How to run an Elastic Agent on Windows with Elevated Privileges


Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The instructions in this KB article are provided "as-is" and on a best-effort basis. Atlassian can't be held accountable for any misuse of the instructions on this page. It is up to each customer to decide on the security best practices to apply. We advise customers to reach out to their Security team before applying any of the instructions outlined in this article.

Summary

This article explains how to run a Bamboo Elastic Agent instance on Windows with Elevated Privileges.

Environment

  • Bamboo Data Center
  • Elastic Agents running on Windows
  • Elevated privileges / Administrator access

Diagnosis

When attempting to run builds that contain commands that require elevated privileges, such as Windows's sc.exe, the Job fails with a permission denied error.

Cause

The Bamboo Elastic Agents Windows stock images come with security configurations that adhere to best practices, including User Account Control (UAC) and least-privilege policies. By default, the local "Bamboo" account, which the Elastic Agent uses to perform tasks, is set with standard user permissions and does not have elevated privileges. This security measure is intended to minimize the risk of unintended changes to the system and ensure a secure operating environment.

However, certain operations, such as executing administrative commands like "sc.exe" to manage Windows services, require elevated privileges that are not granted to the default "Bamboo" account. To enable the Elastic Agent to perform these tasks, it is necessary to modify the configuration of the Elastic Agent image. Specifically, UAC must be disabled and the "Bamboo" account needs to be added to the "Administrators" group, granting it the necessary permissions to run commands and perform actions that require administrative access.

Solution

This solution is tested on Bamboo Windows Stock images. Customers are also free to create a custom Elastic image (not supported).

Create a new Elastic Image Configuration

Disabling UAC and adding the "Bamboo" user account to Windows's Administrators group is necessary. Follow the instructions below to add an Instance Startup Script that will do that.

The Instance Startup Script instructions will require an additional restart of the EC2 instance. This may slightly impact the instance startup times.

  1. Go to Bamboo Administration > Image Configurations
  2. Fill in the "Elastic image configuration details" form with your regular Image details and submit; if you already have an Image configuration you want to use, you can skip this step
  3. Edit the new Image configuration by locating it and clicking on Edit
  4. Under Instance startup script add the following content:

    Instance Startup Script
    @echo off
    :: Add the local "bamboo" account to the Administrators group first, so the
    :: change is in place whether or not a restart follows. Adding a member that
    :: is already present raises an error; it is suppressed so the script stays
    :: idempotent if it runs again after the reboot.
    powershell.exe -NoProfile -Command ^
        "Add-LocalGroupMember -Group 'Administrators' -Member 'bamboo' -ErrorAction SilentlyContinue"

    :: Read the current UAC status (EnableLUA) using PowerShell.
    :: usebackq lets the PowerShell command keep its own single quotes.
    for /f "usebackq tokens=*" %%i in (`powershell.exe -NoProfile -Command "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' | Select-Object -ExpandProperty EnableLUA"`) do (
        set UACStatus=%%i
    )
    :: Check if UAC is enabled (1) or disabled (0). A change to EnableLUA only
    :: takes effect after a restart, which is why the instance is rebooted.
    if "%UACStatus%"=="1" (
        echo UAC is enabled. Disabling UAC...
        rem Disable UAC using PowerShell (rem, not ::, is safe inside a parenthesised block)
        powershell.exe -NoProfile -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 0"
        rem Restart the machine
        echo Restarting the machine...
        shutdown /r /t 0
    ) else (
        echo UAC is already disabled. No action needed.
    )
  5. Save the Image configuration
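A verification Script Task, added here as an example and not part of this KB or of Bamboo itself, that checks on a running instance whether the startup script took effect: EnableLUA reads 0, "bamboo" is a member of Administrators, and the task's own process token is elevated. It assumes the Script Task interpreter is set to Windows PowerShell and that the agent account is named "bamboo" as above; the task exits non-zero when any check fails, so a misconfigured image is caught before a job depends on it.

```powershell
# Example verification task (not from the KB). Assumes the Bamboo Script Task
# runs this with the Windows PowerShell interpreter under the "bamboo" account.
$ErrorActionPreference = 'Stop'
$problems = @()

# 1. UAC: EnableLUA must be 0. It only changes after the reboot the startup
#    script issues, so a value of 1 usually means the restart has not happened.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$enableLua = (Get-ItemProperty -Path $policy -Name 'EnableLUA').EnableLUA
if ($enableLua -ne 0) {
    $problems += "EnableLUA is $enableLua (expected 0); the instance may not have restarted yet"
}

# 2. Group membership: "bamboo" must be a direct member of local Administrators.
#    Member names come back as COMPUTERNAME\bamboo, hence the anchored regex.
$members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
$isMember = [bool]($members -match '\\bamboo$')
if (-not $isMember) {
    $problems += "bamboo is not in Administrators (members: $($members -join ', '))"
}

# 3. Token: even as an admin, this process must actually hold an elevated token,
#    otherwise sc.exe stop/start will still be denied.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $elevated) {
    $problems += "process token for $($identity.Name) is not elevated"
}

Write-Host ("EnableLUA={0} AdminMember={1} Elevated={2}" -f $enableLua, $isMember, $elevated)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host 'OK: agent account is elevated on this instance'
```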

Associate your Jobs, Plans and Projects with the new Image Configuration

Please create a separate Elastic Image configuration for that purpose and dedicate it to specific jobs that require elevated privileges. This mitigates the possibility of the image being used generally by ordinary builds that don't require such privileges.

  1. Go to Bamboo Administration > Image Configurations
  2. Locate your image configuration and click on its name
  3. Click on Dedicate image
  4. Follow the menus to dedicate the image configuration only to your pipeline components (Job, Plan or Project) which have a hard requirement on elevated privileges
  5. Save the settings

Testing the solution

Here's a sample Script Task in a Job that can be used to test whether the configuration is successful:

sc query spooler
sc stop spooler

sleep 3
sc query spooler
sc start spooler

sleep 3
sc query spooler

You should expect the following logs after execution:

build	22-Nov-2024 00:37:36	C:\build\BAM-WIN-JOB1>sc query spooler 
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:36	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:36	        STATE              : 4  RUNNING 
build	22-Nov-2024 00:37:36	                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:36	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:36	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:36	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:36	        WAIT_HINT          : 0x0
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	C:\build\BAM-WIN-JOB1>sc stop spooler 
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:36	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:36	        STATE              : 3  STOP_PENDING 
build	22-Nov-2024 00:37:36	                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:36	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:36	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:36	        CHECKPOINT         : 0x3
build	22-Nov-2024 00:37:36	        WAIT_HINT          : 0x4e20
build	22-Nov-2024 00:37:36	
build	22-Nov-2024 00:37:36	C:\build\BAM-WIN-JOB1>sleep 3 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	C:\build\BAM-WIN-JOB1>sc query spooler 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:39	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:39	        STATE              : 1  STOPPED 
build	22-Nov-2024 00:37:39	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:39	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:39	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:39	        WAIT_HINT          : 0x0
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	C:\build\BAM-WIN-JOB1>sc start spooler 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:39	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:39	        STATE              : 2  START_PENDING 
build	22-Nov-2024 00:37:39	                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:39	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:39	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:39	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:39	        WAIT_HINT          : 0x7d0
build	22-Nov-2024 00:37:39	        PID                : 2872
build	22-Nov-2024 00:37:39	        FLAGS              : 
build	22-Nov-2024 00:37:39	
build	22-Nov-2024 00:37:39	C:\build\BAM-WIN-JOB1>sleep 3 
build	22-Nov-2024 00:37:42	
build	22-Nov-2024 00:37:42	C:\build\BAM-WIN-JOB1>sc query spooler 
build	22-Nov-2024 00:37:42	
build	22-Nov-2024 00:37:42	SERVICE_NAME: spooler 
build	22-Nov-2024 00:37:42	        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
build	22-Nov-2024 00:37:42	        STATE              : 4  RUNNING 
build	22-Nov-2024 00:37:42	                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
build	22-Nov-2024 00:37:42	        WIN32_EXIT_CODE    : 0  (0x0)
build	22-Nov-2024 00:37:42	        SERVICE_EXIT_CODE  : 0  (0x0)
build	22-Nov-2024 00:37:42	        CHECKPOINT         : 0x0
build	22-Nov-2024 00:37:42	        WAIT_HINT          : 0x0
simple	22-Nov-2024 00:37:42	Finished task 'Stop Spooler' with result: Success
simple	22-Nov-2024 00:37:42	Running post build plugin 'Docker Container Cleanup'
simple	22-Nov-2024 00:37:42	Running post build plugin 'NCover Results Collector'
simple	22-Nov-2024 00:37:42	Running post build plugin 'Build Results Label Collector'
simple	22-Nov-2024 00:37:42	Running post build plugin 'Clover Results Collector'
simple	22-Nov-2024 00:37:42	Running post build plugin 'npm Cache Cleanup'
simple	22-Nov-2024 00:37:42	Running post build plugin 'Artifact Copier'
simple	22-Nov-2024 00:37:42	Finalising the build...
simple	22-Nov-2024 00:37:42	Stopping timer.
simple	22-Nov-2024 00:37:42	Build BAM-WIN-JOB1-22 completed.

Last modified on Nov 22, 2024
