Configure Bitbucket with HashiCorp Vault
HashiCorp Vault is a secrets management platform that helps you store, access, and manage sensitive data. Bitbucket now supports Vault as a secure storage option for your product configuration file.
Supported engines
- We only support retrieving the most recent version of a secret. 
 
Supported authentication
How to set up Vault
The steps below assume you already have a Hashicorp Vault instance running. For more details, see the Hashicorp Vault documentation.
To configure Bitbucket to work with HashiCorp Vault:
- Create a secret in your HashiCorp Vault instance. 
- Create a policy with permission to read your secret. 
- Authenticate Bitbucket with Vault. 
- Add the Vault configuration data to the - <home-directory>/shared/bitbucket.propertiesfile.
Important
It's quite common for Vault deployments to have a KV V2 Secret Engine enabled under the secret  mount. If you are using a different Vault deployment, please see the HashiCorp documentation for enabling a new KV V2 Secret Engine:
https://developer.hashicorp.com/vault/docs/secrets/kv/kv-v2
These steps are explained in more detail below.
Step 1: Create a secret in your HashiCorp Vault instance
If you haven’t created a secret in the KV V2 Secret Engine of your Vault instance before, take a look at the Hashicorp Vault documentation for more information.
This secret must contain a single value for your product configuration file.
Step 2: Create a policy with permission to read your secret
If you need detailed instructions on creating a policy in Vault, see the Hashicorp Vault documentation. The details below provide additional information from the Bitbucket perspective.
To retrieve your secret from the Vault, Bitbucket must have a policy with the read permission.
Below is a sample Vault policy with permission to read a secret in the KV V2 Secret Engine.
path "secret/data/sample/secret" {
  capabilities = ["read"]
}In the sample path above, there are three components:
| Component | Description | 
|---|---|
| 
 | This is where the KV V2 Secret Engine is mounted. | 
| 
 | This prefix indicates this is a KV V2 secret. | 
| 
 | This is the path that contains this secret. | 
If the previous policy is located in ./sample_policy.hcl, this command will create the policy on the server:
vault policy write sample_policy ./sample_policy.hclStep 3: Authenticate Bitbucket with Vault
You can choose to authenticate with a token, or, if you’re using a Kubernetes environment, with the Kubernetes auth method. Both methods are described below.
Authenticate with a token
The information below assumes you’re familiar with creating a Vault token. Refer to the HashiCorp Vault documentation for more information and token options.
- Create a new token using the command: - vault token create -policy=sample_policy
- To confirm that your token and policy allow access to the secret, run the commands: - export VAULT_TOKEN=<YOUR_TOKEN> vault kv get -mount=secret sample/secret
- You should see the following output: - ====== Secret Path ====== secret/data/sample/secret ======= Metadata ======= Key Value --- ----- ~~~~ ~~~~~ ====== Data ====== Key Value --- ----- ~~~~ ~~~~~- If you don’t see the output above, refer to the Hashicorp documentation to troubleshoot the issue. 
 To complete the process, an environment variable associated with the token must be present on Bitbucket.
- Define the environment variable - SECRET_STORE_VAULT_TOKENin the context of the Bitbucket instance. A simple way to do this is to add the following line to the- ~/.bashrcfile for the user running Bitbucket:- export SECRET_STORE_VAULT_TOKEN=<YOUR_TOKEN>
Authenticate using Kubernetes Service Account Token
If Bitbucket is operating within a Kubernetes environment, you can leverage the Kubernetes auth method. This method uses a Kubernetes Service Account Token to confirm the identity of the pod that runs Bitbucket and to grant the appropriate access.
Refer to the Hashicorp Vault documentation for more information on how to set up Kubernetes auth method in your Vault instance. Make sure you have enabled Kubernetes auth method on your Vault server before you start the steps below.
You will also need to set some environment variables in the following steps. The table below describes these.
| Environment variable | Description | 
|---|---|
| 
 | The name of the role defined in Vault that’s attached to Kubernetes auth method. | 
| 
 | The path defined in Kubernetes auth method. The default value is: | 
| 
 | The location of the Service Account Token file in the pod for Bitbucket. The default value is:  | 
- If you used custom path to create a Kubernetes auth method, replace - kubernetesin the CLI command in the following step with your path name.
- Define a role to link the auth method with the - sample_policyyou created with the following command:- vault write auth/kubernetes/role/<YOUR_NEW_ROLE_NAME> \ bound_service_account_names=<YOUR_PRODUCT_SERVICE_ACCOUNT_NAME> \ bound_service_account_namespaces=<YOUR_PRODUCT_SERVICE_NAMESPACE> \ policies=sample_policy
- Ensure that your Bitbucket pod has access to the secret. 
 Currently, Vault CLI doesn’t offer support for logging in with Kubernetes auth method, but you can log in to retrieve client token using HTTP API and then use this generated token to test for access.
- If you can’t retrieve the secret with the generated token, refer to Hashicorp’s documentation to troubleshoot the issue. 
- Refer to the table at the start of these steps to set the following environment variables for Bitbucket: 
- SECRET_STORE_VAULT_KUBE_AUTH_ROLE
- SECRET_STORE_VAULT_KUBE_AUTH_PATH(optional)
- SECRET_STORE_VAULT_KUBE_AUTH_JWT_PATH(optional)
If there are any problems with your configurations, (for example, the secret is not accessible with the authentication token), Bitbucket won’t start. Check the log file launcher.log for any related error messages.
Step 4: Add the Vault configuration data to bitbucket.properties
Vault is configured via a JSON object that is added to the <home-directory>/shared/bitbucket.properties file. The JSON configuration object has a number of fields. Make sure you refer to the following table for details on each of these properties.
We highly recommend that all your Vault instances use HTTPS to further improve security.
| Field | Required? | Description | 
|---|---|---|
| 
 | Required | The KV V2 Secret Engine mount path. | 
| 
 | Required | The secret path. | 
| 
 | Required | The key name. | 
| 
 | Required | The base URL of your Vault instance. This accepts both HTTP and HTTPS. We highly recommend you always use HTTPS. Omit the trailing slash, if your URL has one. | 
| 
 | Optional | The type of authentication you wish to use. Supported options are  The default is  | 
- In the Bitbucket home directory, back up the b - itbucket.propertiesfile. Move the backup file to a safe place outside of your Bitbucket server.
- In the b - itbucket.propertiesfile, add or modify the- encrypted-property.cipher.classnameproperty to contain:- com.atlassian.secrets.store.vault.VaultSecretStore
- In the b - itbucket.propertiesfile, add or modify the- jdbc.passwordproperty to contain your JSON configuration object. Use the table at the start of these steps for further information on these fields.
 Here is an example of how it might look:- {ENC}{"mount": "secret", "path": "sample/secret", "key": "password", "endpoint": "https://127.0.0.1:8200"}
- Restart Bitbucket