Console
    Contact Us Start free

    Connect Jira Cloud

    This page describes how to connect Jira Cloud to Agentspace.

    After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

    Supported versions

    The Jira Cloud connector supports version 2 of the JIRA Cloud REST API.

    Before you begin

    Before you set up your connection, do the following:

    • Verify that you have Jira organization administrator access to the Jira instance and project. With the organization administrator access, you can set up minimum permissions and provide access privileges to user groups. For information about how to verify Jira organization administrator access, see Verify Jira organization administrator access .

    • (Optional) To retrieve user email addresses from Jira Cloud, even when settings restrict email visibility, install the User Identity Accessor for Jira Cloud app. You must be a Jira Site administrator to install and configure this app. After you install the app, configure it to securely retrieve user email addresses. You might not need to install this app if email addresses are already publicly accessible.

    • To enforce data source access control and secure data in Agentspace, ensure that you have configured your identity provider .

    • To enable OAuth 2.0 and obtain the client ID and secret, see OAuth 2.0 (3LO) apps in the Atlassian developer documentation.

    Verify Jira organization administrator access

    1. Login to Atlassian with your user credentials.

    2. Select the Jiraapp.

      Atlassian home page
      Atlassian home page

    3. Click Settings.

      If you see the Systemoption under Jira settings, you have Jira organization administrator access. Otherwise, request your Jira organization administrator to provide access.

      Settings
      Settings

    Create an OAuth 2.0 integration

    1. Sign in to the Atlassian Developer Console .

    2. Click the profile icon and select Developer console.

      Select developer console
      Select Developer console

    3. Click Createand select OAuth 2.0 Integration.

      Select OAuth 2.0 Integration
      Select OAuth 2.0 Integration

    4. Enter a name for the app.

    5. Select the checkbox to agree to Atlassian's developer terms.

    6. Click Create.

      Create OAuth 2.0
      Create a new OAuth 2.0 Integration

    7. Click Authorization.

    8. In the Authorization typetable, select Addfor OAuth 2.0 (3LO).

      select-add
      Add authorization type

    9. In the Callback URLfield, enter https://vertexaisearch.cloud.google.com/console/oauth/jira_oauth.html .

    10. Click Save changes.

      Save changes
      Save changes

    Configure the minimum permissions required for the application

    1. On the application page, click Permissions.

      Select permissions
      Select Permissions

    2. Go to Jira APIand click Add.

    3. Click Configure.

    4. Go to the Classic scopestab.

    5. Click Edit scopesand select the following permissions:

      • read:jira-user
      • read:jira-work

      Edit classic scopes
      Edit Classic scopes

    6. Confirm that the two scopes are selected, and then save your changes.

    7. Go to the Granular scopestab.

    8. Click Edit scopesand select the following permissions:

      • read:issue-security-level:jira
      • read:issue-security-scheme:jira
      • read:group:jira
      • read:user:jira
      • read:avatar:jira
      • read:audit-log:jira

      Edit granular scopes
      Edit Granular scopes

    Minimum permissions

    The following tables list the minimum permissions required to create a Jira Cloud connector.

    Classic scopes

    Permission Usage reason Description
    read:jira-work
    		 Data ingestion Allows the connector to read details of entities (including issues, attachments, comments, and properties).
    read:jira-user
    		 Enforce Access Control Lists (ACLs) Allows the connector to read user and group details.

    Granular scopes

    Permission Usage reason Description
    read:issue-security-level:jira
    		 Enforce ACLs Enables enforcement of ACLs for issues based on their specific issue security levels.
    read:issue-security-scheme:jira
    		 Enforce ACLs Enables enforcement of ACLs for issues based on their associated issue security schemes.
    read:group:jira
    		 Enforce ACLs Allows the connector to read group information in order to enforce ACLs related to group memberships.
    read:user:jira
    		 Enforce ACLs Allows the connector to read user information in order to enforce ACLs related to individual user permissions.
    read:avatar:jira
    		 Enforce ACLs Allows the connector to read user and group information to enforce ACLs. Avatar is not used, but is part of the granular scopes that are bundled with groups and users.
    read:audit-log:jira
    		 Monitor ACLs Allows the connector to read Jira's audit log for ACL verification and monitoring.

    Obtain a client ID and client secret

    1. Click Distributionand select Edit.
    2. Select Sharingto enable editing other fields.
    3. Fill out the remaining fields:
      1. For Vendor, enter Google .
      2. For Privacy policy, enter https://policies.google.com .
      3. For Does your app store personal data?, select Yes.
      4. Select I confirm that I've implemented the personal data reporting APIcheckbox. For more information, see Personal data reporting API .
        Edit distribution
        Edit Distribution

    4. Click Save changes.

    5. Click Settingsto copy your Client IDand Client secret.

      Copy client ID and client secret
      Copy your client ID and client secret

    Obtain an instance ID and instance URL

    1. Obtain the instance ID:

      1. Open a new tab, copy the instance URL, and append /_edge/tenant_info to the instance URL. For example, https:// YOUR_INSTANCE .atlassian.net/_edge/tenant_info .

