APIs, Scripts, and Bots: Policy for Cloud Environment
Audience
All users of Red Hat Atlassian Cloud, but most of the functionality described herein is limited to Red Hat employees.
Purpose
The purpose of this document is to define what is permitted in regard to:
Creating scripts against Red Hat Atlassian Cloud products
Accessing data using the API
Scope
This policy applies to all users that need access to scripting functionality or APIs within Red Hat Atlassian Cloud.
Background Context
The legacy method of creating bot accounts in DC is to create a separate account in SSO, log in via basic authentication, get through the 2FA flow, and finally create Personal Access Tokens (PATs) for the account. The associated email of the account is often a Google Group email so it can be jointly maintained. This approach to service accounts will continue in Atlassian Cloud.
Recently, Atlassian introduced service accounts as a first class type of account. They have some limitations though:
Only scoped tokens can be provisioned for them. Scoped tokens are also a relatively new feature; most Python libraries for Jira do not support them, and notably neither does the Forge CLI.
2FA is a non-starter for them because there is no email address that associates have access to, so no user can receive the OTP to enter. This can be worked around with a dedicated authentication policy that does not require 2FA.
At this time, there is not a plan to replace our legacy method with these service accounts. As the feature set and support improves, the maintenance team may reevaluate.
Policy Statement
Personal experimentation activities using the Atlassian REST APIs may use API tokens provisioned in a user's account.
Team-supporting integrations using an Atlassian REST API must have a bot user instead of a personal token. All bots should be registered with the PME team. See Requesting a bot/service account. See also: Managing API Tokens
Users should provide more than one responsible party for the bot account and use a dedicated and shared email. Any bots associated with personal aliases are subject to removal if the responsible employee or contractor leaves Red Hat without transferring ownership of the bot before departure.
Bot users are only allowed to be used to run scripts and affiliated tasks with those scripts, such as assignments. Bot users are not allowed to own board filters or dashboards.
Be aware of Atlassian Cloud rate limits and look out for HTTP 429 errors, which indicate rate limiting and/or throttling. Resource-hungry integrations may be dealt with severely and without warning.
Policy Compliance
Compliance Measurement
Compliance with this policy is mandatory.
Non-compliance & Exceptions
Any user who has not registered their bot with the PME team may have access to the bot terminated at any time without notice.