Bitbucket access tokens

Bitbucket Cloud supports three levels of access token for authenticating API and Git operations. CloudBees Unify can use any of these token types to connect to your Bitbucket Cloud repositories.

For instructions on configuring a Bitbucket integration in CloudBees Unify, refer to SCM integrations: Bitbucket.

Token types and hierarchy

Bitbucket Cloud access tokens follow a containment hierarchy:

  • Workspace access token (WAT): grants access to all projects and repositories in a workspace.

  • Project access token (PAT): grants access to all repositories in a single project.

    Project access token support has not been fully validated. Where possible, use a repository or workspace access token for production workflows.

  • Repository access token (RAT): grants access to a single repository.

The hierarchy is: Workspace > Project > Repository (broadest to narrowest scope).

Project and Workspace access tokens are a Bitbucket Cloud Premium feature. Bitbucket permits Standard plan customers to generate Repository access tokens only.

Which token type to use

Table 1. Token type by use case

| Use case | Recommended token type | Notes |
|---|---|---|
| Single repository integration | Repository access token | One token per repository. |
| Multiple repositories in one project | Project access token | Supports repository:write scope. Suitable for workflows that need to commit workflow YAML. |
| Multiple repositories with full workflow support | Workspace access token | Supports all CloudBees Unify operations including committing workflow YAML files back to repositories. |
| Triggering Bitbucket Pipelines | Any token type | Requires pipeline:write scope, available on all three token types. |

Required scopes

Table 2. Required Bitbucket scopes per CloudBees Unify operation

| CloudBees Unify operation | Required Bitbucket scope | Repository token | Project token | Workspace token |
|---|---|---|---|---|
| Git checkout (clone) | repository (read) | Yes | Yes | Yes |
| SCM integration, commit workflow YAML | repository:write | Yes | Yes | Yes |
| Create webhooks | webhook | Yes | Yes | Yes |
| Run a Bitbucket pipeline | pipeline:write | Yes | Yes | Yes |

Project access tokens support repository:write as of February 2023. All three token types can be used for workflows that commit YAML back to repositories.
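
The hierarchy, plan restriction, and scope table above can be combined into a least-privilege check before a token is created. The following is an added example, not CloudBees or Bitbucket code: the operation keys, the Repo record, and plan_tokens are hypothetical names, and the sample repositories are constructed.

```python
from dataclasses import dataclass

# Scope per CloudBees Unify operation, copied from Table 2 on this page.
# The operation keys are hypothetical names chosen for this example.
REQUIRED_SCOPE = {
    "checkout": "repository",
    "commit_workflow_yaml": "repository:write",
    "create_webhook": "webhook",
    "run_pipeline": "pipeline:write",
}

@dataclass(frozen=True)
class Repo:  # hypothetical inventory record
    workspace: str
    project: str
    slug: str

def plan_tokens(repos, operations, premium):
    """Return (token_type, token_count, scopes, notes) for the narrowest fit."""
    unknown = set(operations) - set(REQUIRED_SCOPE)
    if unknown:
        raise ValueError(f"unknown operations: {sorted(unknown)}")
    repos = set(repos)
    workspaces = {r.workspace for r in repos}
    if len(workspaces) != 1:
        raise ValueError("plan exactly one workspace at a time")
    # Request only the scopes the selected operations need.
    scopes = sorted({REQUIRED_SCOPE[op] for op in operations})
    notes = []
    if len(repos) == 1:
        kind, count = "repository", 1
    elif not premium:
        # Standard plan: only repository access tokens can be generated.
        kind, count = "repository", len(repos)
        notes.append("Standard plan: one repository access token per repository")
    elif len({r.project for r in repos}) == 1:
        kind, count = "project", 1
        notes.append("project token support is not fully validated")
    else:
        kind, count = "workspace", 1
        notes.append("token reaches every repository in the workspace")
    if kind != "repository":
        notes.append(f"integration form needs workspace slug: {workspaces.pop()}")
    return kind, count, scopes, notes

if __name__ == "__main__":
    fleet = [Repo("acme", "PLAT", "api"), Repo("acme", "PLAT", "web")]  # constructed
    print(plan_tokens(fleet, ["checkout", "create_webhook"], premium=True))
```

The function picks the narrowest single token type that covers the listed repositories, so a workspace token is returned only when the repositories span more than one project.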

Workspace field

When you configure a Bitbucket integration with a Project or Workspace access token, you must provide the Workspace slug in the integration form. The workspace slug is the value that appears in your Bitbucket URL: https://bitbucket.org/<workspace-slug>.

For existing integrations that have already onboarded at least one repository, the workspace is auto-populated by the hourly repository sync process. No manual action is required for these integrations.

Token expiration

Bitbucket access tokens have a configurable expiration date. Set an expiration date that aligns with your organization’s security policies. To rotate a token, create a new token in Bitbucket with the same scopes and update the corresponding CloudBees Unify secret.