09 November 2017

The Utoolity team is pleased to present Identity Federation for AWS 2.9 – this release adds support for Bitbucket and lets you disable the implicit connector visibility for administrators (experimental).

If you are using Bamboo remote agents, please review the Identity Federation for AWS 2.9 Upgrade Notes for important information about this release.

Learn more and try it for free in:


Highlights


Use Identity Federation for AWS in Bitbucket

You can now use Identity Federation for AWS in Bitbucket to gain the following benefits:

  • Federated AWS access for Atlassian users – Add long-term AWS security credentials (IAM users) once, then configure AWS access for Atlassian groups and Bitbucket apps with temporary credentials and fine-grained permissions via IAM Policies (Identity Broker)

  • Single sign-on (SSO) to the AWS Management Console – Grant your team SSO access to AWS accounts via the AWS Management Console Login menu

  • REST API for temporary AWS security credentials – GET temporary AWS security credentials for Bitbucket apps via the REST API (Token Vendor)


Disable implicit connector visibility for administrators (experimental)

You can now disable the implicit connector visibility for administrators via a labs feature flag:

By default, administrators can always edit, see and use all connectors. For all non-administrators, visibility and usage of connectors in the 'AWS Resources' menu, the connector selection widget, and via the REST API is scoped to the selected groups, which allows the delegation of temporary AWS credentials retrieval.

While this behavior properly reflects the security barriers in the Atlassian Server universe (where administrators are generally able to get access to all data one way or another), it turns out to be a usability flaw in scenarios where many users have been granted administrative rights to overcome insufficient permission granularity in the host product (e.g. Bamboo before the permission changes introduced in release 6.2). As a preliminary workaround, this feature flag changes the default behavior as follows:

  • by default, members of the administrator group (e.g. bamboo-admin) will no longer be able to see and use any connectors via the REST API or dependent resources such as the 'AWS Resources' menu and the connector selection widgets, unless they are explicitly granted access by including the respective group in the Groups selection

  • regardless, members of the administrator group (e.g. bamboo-admin) will still be able to edit all connectors via the configuration screen

Note: No security barrier

This change is mostly a usability improvement, not an impenetrable security barrier: administrators can still grant themselves access to connectors at any time, simply by adjusting the connector-to-group associations or their own group membership, for example.
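The visibility rules and the caveat above, modeled as an added example (this is not Utoolity's code; the `implicit_admin_visibility` parameter, the event names and the audit record fields are hypothetical). It shows that the flag removes implicit use but not edit rights, so the useful control is reviewing changes in which an administrator grants themselves access.

```python
from dataclasses import dataclass, field

ADMIN_GROUP = "bamboo-admin"  # example administrator group named on the page


@dataclass
class Connector:
    name: str
    groups: set = field(default_factory=set)  # the connector's Groups selection


def can_edit(user_groups):
    # Administrators can edit every connector, with or without the flag.
    return ADMIN_GROUP in user_groups


def can_use(user_groups, connector, implicit_admin_visibility=True):
    # An explicit grant through the Groups selection applies to everyone.
    if connector.groups & set(user_groups):
        return True
    # Implicit grant: only while the default behaviour is left enabled.
    return implicit_admin_visibility and ADMIN_GROUP in user_groups


def self_grants(events, membership):
    """Return (actor, action, group) for changes where an administrator
    grants themselves access: adding one of their own groups to a connector,
    or adding themselves to a group."""
    findings = []
    for ev in events:
        groups = membership.get(ev["actor"], set())
        if ADMIN_GROUP not in groups:
            continue
        if ev["action"] == "connector.groups.add" and ev["group"] in groups:
            findings.append((ev["actor"], ev["action"], ev["group"]))
        elif ev["action"] == "group.member.add" and ev["member"] == ev["actor"]:
            findings.append((ev["actor"], ev["action"], ev["group"]))
    return findings


# Constructed sample data (hypothetical audit record format).
MEMBERSHIP = {"alice": {"bamboo-admin"}, "bob": {"deployers"},
              "carol": {"bamboo-admin", "ops"}}
EVENTS = [
    {"actor": "carol", "action": "connector.groups.add",
     "connector": "prod-deploy", "group": "ops"},
    {"actor": "alice", "action": "group.member.add",
     "group": "deployers", "member": "alice"},
    {"actor": "alice", "action": "group.member.add",
     "group": "deployers", "member": "dave"},
]
```
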


Resolved issues

Release 2.9.3

2018-06-27

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-938 – Improve core vs. quickstart CloudFormation template onboarding UX

Confluence

  • Improvements

    • IFAWS-936 – Mark app as compatible with Confluence read-only mode

Release 2.9.2

2018-04-10

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-906 – Add support for extended IAM role session duration

Bamboo

  • Bugs

    • IFAWS-847 – Add missing connector variables to AWS Credentials Variables task inline help

    • IFAWS-907 – Add missing connector JSON variable to AWS Credentials Variables task

    • IFAWS-908 – Fix PowerShell environment variable references in AWS Credentials Variables task inline help

    • IFAWS-935 – Fix PowerShell environment variable references in Amazon ECR Credentials Variables task inline help

Release 2.9.1

2018-01-18

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-855 – Surface support for additional ECR regions ap-south-1 and sa-east-1

    • IFAWS-856 – Rename EC2 Container Service to Elastic Container Service

    • IFAWS-857 – Surface new AWS region China (Ningxia) / cn-northwest-1

    • IFAWS-858 – Surface new AWS region EU (Paris) / eu-west-3

Release 2.9.0

2017-11-09

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-811 – Surface support for additional ECR region ap-northeast-2

    • IFAWS-821 – Add option to disable implicit connector visibility for administrators

    • IFAWS-854 – Surface support for additional ECR region cn-north-1

Bitbucket

  • Stories

    • IFAWS-32 – As a user, I want federated AWS access in Bitbucket Server

Jira

  • Tasks

    • IFAWS-567 – Drop support for Jira 7.0