I'm a GCP project owner and am trying to connect a BitBucket repo as a mirror in Cloud Source Repos. I also have a Cloud Build trigger based on a BitBucket repo.
In Cloud Source Repositories, after granting access to my account, while configuring a mirror, no repositories from BitBucket appear and the following is displayed:
The Bitbucket account [username] doesn't have access to any
Bitbucket repositories. You will need to grant this account permission
to repositories in Bitbucket before you can connect them.
In Cloud Build triggers, after the grant permissions dialog, Select repository lists no BitBucket repos and the Continue button is greyed out.
This error message will appear if your Bitbucket account only has Read or Write access to the repository you want to mirror. Check that you have Admin access on Bitbucket and try again. Also, make sure you're logged into the right Bitbucket account when attempting to make the connection.
I am trying to build CICD using cloud build in GCP. As a part of that, I am trying to mirror the repositories from Bitbucket into CSR. But I am not able to mirror the repositories. I am able to view the repositories that are present in the Bitbucket after authorizing to bitbucket from GCP.
https://cloud.google.com/build/docs/automating-builds/create-manage-triggers
https://cloud.google.com/source-repositories/docs/mirroring-a-bitbucket-repository
IAM Permissions:
I have Admin access for Source Repositories in GCP along with Cloud Build Service Account.
I have Admin access for the bitbucket repository and the workspace. The workspace in bitbucket is private.
Per the Cloud Source Repositories
If you are mirroring your Bitbucket repository to Cloud Source
Repositories to integrate with Cloud Build and do not need any other
Cloud Source Repositories features, follow the Cloud Build
instructions on building repositories from Bitbucket Cloud instead.
The referenced guide, Building repositories from Bitbucket Cloud, mentions that you need to create an SSH key in order to authenticate your connection to Bitbucket Cloud.
Bitbucket documentation also confirms that the connection fails if there is no SSH key.
I have learned that the repositories in the Bitbucket are in Private Workspace and are IP restricted. So adding a set of Google Cloud's Public IPs solved this issue.
I'm using GCP build triggers connected to Bitbucket repositories. The connection is made using user credentials. Bitbucket has announced they're ending support for account password usage:
Beginning March 1, 2022, Bitbucket users will no longer be able to use
their Atlassian account password when using Basic authentication with
the Bitbucket API or Git over HTTPS. For security reasons, we require
all users to use Bitbucket app passwords.
Problem is, when trying to connect to a repository in GCP, the only option to supply Bitbucket credentials is via a web login (which to the point of app passwords, you cannot login via the bitbucket.org with an app password).
[Image: GCP Bitbucket login prompt via bitbucket.org]
Expected behavior: GCP provides an option to submit app password credentials when connecting to a Bitbucket repository.
I followed directions for GCP Cloud Build integration with Bitbucket Cloud and successfully built out a functioning trigger for my repository here. I only built the trigger in GCP and used the generated webhook URL when creating the webhook in Bitbucket: I didn't create SSH keys, nor is my cloudbuild.yaml entirely valid - so the builds are failing.
Access to the Bitbucket repository was provided through GCP GUI in Cloud Build.
I have been informed of this change as well. I am trying to understand the scope of the change and its impact. It states that you cannot log in with an Atlassian account and password. However, besides using app passwords, you can also log in using OAuth2. https://developer.atlassian.com/cloud/bitbucket/oauth-2/
In the case of GCP Build Triggers, when I first set up the Bitbucket repository to connect to, I need to go through the "Authorization Code Grant" flow and acknowledge what access I am granting to Google Cloud Source Repository. If you check the Bitbucket API endpoints being called, they are URLs that are being used for "Authorization Code Grant" flow.
Based on these findings, am I right to say that there is no necessity to change existing triggers or mirrored repositories on GCP since they are using OAuth2 in the first place instead of Atlassian accounts and passwords?
If you can set up the build trigger to be fired by a webhook, you can configure the build with an SSH key. But if you have to configure it as a manual trigger, then using the Bitbucket login credentials is the only option. Personally, I don't like this config with user login though.
The only good thing is that even now (after Bitbucket stopped supporting the login credentials for code checkout) the code checkout in GCP is working fine.
I am trying to set up a cloud build trigger from a public github repository with the Cloud Build GitHub App. I installed the app on my repository and authorized it but when I was redirected to GCP to connect the repository to a project this error message came up:
Failed to retrieve GitHub repositories.
The caller does not have permission
I suspect it may have something to do with having two factor authentication enabled on my github account, which I need for an organization.
I was able to mirror the same github repository from cloud source repositories without any issues though. I am the owner of the repository and gcp project.
*edit
Looks like the issue is due to having 2 factor authentication enabled on my github account. I disabled it and cloud build was able to connect with my repository. However I will need to have 2 factor enabled as my github organization requires it.
*edit
I hadn't mentioned that the GitHub organization I was part of had an IP whitelist configured on top of requiring 2 factor auth. I left the organization and re-enabled 2 factor auth and Cloud Build was able to connect to my repo. Not sure why I would get the original issue if the repo is not in the GitHub organization.
After looking more into this problem you either need to add GCE IP address ranges to the github organization IP whitelist https://cloud.google.com/compute/docs/faq#find_ip_range or just disable the whitelist if able to.
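The allowlist fix described above and in the earlier Bitbucket answer can be checked before it is changed. This is an added example, not code from any of the posts: it assumes the JSON layout of Google's published IP-range feed (`prefixes[]` with `ipv4Prefix`/`ipv6Prefix`, `service`, `scope`), and the feed content, scopes and addresses below are constructed from documentation ranges. The function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in the layout of Google's published cloud.json feed.
# The prefixes are documentation ranges, not real Google ranges.
SAMPLE_FEED = json.dumps({
    "syncToken": "0", "creationTime": "2024-01-01T00:00:00",
    "prefixes": [
        {"ipv4Prefix": "198.51.100.0/25", "service": "Google Cloud", "scope": "us-central1"},
        {"ipv4Prefix": "198.51.100.128/25", "service": "Google Cloud", "scope": "us-central1"},
        {"ipv4Prefix": "203.0.113.0/24", "service": "Google Cloud", "scope": "europe-west1"},
        {"ipv6Prefix": "2001:db8:1::/48", "service": "Google Cloud", "scope": "us-central1"},
    ],
})

def published_ranges(feed_text, scope=None):
    """Return collapsed networks from the feed, optionally for one scope."""
    nets = {4: [], 6: []}
    for entry in json.loads(feed_text).get("prefixes", []):
        if scope and entry.get("scope") != scope:
            continue
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            net = ipaddress.ip_network(cidr, strict=False)
            nets[net.version].append(net)
    # collapse_addresses accepts only one IP version per call
    return [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]

def missing_from_allowlist(published, allowlist):
    """Published networks that no allowlist entry fully covers."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    return [p for p in published
            if not any(p.version == a.version and p.subnet_of(a) for a in allowed)]

def is_allowed(ip, allowlist):
    """True if a source IP (e.g. from a denied-request log entry) is covered."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowlist)

if __name__ == "__main__":
    current = ["198.51.100.0/24"]  # constructed org allowlist
    for net in missing_from_allowlist(published_ranges(SAMPLE_FEED, "us-central1"), current):
        print("not covered:", net)
```

Restricting the check to the scope the builds run in keeps the allowlist from growing to every published range.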
I'm attempting to setup CICD for a GCP Cloud Function and App-Engine deployment. The repo is in Bitbucket and I am following the instructions found here to create a mirror between my Bitbucket repo and a GCP Cloud Source repo.
Using the GCP Cloud Source "Connect external repository" UI I am able to select my GCP project, select Bitbucket as the Git provider, connect to Bitbucket using my credentials (I am admin on the Bitbucket repo), and select the desired Bitbucket repo. Then when I click the "Connect selected repository" I get about a 30s delay and finally a simple "Failed to connect repositories" error message with no further explanation as to why. GCP logging shows nothing.
Any ideas would be appreciated.
Thanks
Ensure that you have enabled the source repos API. Retrospectively I guess this is obvious, because the Bitbucket webhooks need to call out to Google's API to announce when changes occur on the repo.
The GCP API is called Cloud Source Repositories API, and the service name is sourcerepo.googleapis.com
https://console.cloud.google.com/apis/api/sourcerepo.googleapis.com
I have multiple Codebuild projects in an AWS account (which were created by others), with private Github repos as the source, connected via oauth.
I'm creating a new Codebuild project, also looking at a private github repo, however Codebuild fails to create since it "can't access the github repo".
I imagine that whoever in the account originally connected to Github, they don't have access to the repo I'm trying to connect to.
I'd like to click the "disconnect from Github" and re-authorize, since I have access to the repo I'm trying to connect to, but I'm concerned that will disconnect all Codebuild projects.
I know that my Github credentials don't permit access to all repos that Codebuild projects are currently reading from.
When a connection to Github is made via oauth, does that set it for the entire account?
When a connection to Github is made via oauth, does that set it for the entire account?
Yes it will reset the token for all your CodeBuild projects in that AWS account Id. CodeBuild only supports one token (OAuth or personal access token) per AWS account Id.
We are aware of the limitation this causes on end users and will make this experience better in a future release.