      2. Navigate to the link to find the cloudId value. The cloudId is your instance ID.

        select
        Obtain your instance ID

    2. Obtain the instance URL:

      1. Go to atlassian.net and sign in with your administrator account.
      2. Select the app you want to sync. For example, sync the first app.
      3. Find the instance URL (the subdomain in the address bar).

    Grant administrator roles

    To grant the Jira administrator the Discovery Engine Editor role in the Google Cloud console, do the following:

    1. In the Google Cloud console, go to the Agentspacepage.

    2. Navigate to IAM.

      Go to IAM

    3. Locate the user account which has administrator access in Jira and click the Editicon .

    4. Grant the Discovery Engine Editor role to the administrator .

    To grant a user an administrator role in Atlassian, do the following:

    1. Sign in to Atlassian using an organization administrator account.

    2. Click the menu icon and select your organization. Alternatively, you can go to admin.atlassian.com .

    3. On the Adminpage, click the product and select the Manage usersbutton.

      manage-users
      Manage users

    4. Click Groupsunder User management.

    5. On the Groupspage:

      1. Click Create group.
      2. Enter a name for the group.

      create-group
      Create group

    This group receives permissions required by the connector. Users added to this group inherit these permissions.The connector uses this group to authenticate and fetch documents.

    1. On the group page, click Add product.

    2. Select User access adminas the role for Jira.

    3. Select Product adminas the role for Jira administration.

      jira-user-access-admin
      Jira user access administrator

    4. Click Grant Access.

    5. Click Add group membersto add a user account or group members that the connector uses to authenticate and access the required resources.

      add-group-members
      Add group members

    Manage user visibility

    To make the user's email visible to anyone in the Atlassian account, follow these steps:

    1. Sign in to the Atlassian Developer Console .

    2. Click the profile icon and select Developer console.

    3. Click the user profile icon and select Manage account.

      manage-account
      Manage account

    4. Navigate to the Profile and visibility.

      profile-visibility
      Profile and visibility

    5. Go to Contactand set the Who can see thisas Anyone.

      contact
      Contact

    To make the user's email visible to anyone in the Jira, follow these steps:

    1. Sign in to Atlassian with your user credentials.

    2. Select a Jira app.

    3. Click Settings> System.

    4. Select General Configurationin the left pane.

    5. Click Edit Settings.

    6. For User email visibility, select Public.

      select email visibility
      Select email visibility

    7. Click Update.

    Install and configure User Identity Accessor for Jira Cloud

    If user email addresses aren't publicly accessible by default due to privacy settings in Jira Cloud, you must install the User Identity Accessor for Jira Cloudapp to securely retrieve user email addresses. If user email addresses are already publicly visible, you might not need to install the app. For more information about restricted email visibility, see Manage user visibility .

    Roles and permissions

    To install and configure the User Identity Accessor for Jira Cloudapp, you must have the appropriate administrative role and grant the required app-level permissions.

    • Required role: You must be a Jira Site administrator to install and configure the app.
    • App-level permissions: You must grant the following permissions during the app installation:
      • Read Email Address : Allows the app to securely retrieve user email addresses, even when profile visibility is restricted.
      • App Storage scope : Enables the app to read and write to its storage device.

    Install User Identity Accessor for Jira Cloud

    To install the User Identity Accessor for Jira Cloudapp on your Jira Cloud site, follow these steps:

    1. Navigate to Atlassian Developer Console .

    2. Review the Read Email Addressand App Storage scopepermissions and click Get app.

      configure-uia-button-jira
      Review permissions and get app

    3. From the Select a site to install this app onlist, select the Jira site where you want to install the app. This list displays only the sites for which you have administrator access.

      Note:You must be an administrator of at least one Jira site to install the app.

    4. Click Installto complete the app installation.

    Configure User Identity Accessor for Jira Cloud

    After you've installed the User Identity Accessor for Jira Cloudapp, configure an API key that your external system (for example, your Jira Cloud Connector) uses to securely call the app's web trigger to fetch emails.

    Access the configuration page

    To access the User Identity Accessor for Jira Cloudapp's configuration page, follow these steps:

    1. In your Jira Cloud instance, click the Settings⚙️ icon in the navigation menu.
    2. Select Appsfrom the menu.
    3. On the Apps administrationpage, locate your app, User Identity Accessor for Jira Cloud, in the Manage appslist.

