from Bitbucket Pipelines run

I'm using Bitbucket as a source control service and I'm interested to start using its pipelines capability to build and deploy my app. I'm using AWS CodeArtifact to host my Java artifacts.
The thing I'm struggling with is how to authenticate to AWS CodeArtifact from the Bitbucket pipelines.
How to run
    aws sso login --profile XXXX
    export CODEARTIFACT_AUTH_TOKEN=`aws codeartifact get-authorization-token ....
Is there a best practice to deal with this?
I think the exportation of the CODEARTIFACT_AUTH_TOKEN env var is quite fine. For the first authentication to AWS, you probably want to take a look into Bitbucket OIDC capabilities:
https://bitbucket.org/blog/bitbucket-pipelines-and-openid-connect-no-more-secret-management
https://support.atlassian.com/bitbucket-cloud/docs/deploy-on-aws-using-bitbucket-pipelines-openid-connect/
Essentially, setting up an identity provider in your AWS account that will let your pipelines assume a role by just declaring
    - step:
        name: My pipeline
        oidc: true
        ...
(also exporting an AWS_ROLE_ARN somewhere)
Identities and the assumed roles can be set up with granular clearance levels per repository, deployment stage, etc.
Setting up an OIDC identity provider can be cumbersome. You might be interested in giving https://registry.terraform.io/modules/calidae/bitbucket-oidc/aws/latest a look, even if you weren't using terraform.
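As an added example (not code from the answer above, from Atlassian or from the Terraform module it links), here is the script a step declared with oidc: true would run: it hands the step's OIDC token to the AWS CLI through the standard web-identity variables, so the CLI performs the AssumeRoleWithWebIdentity exchange itself, and then exports the CodeArtifact token as in the question. BITBUCKET_STEP_OIDC_TOKEN is the variable Bitbucket sets for such a step and AWS_ROLE_ARN is the repository/deployment variable the answer mentions; the domain, account id and token file path are placeholders.

```sh
#!/bin/sh
# Added example, not from the original answer. Runs inside a Bitbucket Pipelines
# step that declares "oidc: true". BITBUCKET_STEP_OIDC_TOKEN is provided by
# Bitbucket; AWS_ROLE_ARN comes from a secured pipeline variable, never from the
# repository contents. Domain/account values and the file path are assumptions.
set -eu

# configure_aws_oidc [token-file]
# Writes the OIDC token to a file readable only by the build user and exports the
# variables the AWS CLI/SDK read to call sts:AssumeRoleWithWebIdentity on their
# own. The token itself is never echoed; only the file path is printed.
configure_aws_oidc() {
    file="${1:-$PWD/web-identity-token}"
    : "${BITBUCKET_STEP_OIDC_TOKEN:?step must declare oidc: true}"
    : "${AWS_ROLE_ARN:?set AWS_ROLE_ARN as a secured pipeline variable}"
    ( umask 077; printf '%s\n' "$BITBUCKET_STEP_OIDC_TOKEN" > "$file" )
    export AWS_WEB_IDENTITY_TOKEN_FILE="$file"
    export AWS_ROLE_SESSION_NAME="bitbucket-${BITBUCKET_BUILD_NUMBER:-local}"
    printf '%s' "$file"
}

# export_codeartifact_token DOMAIN DOMAIN_OWNER_ACCOUNT_ID
# The same call as in the question, but the AWS credentials now come from the
# assumed role. Keep the result in the environment, not in a log line.
export_codeartifact_token() {
    CODEARTIFACT_AUTH_TOKEN=$(aws codeartifact get-authorization-token \
        --domain "$1" --domain-owner "$2" \
        --query authorizationToken --output text)
    export CODEARTIFACT_AUTH_TOKEN
}

# Pipeline step usage (placeholder domain and account id):
#   configure_aws_oidc >/dev/null
#   export_codeartifact_token my-domain 123456789012
#   mvn -s settings.xml deploy   # settings.xml reads ${env.CODEARTIFACT_AUTH_TOKEN}
```

Because the role is assumed per step from a short-lived identity token, there is no long-lived AWS key to store in Bitbucket; the trust policy on the role decides which repositories and deployment environments may assume it.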

What is the best way to login to the Azure Devops CLI from a Release Pipeline?

I am using the Azure DevOps CLI in one of my pipelines. In order to use the CLI I first need to log in (authenticate). Unlike using the REST API, I can't use the OAuth token that is available to me.
So here's my understanding of my options:
I can do an "az login" using a PAT that I map to this environment variable:
    AZURE_DEVOPS_EXT_PAT
THIS IS THE WAY I'm doing it now.
Apparently you can use a Service Principal. I like this the most because I should theoretically be able to have this principal apply to everyone on my team. Is that correct?
Use "az login" with a user/password. This is the least desirable way of doing it because it involves passing around credentials. Too messy.
Although my pipeline has the OAuth token exposed (System.AccessToken), it cannot be used by the CLI. For example, if I try to assign the value of the OAuth token to AZURE_DEVOPS_EXT_PAT it fails (AZURE_DEVOPS_EXT_PAT=$System.AccessToken).
Questions:
Is it possible to use the OAuth token to log in to the CLI?
Is the Service Principal the best way to go?
Additional Info:
I do not have subscriptions, only a tenant-id; we're not creating any Azure resources, we're an AWS shop that happens to be using ADO only for CI/CD.
Use az devops login instead of az login
From your pipeline use:
    - script: echo $(AccessToken) | az devops login
      env:
        AccessToken: $(System.AccessToken)
A few interesting notes:
Secrets (like System.AccessToken) are available to scripts unless you pass them in explicitly as environment variables
the System.AccessToken variable is the default access token of the build agent
there is a project-specific build agent and a project-collection build agent. The one you use is actually controlled by the 'limit access to current project scope' flag in the Pipeline settings for the project.
you may need to elevate permissions for the build agent if you're trying to manipulate objects. For example, you could grant the Create Tag permission on a repository if you wanted the build agent to update the repository.
you can also create your own PAT token with permissions that you specify.

List private repositories of bitbucket using api 2.0

I am writing a bash script which will take a backup of all my Bitbucket Cloud repositories.
I have multiple private repositories in Bitbucket and I want to list them using the Bitbucket API 2.0.
I have tried adding a Bitbucket consumer but I am stuck on how to create an access token and use it in a curl command which gives me a list of all private repositories.
Can someone please let me know about auth generation in Bitbucket, and how to generate an access token and pass it to the Bitbucket API?

Webhook for Jenkins without credentials in URL

I've got a webhook setup in GitLab to detect whenever changes are pushed to the project repo. This works as needed, however the URL in use contains my Jenkins credentials and I'd like to make this more secure. e.g.:
https://username:password#jenkins.url.com/project/git-project
Is there a way to generate a token of sorts in Jenkins instead of providing my username and password?
There are access tokens in GitLab; you can use them. On the Jenkins side, you can install the GitLab plugin and then add new credentials for SSH and the GitLab API Token. Please see this and this for more details.

How to automate release and staging phases with token using Jenkins and Artifactory?

I want to automate the Artifactory release and staging in a Jenkins job.
I got this curl command,
    curl -X GET "http://localhost:9090/job/artifactory-8.0-release/artifactory/staging?
It is working fine, but it is asking for authentication. When I automate it, I need to call this using only a token, not user credentials.
Please help.
There are several ways to use tokens for authentication.
Basic Authentication
    curl -u<USERNAME>:<TOKEN> http://ARTIFACTORY_URL/api/system/ping
Authorization Headers
    curl -H"Authorization: Bearer <TOKEN>" http://ARTIFACTORY_URL/api/system/ping
Source: JFrog Artifactory documentation page 'Access Tokens'
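Both forms above place the token on the curl command line, where it is visible in process listings and shell history on a shared Jenkins agent. As an added example (not code from the answer or from JFrog), the following writes the credential into a curl config file instead and calls Artifactory with curl -K, so the token never appears in argv. ARTIFACTORY_TOKEN, ARTIFACTORY_USER and ARTIFACTORY_URL are assumed to be injected by the Jenkins credentials binding; the config file name is an assumption.

```sh
#!/bin/sh
# Added example, not from the original answer or the JFrog docs. Keep the Artifactory
# token out of the curl command line by writing it to a curl config file (-K) that only
# the agent user can read. ARTIFACTORY_TOKEN / ARTIFACTORY_USER / ARTIFACTORY_URL are
# assumed to come from the Jenkins credentials binding.
set -eu

# write_curl_auth MODE FILE
# MODE is "bearer" (Authorization header) or "basic" (user:token), matching the two
# forms in the answer. Prints the file path; the token itself is never printed.
# Tokens are assumed to contain no double quotes (curl config values are quoted).
write_curl_auth() {
    mode="$1"; file="$2"
    : "${ARTIFACTORY_TOKEN:?token must be injected by the CI job}"
    case "$mode" in
        bearer) line="header = \"Authorization: Bearer $ARTIFACTORY_TOKEN\"" ;;
        basic)  line="user = \"${ARTIFACTORY_USER:?basic auth needs a user}:$ARTIFACTORY_TOKEN\"" ;;
        *)      echo "unknown auth mode: $mode" >&2; return 2 ;;
    esac
    ( umask 077; printf '%s\n' "$line" > "$file" )
    printf '%s' "$file"
}

# artifactory_get PATH
# Calls the Artifactory REST API with the config file, then removes it.
# ARTIFACTORY_URL is a placeholder such as https://artifactory.example.test
artifactory_get() {
    cfg=$(write_curl_auth bearer "${TMPDIR:-/tmp}/curl-auth.$$")
    curl -sS --fail -K "$cfg" "${ARTIFACTORY_URL}/artifactory/$1"
    rm -f "$cfg"
}
# e.g. artifactory_get api/system/ping
```

In a Jenkins job, bind the token with the credentials plugin so it is masked in the console output, and prefer the Bearer form: the Basic form ties the call to a named user and sends the token as a password on every request.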
