Locking Down Your Bitbucket: SSH Keys, Access Tokens, and Permissions Explained
So, you’re using Bitbucket to manage your code – awesome! But are you making sure it’s secure? Leaving your Bitbucket repository exposed is like leaving your house unlocked. Luckily, there are some simple steps you can take to keep your codebase safe. Today, we’ll cover three key areas: SSH Keys, Access Tokens, and Permissions. Think of it as your Bitbucket security checklist.
1. SSH Keys: Your Key to the Kingdom (Without the Password)
Imagine typing a password every time you want to push code to Bitbucket. Annoying, right? That’s where SSH keys come in. An SSH key is a public/private key pair: the private key stays on your computer and Bitbucket holds only the public half. When you connect, your machine proves it holds the private key without ever sending it, so there is no password to type and nothing reusable crosses the network.
Why Use SSH Keys?
- Convenience: No more password prompts!
- Security: the private key never leaves your machine, and the public key Bitbucket stores is useless to anyone who steals it. A password or token, by contrast, can be replayed by whoever obtains it.
- Automation: Essential for automated deployments and scripts.
How to Set Up SSH Keys:
The process involves two steps: generating a key pair on your computer and adding the public key to your Bitbucket account.
- Generating an SSH key pair: This is done in your terminal (Command Prompt or PowerShell on Windows, Terminal on macOS and Linux), most commonly with the `ssh-keygen` command:
  `ssh-keygen -t ed25519 -C "your_email@example.com"`
  (Replace `your_email@example.com` with your actual email address; the `-C` text is only a comment that helps you tell keys apart later.) The command prompts for a location to save the keys; the default (`~/.ssh/id_ed25519`) is usually fine. It also asks for a passphrase. Set one: the passphrase encrypts the private key on disk, so someone who copies the file still cannot use it without the passphrase. Load the key into `ssh-agent` once per session so you are not asked for the passphrase on every push.
- Adding the public key to Bitbucket: After generating the key pair, you’ll have two files:
  - `id_ed25519` (or similar): your private key. KEEP THIS SAFE and NEVER SHARE IT, and never paste it into any website.
  - `id_ed25519.pub` (or similar): your public key. This is the one you upload to Bitbucket.
Open the `.pub` file in a text editor and copy the entire contents (a single line beginning with `ssh-ed25519`). Then:
- Log in to your Bitbucket account.
- Click on your profile avatar in the bottom left corner and select “Personal settings”.
- Go to “SSH keys” under the “Security” section.
- Click “Add key”.
- Give your key a label (e.g., “My Laptop”).
- Paste the public key content into the “Key” field.
- Click “Add key”.
Now you should be able to push and pull over SSH. Test it by cloning a repository using its SSH URL (the one that starts with `git@bitbucket.org:`). If the clone prompts for a password, SSH did not use your key: check that the key is loaded in `ssh-agent` and that the public key you pasted into Bitbucket matches the `.pub` file on disk.
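Before pasting, it is worth checking that what you copied really is a public key and that it is one worth uploading. The following is an added example (my own Python, not Bitbucket’s or OpenSSH’s tooling) that parses the `.pub` line format `ssh-keygen` writes, refuses a private key, a malformed blob or an RSA key shorter than 2048 bits, and prints the SHA256 fingerprint in the same form `ssh-keygen -lf` prints, which you can compare with the fingerprint Bitbucket lists once the key is added. The sample keys inside it are constructed from fixed bytes and are not real keys.

```python
"""Sanity-check an OpenSSH public key line before pasting it into Bitbucket.

Added example, not Bitbucket's or OpenSSH's code. It parses the
"<type> <base64> [comment]" format that ssh-keygen writes to id_*.pub,
rejects private keys and weak or malformed material, and reports the
SHA256 fingerprint in the form `ssh-keygen -lf` shows.
"""
import base64
import hashlib
import struct

SUPPORTED = ("ssh-ed25519", "ssh-rsa")
MIN_RSA_BITS = 2048


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, offset: int):
    """Decode one SSH wire-format string at offset; returns (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -lf prints it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_public_key(line: str) -> dict:
    """Validate one public-key line; raise ValueError with a reason if it is unusable."""
    line = line.strip()
    if line.startswith("-----BEGIN"):
        raise ValueError("this is a PRIVATE key; upload only the .pub file")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in SUPPORTED:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:            # binascii.Error subclasses ValueError
        raise ValueError("key material is not valid base64") from exc
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("type prefix does not match the encoded key")
    if key_type == "ssh-ed25519":
        raw, offset = _read_string(blob, offset)
        if len(raw) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    else:  # ssh-rsa: exponent e then modulus n, both as mpints
        _e, offset = _read_string(blob, offset)
        n, offset = _read_string(blob, offset)
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA key is only {bits} bits; generate an ed25519 key instead")
    if offset != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    return {"type": key_type, "bits": bits, "comment": comment,
            "fingerprint": fingerprint(blob)}


def is_valid_public_key(line: str) -> bool:
    """True if the line is an uploadable public key, False otherwise."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def build_public_key_line(key_type: str, fields, comment: str = "") -> str:
    """Assemble a .pub line from raw fields (used here only to make sample data)."""
    blob = _ssh_string(key_type.encode("ascii"))
    for field in fields:
        blob += _ssh_string(field)
    line = f"{key_type} {base64.b64encode(blob).decode('ascii')}"
    return f"{line} {comment}" if comment else line


# Constructed sample keys, NOT real credentials: the ed25519 "key" is the bytes
# 0..31, and the RSA moduli are 2^(bits-1)+1 so their bit lengths are exact.
SAMPLE_ED25519 = build_public_key_line("ssh-ed25519", [bytes(range(32))], "alice@example.com")
_E = b"\x01\x00\x01"
SAMPLE_RSA_2048 = build_public_key_line("ssh-rsa", [_E, b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big")], "ci")
SAMPLE_RSA_1024 = build_public_key_line("ssh-rsa", [_E, b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big")], "old-laptop")

if __name__ == "__main__":
    import sys
    # Usage: python check_pubkey.py < ~/.ssh/id_ed25519.pub
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ED25519
    try:
        info = parse_public_key(text)
    except ValueError as err:
        sys.exit(f"refusing this key: {err}")
    print(f"{info['type']} {info['bits']} bits  {info['fingerprint']}  {info['comment']}")
```

Run it as `python check_pubkey.py < ~/.ssh/id_ed25519.pub`. Once the key is added, `ssh -T git@bitbucket.org` confirms that Bitbucket accepts it before you try a clone.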
2. Access Tokens: Fine-Grained Control for Applications
Sometimes you need to give an application or service access to your Bitbucket account. Handing over your account password is not an option: it grants everything your account can do, and it cannot be revoked for that one application without changing it for you too. That’s where access tokens come in.
What are Access Tokens?
Access tokens are credentials issued to a specific application rather than a person. Each one carries a chosen set of permissions (for example read-only access to repositories), works for Git over HTTPS and for the REST API, and can be revoked individually at any time without affecting anything else.
When to Use Access Tokens:
- CI/CD Pipelines: Giving your continuous integration system access to your repository to automatically build and test your code.
- Third-Party Tools: If you’re using a tool that integrates with Bitbucket.
- Automation Scripts: Scripts that need to interact with the Bitbucket API.
Creating an Access Token:
- Log in to your Bitbucket account.
- Click on your profile avatar in the bottom left corner and select “Personal settings”.
- Go to “App passwords” under the “Security” section. (This is what Bitbucket Cloud calls a personal access token: it acts with your full identity and stops working if your account is removed. For CI/CD and other automation, prefer a Repository, Project or Workspace access token, created from that repository’s, project’s or workspace’s settings: it is scoped to the code it needs and does not depend on any one person’s account.)
- Click “Create app password”.
- Give your token a label (e.g., “CI/CD Pipeline”).
- Carefully select the permissions you want to grant. Give the token only the minimum it needs: if the application only reads your repository, don’t give it write access. Common permissions include:
  - `read` for Repositories, Issues, Pull requests
  - `write` for Repositories, Issues, Pull requests (use with caution: this lets the token holder push code)
  - `read` for Account (user profile information)
- Click “Create”.
Important: Bitbucket shows the token only once. Copy it straight into a secret store (your CI system’s secrets, a password manager, or a vault), never into source code or a config file that might be committed. If you lose it, revoke it and create a new one rather than hunting for the old one.
3. Permissions: Who Can See (and Change) Your Code?
Permissions are all about controlling who has access to your repositories.
Types of Bitbucket Permissions:
- Read: Users can view the repository and its contents.
- Write: Users can make changes to the repository (push code, create branches, etc.).
- Admin: Users have full control over the repository, including managing permissions, deleting the repository, etc.
Managing Permissions:
- For private repositories: You need to explicitly grant access to users or groups. Be mindful of who you grant write or admin access to.
- For public repositories: Anyone can view the code, including its full history. Be extra careful not to commit sensitive information (like API keys or passwords); a secret that was committed and later deleted is still visible in old commits, so treat it as compromised and rotate it. You can still control who can contribute by requiring pull request approvals and setting branch permissions.
Best Practices for Permissions:
- Principle of Least Privilege: Grant users only the minimum permissions they need to perform their tasks.
- Use Groups: Instead of assigning permissions to individual users, create groups and assign permissions to the groups. This makes managing permissions much easier, especially as your team grows.
- Regularly Review Permissions: Periodically review who has access to your repositories and revoke access for users who no longer need it.
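“Regularly review permissions” is easier to do when it is a script rather than a click-through, and a script is also where an access token earns its keep. The following is an added example (my own Python, not Atlassian’s code) that serves both the access-token section and the permission review above: it authenticates with a repository or workspace access token read from the environment rather than hard-coded, pages through the repository’s user permissions, and flags every grant that is above what a least-privilege list allows or held by someone not on the list at all. The API path and response shape are assumptions based on the Bitbucket Cloud 2.0 REST API (the `permissions-config/users` endpoint) and should be confirmed against the current API reference; the sample response embedded below is constructed and runs offline.

```python
"""Audit who holds what on a Bitbucket Cloud repository.

Added example, not Atlassian's code. Shows (a) authenticating with a
repository/workspace access token from the environment and (b) a
least-privilege check over the permission list. Runs offline on a
constructed sample. The endpoint path and response shape are ASSUMED
from the Bitbucket Cloud 2.0 API; verify them against the API reference.
"""
import json
import os
import urllib.request
from typing import Optional

API = "https://api.bitbucket.org/2.0"
RANK = {"read": 1, "write": 2, "admin": 3}


def auth_headers(token: Optional[str] = None) -> dict:
    """Bearer header for a repository, project or workspace access token.
    (An app password would use HTTP Basic auth with <username>:<app password>.)"""
    token = token or os.environ.get("BITBUCKET_TOKEN")
    if not token:
        raise RuntimeError("set BITBUCKET_TOKEN to an access token; never commit it")
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def fetch_user_permissions(workspace: str, repo_slug: str, token: Optional[str] = None) -> list:
    """Follow 'next' links through the (assumed) permissions-config/users endpoint."""
    url = f"{API}/repositories/{workspace}/{repo_slug}/permissions-config/users"
    values = []
    while url:
        req = urllib.request.Request(url, headers=auth_headers(token))
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        values.extend(page.get("values", []))
        url = page.get("next")
    return values


def summarize(values: list) -> dict:
    """Count holders of each permission level."""
    counts = {"read": 0, "write": 0, "admin": 0}
    for entry in values:
        counts[entry["permission"]] = counts.get(entry["permission"], 0) + 1
    return counts


def audit(values: list, expected: dict) -> list:
    """Compare actual grants with `expected` ({nickname: highest allowed level}).

    Returns (nickname, actual_permission, reason) for every grant that is above
    the allowed level or held by someone not on the list at all. Someone holding
    less than expected is not reported: less access is never the risk here."""
    findings = []
    for entry in values:
        who = entry["user"]["nickname"]
        actual = entry["permission"]
        allowed = expected.get(who)
        if allowed is None:
            findings.append((who, actual, "not on the expected access list"))
        elif RANK[actual] > RANK[allowed]:
            findings.append((who, actual, f"exceeds expected '{allowed}'"))
    return findings


# Constructed sample mimicking the assumed API response; these are not real accounts.
SAMPLE_VALUES = [
    {"type": "repository_user_permission", "permission": "admin",
     "user": {"nickname": "alice", "display_name": "Alice"}},
    {"type": "repository_user_permission", "permission": "write",
     "user": {"nickname": "bob", "display_name": "Bob"}},
    {"type": "repository_user_permission", "permission": "admin",   # CI bot holding admin
     "user": {"nickname": "ci-bot", "display_name": "CI Bot"}},
    {"type": "repository_user_permission", "permission": "read",    # nobody expects mallory
     "user": {"nickname": "mallory", "display_name": "Mallory"}},
]
# The most each account should hold under least privilege.
EXPECTED = {"alice": "admin", "bob": "write", "ci-bot": "read"}

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                      # python audit.py <workspace> <repo_slug>
        values = fetch_user_permissions(sys.argv[1], sys.argv[2])
    else:
        values = SAMPLE_VALUES
    print("holders by level:", summarize(values))
    for who, actual, reason in audit(values, EXPECTED):
        print(f"FINDING: {who} has {actual}: {reason}")
```

On the sample this reports two findings: the CI account holding admin when read would do, and an account that is not on the expected list at all. The same access token, used for Git over HTTPS, goes in the clone URL as the user `x-token-auth` with the token as the password; keep it in the CI secret store and pass it through an environment variable, as `auth_headers` does, so it never appears in a committed file.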
In Conclusion
Securing your Bitbucket account isn’t a one-time thing; it’s an ongoing process. By using SSH keys, access tokens, and carefully managing permissions, you can significantly reduce the risk of unauthorized access and keep your code safe. So, take a few minutes to review your settings and make sure your Bitbucket account is locked down! Your future self (and your team) will thank you.