    4. Click Configureor the link associated with your app. The app's dedicated configuration page opens within Jira Cloud.

      configure-uia-button-jira
      Configure the User Identity Accessor for Jira Cloud app

    Set up the API key

    To set up the API key on the configuration page, follow these steps:

    1. In the API Key Configurationsection, specify the secret key for authenticating requests to the app's webtrigger. You can authenticate requests using either of the following methods:

      • Enter your own key: Type or paste your own strong, unique API key into the API Key field. Use a key of at least 20–30 characters with a mix of uppercase letters, lowercase letters, numbers, and symbols.

        save-key
        Enter your own key

      • Generate a key: Click the Generate New Keybutton. The system generates and displays a strong, random key in the field.

        generate-key
        Generate a key

        Important: Immediately copy the API key displayed in the field. For security reasons, you might be unable to view the full key again after saving or navigating away. If lost, you need to set or generate a new one.

    2. Click Save API Key. A success message confirms that the key is securely saved.

    Test the app configuration

    Verify if the User Identity Accessor for Jira Cloudapp is configured correctly by sending a request from your external system and confirming that user email addresses are returned successfully.

    Get the webtrigger URL
    1. On the Apps administrationpage, locate the Webtrigger URLsection, which displays the unique URL specific to your Jira site and this app installation:
      • Your external system must call this URL to request user emails.
      • The URL typically looks like: http://uuid/domain.net/x1/randomId . For example, https:// YOUR_INSTANCE_ID .hello.atlassian-dev.net/x1/ WEBTRIGGER_ID , where YOUR_INSTANCE_ID is your Jira Cloud instance identifier and WEBTRIGGER_ID is the unique identifier for the webtrigger endpoint generated for your app.
    2. Click the Copy URLbutton or copy the entire URL.
    Configure your external system

    • Configure your external system that needs to fetch Jira user emails with the API key and webtrigger URL obtained in the previous steps.

    • Endpoint URL: The webtrigger URL you copied.

    • HTTP Method: POST

    • Required Headers:

      • Content-Type: application/json

      • X-Api-Key: YOUR_API_KEY

        Replace YOUR_API_KEY with the API key you set or generated in the Set up the API key section.

    Example curl command

    This example demonstrates calling the User Identity Accessor for Jira Cloudwebtrigger, which accepts an array of account IDs and returns the email addresses.

     curl  
--location  
--request  
POST  
 'https:// YOUR_INSTANCE_ID 
.hello.atlassian-dev.net/x1/ ENDPOINT_PATH 
' 
  
 \ 
--header  
 'X-Api-Key: YOUR-API-KEY 
' 
  
 \ 
--header  
 'Content-Type: application/json' 
  
 \ 
--data-raw  
 '{ 
 "accountIds": [ 
 " ACCOUNT_ID_1 
", 
 " ACCOUNT_ID_2 
" 
 ] 
 }'

    Replace:

    • YOUR_INSTANCE_ID with your Jira Cloud instance ID
    • ENDPOINT_PATH with the API endpoint path
    • YOUR_API_KEY with the API key you set or generated in the Set up the API key section
    • ACCOUNT_ID with Atlassian account IDs you want to target
    Expected response
      [{ 
 "accountId" 
 : 
 " ACCOUNT_ID_1 
" 
 , 
 "emailAddress" 
 : 
 " EMAIL_ADDRESS_1 
" 
 }, 
  
 { 
 "accountId" 
 : 
 " ACCOUNT_ID_2 
" 
 , 
 "emailAddress" 
 : 
 " EMAIL_ADDRESS_2 
" 
 }]

    Replace:

    • ACCOUNT_ID_X with actual Atlassian account IDs
    • USER_EMAIL_X with user email addresses returned from your API call

    Implement security best practices

    To confirm the security of your API key, follow these recommendations:

    • Store the API key securely within your Jira Cloud Connector's configuration.
    • Verify that all communication with the webhook URL occurs over HTTPS. This is the default for User Identity Accessor for Jira Cloudwebtriggers.

    Support for User Identity Accessor for Jira Cloud

    Support offerings are available from Google for the User Identity Accessor for Jira Cloudapp that can include maintenance and regular updates to keep the app up-to-date. If you encounter any issues or have questions specific to the app functionality, contact Google Cloud Support . For more information, see Getting Cloud Customer Care .

    Create a Jira Cloud data store

    Console

    To use the Google Cloud console to sync data from Jira Cloud to Agentspace, follow these steps:

    1. Sign in to the Atlassian site as a user with organization administrator credentials.

    2. In the Google Cloud console, go to the Agentspacepage.

      Agentspace

    3. In the navigation menu, click Data Stores.

    4. Click Create data store.

    5. On the Select a data sourcepage, scroll or search for Jira Cloudto connect your third-party source and click Select.

    6. In the Authentication settingssection, enter the Instance URI, Instance ID, Client ID, and Client secret.

    7. Click Login.

    8. Verify that you are logged in as an adminuser, select the site on which the app will be used, and click Accept.

      Choose site
      Choose a site on which to use the app

    9. Click Continue.

    10. In the Advanced optionssection:

      • Optional. To allow a set of static IP addresses in your system, select Enable Static IP Addressesfor registration.

