Permissions


To maintain secure and efficient workflows in CloudBees, it is essential to control access to resources by explicitly setting permission levels. Adhering to the Principle of Least Privilege (PoLP), ensure that the cloudbees.scm.token is granted only the minimum access necessary for each workflow or job.

Permissions can be configured at two levels:

  • Workflow level – Applies globally to all jobs within a workflow.

  • Job level – Applies solely to the specific job and overrides any workflow-level settings.

Each permission key accepts a single scope value, and the default for every key is none. Audit permission configurations regularly to identify and remove any unnecessary or overly permissive access, so that workflows remain secure and compliant.

Key Recommendations:

  • Explicitly define permission levels rather than relying on defaults.

  • Limit the cloudbees.scm.token to only the access it needs following PoLP.

  • Use job-level permissions for fine-grained access control when necessary.

  • Perform regular audits to eliminate unnecessary or excessive permissions.

For additional information and specific syntax examples, refer to the CloudBees DSL Syntax Permissions documentation.

Additional resources:

Scope and Permission Settings

Permission Key    Allowed Values    Description
scm-token-own     read, none        Grants access to the user-level SCM token.
scm-token-org     read, none        Grants access to the organization-level SCM token.
id-token          write, none       Grants access to the OpenID Connect (OIDC) identity token.

Example Permissions Configuration

permissions:
  scm-token-own: read
  scm-token-org: none
  id-token: write
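The following audit script is an added example, not CloudBees code, and it is not the syntax documented in the CloudBees DSL. It models the rules stated on this page: each key takes a single value with none as the default, workflow-level permissions apply to every job, and a job-level block overrides the workflow-level setting for that job only. The allowed values are the ones from the table above. The shape of the parsed workflow (a top-level permissions mapping and an optional permissions mapping under each entry of jobs) and the sample workflow itself are assumptions constructed for the example; the required mapping is the reviewer's statement of what each job actually needs.

```python
"""Least-privilege audit for CloudBees-style workflow permissions.

Added example (not CloudBees code). Assumes the workflow has already been
parsed into a dict with a top-level "permissions" mapping and a "jobs"
mapping whose entries may carry their own "permissions" mapping.
"""

# Allowed values per permission key, taken from the table on this page.
ALLOWED = {
    "scm-token-own": {"read", "none"},
    "scm-token-org": {"read", "none"},
    "id-token": {"write", "none"},
}


def effective_permissions(workflow: dict, job_name: str) -> dict:
    """Resolve what a job actually runs with: default none for every key,
    then the workflow-level block, then the job-level block on top."""
    resolved = {key: "none" for key in ALLOWED}
    resolved.update(workflow.get("permissions", {}))
    resolved.update(workflow["jobs"][job_name].get("permissions", {}))
    return resolved


def audit(workflow: dict, required: dict) -> list:
    """Return human-readable findings.

    `required` maps job name -> {permission key: scope the job truly needs}.
    Anything effective that is broader than `required` is flagged.
    """
    findings = []

    # 1. Unknown keys or values outside the allowed set, at either level.
    levels = [("workflow", workflow.get("permissions", {}))]
    for name, job in workflow.get("jobs", {}).items():
        levels.append((f"job {name}", job.get("permissions", {})))
    for level, perms in levels:
        for key, value in perms.items():
            if key not in ALLOWED:
                findings.append(f"{level}: unknown permission key {key!r}")
            elif value not in ALLOWED[key]:
                findings.append(
                    f"{level}: {key} has invalid value {value!r}; "
                    f"allowed: {sorted(ALLOWED[key])}"
                )

    # 2. Effective grant broader than what the job needs (PoLP violation).
    for job_name in workflow.get("jobs", {}):
        effective = effective_permissions(workflow, job_name)
        needed = required.get(job_name, {})
        for key, value in effective.items():
            if value != "none" and needed.get(key, "none") == "none":
                findings.append(f"job {job_name}: {key}={value} granted but not required")

    # 3. Relying on defaults instead of stating permissions explicitly.
    if "permissions" not in workflow:
        findings.append("workflow: no explicit permissions block (relying on defaults)")

    return findings


# Constructed sample: the config from this page at workflow level, plus three
# hypothetical jobs (one inherits, one narrows, one is misconfigured).
SAMPLE_WORKFLOW = {
    "permissions": {"scm-token-own": "read", "scm-token-org": "none", "id-token": "write"},
    "jobs": {
        "build": {},
        "deploy": {"permissions": {"scm-token-own": "none", "id-token": "write"}},
        "lint": {"permissions": {"scm-token-org": "admin"}},  # not an allowed value
    },
}

# What each sample job genuinely needs (constructed for the example).
REQUIRED = {
    "build": {"scm-token-own": "read"},
    "deploy": {"id-token": "write"},
    "lint": {},
}

if __name__ == "__main__":
    for job in SAMPLE_WORKFLOW["jobs"]:
        print(job, effective_permissions(SAMPLE_WORKFLOW, job))
    for finding in audit(SAMPLE_WORKFLOW, REQUIRED):
        print("FINDING:", finding)
```

Running it shows that deploy, which narrows scm-token-own back to none at job level, produces no findings, while build inherits a write-scoped id-token it does not need and lint carries a value the table does not allow. The same loop can be pointed at every workflow in a repository as part of the regular audit the page recommends.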