Personal access tokens

Personal access tokens replace username and password authentication. They are a secure way to use scripts and integrate external applications with Bamboo. If an external system is compromised, you simply revoke the token instead of changing passwords, and consequently changing it in all scripts and integrations.

For added security, when you’re creating a token you can also set it to automatically expire. This is optional, but if your admin has made this a requirement you’ll need to select an expiry date that’s within the limits they’ve set. Once a token has been created, its expiry date can't be changed. You can see the expiry dates for all your tokens in the HTTP access tokens page list.

You can authenticate with personal access tokens to:

  • call REST APIs

  • download artifacts

  • download build and deployment logs

  • download agent installer

Using personal access tokens

To use a personal access token for authentication, you have to pass it as a bearer token in the Authorization header of a REST API call.

Here's an example of rest using a bearer token:

curl -H "Authorization: Bearer NDc4NDkyNDg3ODE3OstHYSeYC1UgXqRacSqvUbookcZk" http://localhost:8085/bamboo/rest/api/latest/plan/PROJ-PLAN 

Managing personal access tokens

To view and manage your personal access token in Bamboo:

  • Admins can't create tokens for users.
  • Admins can revoke tokens from Administration > Security > Users > {user_name} > Personal access tokens page.

Creating a token

  1. From the top navigation bar select your avatar, and select Profile.
  2. Select the Personal access tokens tab.
    Here you can view your existing tokens or create a new one.

  3. Select the Create token button.
  4. Give your token a name.
  5. Assign permissions to your token.

    Learn more about tokens' permissions...

    Permissions are set when creating a token and can't be modified later. By default, for security reasons, personal access tokens have read-only permissions:

    • Read-only permissions — the token will be only allowed to read data from Bamboo that you can normally view. It won’t be allowed to read data, that the associated user can't read.

    • Triggering permissions — the token will be able to start builds and deploy environments that you normally can run. It won’t be allowed to trigger builds or deployments that the associated user can't run.

    • Same as user — token will have the same set of permissions as you (i.e. edit or admin).

    It’s recommended that you assign the lowest possible set of permissions to the token. This way even if the token gets compromised, it will be possible to perform only a limited set of actions with it.

  6. Optionally, set an expiration date for your token.

    This step may be required if your system admin has made setting personal token expiration a requirement.

    Learn more about requiring personal access token expiration

  7. Record your token in a safe manner. For security reasons, the token value is shown only once. If you don’t record the token value or lose it you won’t be able to recover it and will have to create a new token.

  8. Select Finish.

Revoking a token

  1. From the top navigation bar select your avatar, and select Profile.
  2. Select the Personal access tokens tab.

  3. Hover over your token name.
    The revoke button appears on the right.

  4. Select Revoke.

  5. Select Confirm.



Last modified on Aug 7, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.