Identity Federation for AWS 2.9 Release Notes

09 November 2017

The Utoolity team is pleased to present Identity Federation for AWS 2.9 – this release adds support for Bitbucket and allows you to disable the implicit connector visibility for administrators (experimental).

If you are using Bamboo remote agents, please review the Identity Federation for AWS 2.9 Upgrade Notes for important information about this release.

Highlights

Use Identity Federation for AWS in Bitbucket

You can now use Identity Federation for AWS in Bitbucket to gain the following benefits:

  • Federated AWS access for Atlassian users – Add long-term AWS security credentials (IAM users) once, configure AWS access for Atlassian groups and Bitbucket apps with temporary credentials and fine-grained permissions via IAM Policies thereafter (Identity Broker)

  • Single sign-on (SSO) to the AWS Management Console – Grant your team SSO access to AWS accounts via the AWS Management Console Login menu

  • REST API for temporary AWS security credentials – GET temporary AWS security credentials for Bitbucket apps via the REST API (Token Vendor)

Cross Product Support

Identity Federation for AWS aims to be a cross-product solution and currently supports Jira, Confluence, Bitbucket, and Bamboo (see the Identity Federation for AWS Compatibility Notes for details). If you are interested in support for other Atlassian products, please don't hesitate to get in touch: we are eager to learn more about your use case and to adjust our roadmap accordingly.

  • The Confluence and Bitbucket editions of Identity Federation for AWS have been retired for technical reasons – learn about alternatives.



Disable implicit connector visibility for administrators (experimental)

You can now disable the implicit connector visibility for administrators via a labs feature flag:

By default, administrators can always edit, see and use all connectors, whereas for all non-administrators the visibility and usage of connectors in the 'AWS Resources' menu, the connector selection widget, and via the REST API is scoped to the selected groups, which allows delegating the retrieval of temporary AWS credentials.

While this behavior properly reflects the security barriers in the Atlassian Server universe (where administrators are generally able to get access to all data one way or another), it turns out to be a usability flaw for scenarios where many users have been granted administrative rights to overcome insufficient permission granularity in the host product (e.g. Bamboo before the permission changes introduced in release 6.2). As a preliminary workaround, this feature flag allows you to change the default behavior as follows:

  • by default, members of the administrator group (e.g. bamboo-admin) will no longer be able to see and use any connectors via the REST API or dependent resources like the 'AWS Resources' menu and the connector selection widgets, unless they are explicitly granted access by including the respective group in the Groups selection

  • regardless, members of the administrator group (e.g. bamboo-admin) will still be able to edit all connectors via the configuration screen

No security barrier

This change is mostly a usability improvement, not an impenetrable security barrier: administrators can still grant themselves access to connectors at any time simply by adjusting the connector-to-group associations, their own group membership, etc.
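The access rules of this section, modelled as an added example (not Utoolity's code; all function, field and sample names are hypothetical): it lists the administrators who lose direct connector use once the flag is set but can still reach the connector through their edit rights.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour described above; names are hypothetical
# and do not reflect the app's real data model or API.
ADMIN_GROUP = "bamboo-admin"  # example administrator group named on the page

@dataclass
class Connector:
    name: str
    groups: set = field(default_factory=set)  # the connector's "Groups" selection

def can_edit(user_groups):
    # Administrators can edit all connectors, with or without the flag.
    return ADMIN_GROUP in user_groups

def can_use(user_groups, connector, implicit_admin_visibility=True):
    # Default behaviour: administrators implicitly see and use every connector.
    if implicit_admin_visibility and ADMIN_GROUP in user_groups:
        return True
    # Flag set, or non-administrator: explicit group grant only.
    return bool(set(user_groups) & connector.groups)

def effective_use(user_groups, connector, implicit_admin_visibility=True):
    """Direct use, or use reachable by editing the connector's group list."""
    return (can_use(user_groups, connector, implicit_admin_visibility)
            or can_edit(user_groups))

def audit(users, connectors, implicit_admin_visibility=False):
    """List (user, connector) pairs hidden by the flag but still reachable."""
    findings = []
    for user, groups in sorted(users.items()):
        for c in connectors:
            direct = can_use(groups, c, implicit_admin_visibility)
            if not direct and effective_use(groups, c, implicit_admin_visibility):
                findings.append((user, c.name))
    return findings

# Constructed sample data.
USERS = {
    "alice": {"bamboo-admin"},
    "bob": {"bamboo-admin", "deployers"},
    "carol": {"developers"},
}
CONNECTORS = [Connector("prod-deploy", {"deployers"}),
              Connector("dev-sandbox", {"developers"})]

if __name__ == "__main__":
    for user, name in audit(USERS, CONNECTORS):
        print(f"{user}: {name} hidden by flag, reachable via edit rights")
```

Every pair the audit returns is an administrator whose access is only one configuration change away, so reviews of who can obtain AWS credentials should count administrator group membership as well as each connector's Groups selection.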


Resolved issues

Release 2.9.3

2018-06-27

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-938 – Improve core vs. quickstart CloudFormation template onboarding UX

Confluence

  • Improvements

    • IFAWS-936 – Mark app as compatible with Confluence read-only mode

Release 2.9.2

2018-04-10

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-906 – Add support for extended IAM role session duration

Bamboo

  • Bugs

    • IFAWS-847 – Add missing connector variables to AWS Credentials Variables task inline help

    • IFAWS-907 – Add missing connector JSON variable to AWS Credentials Variables task

    • IFAWS-908 – Fix PowerShell environment variable references in AWS Credentials Variables task inline help

    • IFAWS-935 – Fix PowerShell environment variable references in Amazon ECR Credentials Variables task inline help

Release 2.9.1

2018-01-18

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-855 – Surface support for additional ECR regions ap-south-1 and sa-east-1

    • IFAWS-856 – Rename EC2 Container Service to Elastic Container Service

    • IFAWS-857 – Surface new AWS region China (Ningxia) / cn-northwest-1

    • IFAWS-858 – Surface new AWS region EU (Paris) / eu-west-3

Release 2.9.0

2017-11-09

This release addresses the following issues:

Core

  • Improvements

    • IFAWS-811 – Surface support for additional ECR region ap-northeast-2

    • IFAWS-821 – Add option to disable implicit connector visibility for administrators

    • IFAWS-854 – Surface support for additional ECR region cn-north-1

Bitbucket

  • Stories

    • IFAWS-32 – As a user, I want federated AWS access in Bitbucket Server

Jira

  • Tasks

    • IFAWS-567 – Drop support for Jira 7.0
