Using Bitbucket Auth for Concourse Teams

All pipelines and resources in Concourse belong to a "team". Concourse supports different authentication mechanisms for allowing users to log in to these teams and manipulate these resources. When we just started out with Concourse, we configured a simple "dev" using basic auth and shared the password using pass.

As our engineering team at meshcloud grows (we\’re hiring!), we wanted to switch to external authentication that integrates with the rest of our infrastructure. Since we we\’re already using the Google Suite for office work like slides and docs, using Google OAuth and Concourse\’s generic OAuth provider was a natural first choice but ultimately lacked support for restricting permissions to users from our domain only.

Bitbucket Auth in Concourse 3.7

When Concourse 3.7 rolled around and offered a new Authentication Provider for Bitbucket Cloud, we we\’re really excited. We\’re already using Bitbucket for hosting some of our repos and developers are logged into their Bitbucket accounts all day anyway, so this would make for a seemless experience.

Unfortunately we couldn\’t find any info on how to set it up in the Concourse teams documentation. Turns out this wasn\’t a big deal, here\’s what the fly set-team command tells us to do:

Bitbucket Cloud Authentication:
--bitbucket-cloud-auth-client-id= Application client ID for enabling Bitbucket OAuth
--bitbucket-cloud-auth-client-secret= Application client secret for enabling Bitbucket OAuth
--bitbucket-cloud-auth-user=USER Bitbucket users that are allowed to log in
--bitbucket-cloud-auth-team=TEAM[:ROLE] Bitbucket teams which members are allowed to log in
--bitbucket-cloud-auth-repository=OWNER/REPO Bitbucket repositories whose members are allowed to log in
--bitbucket-cloud-auth-auth-url= Override default endpoint AuthURL for Bitbucket Cloud
--bitbucket-cloud-auth-token-url= Override default endpoint TokenURL for Bitbucket Cloud
--bitbucket-cloud-auth-api-url= Override default API endpoint URL for Bitbucket Cloud

Setting up an OAuth Consumer for Concourse

The first thing we need to do is set up an OAuth Consumer for Concourse in Bitbucket from the Bitbucket Team Settings page. This consumer needs to have permission to read Account, Team Membership and Repository information. You may hit a slight road-bump figuring out the correct redirect URL to allow, but since that\’s passed from Concourse on the first (unsuccessful) redirect, we can figure out that it is https://myconcourse.domain/auth/bitbucket-cloud/callback.

Bitbucket OAuth Consumer for Concourse CI[/caption]

After creating the consumer, you should also see its client id and client secret in the Bitbucket settings. The next thing we wanted to do is to grant all users in a specific group on our Bitbucket Team access to Concourse using --bitbucket-cloud-auth-team=meshcloud:developers. However, it turns out that "role" and "group" are different concepts and this attempt leads to an error:

error: invalid argument for flag `--bitbucket-cloud-auth-team' (expected []cloud.TeamConfig): unknown role in Bitbucket team specification: 'developers'

A quick look at the source code reveals that the only roles possible are member, contributor and admin.

No problem, we can also provision the group on a repository and have Concourse check whether the user has access to this repository before granting access to the Concourse team. Here\’s the full command to enable Bitbucket auth on the dev team for all users that have access to the myorg/myrepo repository:

fly -t ci set-team -n dev --bitbucket-cloud-auth-client-id=xxx --bitbucket-cloud-auth-client-secret=xxx --bitbucket-cloud-auth-repository=myorg/myrepo`

That’s it, now we can log in to Concourse using Bitbucket: