Where SSH keys are stored in Bitbucket Server when a new repository is linked to Bamboo
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
If you have Bamboo integrated with Bitbucket Server via Application links and link a new repository to Bamboo using the "Bitbucket Server" repository type, an SSH key pair is automatically generated. The private key is stored encrypted inside the Bamboo database and the public key is sent to Bitbucket via the integration. Depending on the permissions the user that was used to authorize the connection has for the repository in Bitbucket, the keys will be stored in different places.
Solution
For repository admins:
An SSH access key for system use will be added to the repository. As this key will not be tied to any specific user in Bitbucket, even If the user used to create it gets deleted later on in Bitbucket, the repository will still work in Bamboo. If you want to revoke access to the repository, the key will need to be manually removed from Bitbucket.
For non-admin accounts:
If the user that added the repository to Bamboo has only "write" permissions to the repository in Bitbucket, the public key will be added to his profile (a new key for every new repository they link). If this user gets deleted in Bitbucket, all checkout tasks from plans using this repository configuration in Bamboo will stop working, requiring the linked repository to be re-saved in Bamboo so a new SSH key pair can be generated.
