-
Suggestion
-
Resolution: Unresolved
-
None
-
OnDemand & Server
-
5
-
45
-
Currently Elastic Bamboo requires you give it your account level credentials to run properly. This isn't really acceptable in many environments and we should be able to use IAM to create a bamboo user with restricted permission (i.e. bamboo doesn't need permissions to create a new VPC, or delete non-bamboo instances).
To me this is a major security problem. The response so far from support was this:
"After confirming with the Bamboo seniors, I can say that the Bamboo user does need full access to the account. We also recommend that a dedicated account be created for Bamboo to ensure that, should Bamboo "go sideways," any damage is restricted only to the Bamboo user's account."
Running a dedicated account just for bamboo isn't horribly practical if you have other resources the builds depend on, especially in a VPC environment.
- mentioned in
-
Page Failed to load
-
Page
Failed to load
-
Page
Failed to load
-
Page
Failed to load
-
Page
Failed to load
- relates to
-
BDEV-10295 Loading...
-
- was cloned as
-
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[BAM-11932] Bamboo requires full permissions to EC2
I strongly support for the IAM Role policy to be used instead of Access keys/Secret Keys
It's been over 7 years and we still don't have a set of permissions that Bamboo needs? How, just how.
Hi everyone,
Thanks for your interest in this issue.
This request is considered a potential addition to our longer-term roadmap.
We'll typically review this request in about 6 months time, at which point we’ll consider whether we need to alter its status.
For the nearest future we've decided to prioritise other areas of the Bamboo roadmap, including:
- Robustness of Plan Branches
- Performance and stability improvements
- Providing building blocks for High Availability and Disaster Recovery solutions
- Improving permission system
- Allowing per-project allocation of resources
- Improving Bitbucket Server and Jira integrations
You can learn more about our approach to highly voted server suggestions here.
To learn more on how your suggestions are reviewed, see our updated workflow for server feature suggestions.
Kind regards,
Bamboo Team
I believe it probably is. I don't think there's much interest in resolving this issue since it's almost 7 years old...
You would think they would at least have the guts to say "we won't do this".
Maciej Malek
added a comment - +1
Please add support for EC2 IAM Role / Instance Profile based permissions for Bamboo.
AWS do not recommend to use IAM Users with Key/Secret in production environments - everything should be based on IAM Roles and federated access.
Lack of this feature is a showstopper for adoption of Bamboo.
Maciej Malek
added a comment - +1
Please add support for EC2 IAM Role / Instance Profile based permissions for Bamboo.
AWS do not recommend to use IAM Users with Key/Secret in production environments - everything should be based on IAM Roles and federated access.
Lack of this feature is a showstopper for adoption of Bamboo. The lack of proper support for EC2 is almost a show-stopper for us.
I'm thinking we may need to junk Bamboo in favor of Jenkins.
Maybe that's really what Atlassian wants anyway.
https://jira.atlassian.com/browse/BAM-11932?focusedCommentId=2310432&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2310432
This is absolutely correct. If the Bamboo server is running in AWS you should be able to use instance profiles which is not an option now.