      • In the Max QPSfield, enter an integer to define the maximum queries per second to be sent to your Jira Cloud instance. The default value is 12 QPS.

      • In the Jira Identity Sync Forge URLfield, enter the URL generated by the User Identity Accessor for Jira Cloudapp.

      • In the Jira Identity Sync Forge Client Secretfield, enter the client secret configured in the User Identity Accessor for Jira Cloud, which is the API key you generated or created in the Set up the API key section.

      • Click Continue.

    11. In the Entities to syncsection, select the entities you want to sync from the following:

      • Issue

      • Attachment

      • Comment

      • Worklog

    12. To filter entities out of the index or ensure that they are included in the index, click Filter.

      Specify filters to include or exclude entities
      Specify filters to include or exclude entities.

    13. Click Save.

    14. Click Continue.

    15. Select the Sync frequencyfor Full syncand the Incremental sync frequencyfor Incremental data sync. For more information, see Sync schedules .

      If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options .

      Custom options for full data sync.
      Setting separate schedules for full entity sync and full identity sync.

    16. Click Continue.

    17. In the Configure your data connectorsection:

      1. Select a region for your data store. You cannot change the region later. For more information on multi-regions, see AI Applications locations .

      2. Enter a name for your data connector. You can change the name later.

      3. Optional. To change the data connector ID after entering the name, click Editand change the value. You cannot change the data connector ID after creating the data store.

      4. Click Create. Agentspace creates your data store and displays it on the Data Storespage.

    To check the status of your ingestion, go to the Data storespage and click your data store name to see details about it on its Datapage. The Connector statechanges from Creatingto Runningwhen it starts synchronizing data. When ingestion is complete, the state changes to Activeto indicate that the connection to your data source is set up and awaiting the next scheduled synchronization. Depending on the size of your data, ingestion can take several minutes or several hours.

    For detailed information on quotas, including default limits and instructions to request higher quotas, see the Quotas and limits .

    Error messages

    The following table describes the common error messages, their descriptions, and possible solutions when connecting Jira Cloud with Agentspace.

    Error code
    Error message
    Description
    Troubleshooting
    JIRA_INVALID_AUTH_1
    OAuth setup failed.
    A token refresh call encountered a problem, possibly related to credentials, the secret manager, or connectivity.
    Exception details are provided in the full error message. Possible causes and solutions include:
    • Connectivity issues: These generally resolve through internal retries.
    • Invalid credentials: Verify or correct the credentials.
    JIRA_INVALID_AUTH_2
    Authentication failed.
    The connector cannot authenticate with Jira Cloud because the user account lacks sufficient API access.
    Re-authenticate the datastore using administrator credentials.
    JIRA_MISSING_PERMISSION_1
    Non-admin users are not authorized to get the issue security schemes.
    A user account without administrator privileges attempted to retrieve the issue security schemes.
    Grant the necessary administrator permissions to the user account.
    JIRA_MISSING_PERMISSION_2
    Non-admin users cannot get permission schemes.
    A user account without administrator privileges attempted to retrieve permission schemes.
    Grant the necessary administrator permissions to the user account.
    JIRA_MISSING_PERMISSION_3
    Problem while fetching project permissions.
    A user account without administrator privileges attempted to retrieve project details.
    Grant the necessary administrator permissions to the user account.
    JIRA_IO_CONNECTION
    Problem while connecting to Jira.
    The connector fails to connect to your Jira Cloud instance, indicating a general inability to establish or maintain communication with the Jira server.
    Verify your Jira URL and cross check your authentication credentials. Verify your Jira instance is operational and your API token or OAuth scopes grant the necessary permissions.
    JIRA_INVALID_INSTANCE_ID
    Failed to fetch the required details from your Jira instance. Please check your Jira Instance ID. The Jira Instance ID must be a UUID.
    The system fails to retrieve necessary details from your Jira instance because the provided Jira Cloud instance ID is invalid. The Jira Instance ID must be a UUID.
    Ensure the instance ID you entered is a correct UUID.

    Known limitations

    • For unstructured data, each media type has different restrictions. For more information, see Prepare data for custom data sources .

    • For structured data, each document must not exceed 500 KB in size.

    • Application roles with specific, non-empty roles cannot be granted Browse project or security level permissions.

    • Document permissions determined by user custom fields or group custom fields are not supported.

    • Jira Cloud does not allow any restrictions on worklog levels.

    • Attachments added to private comments don't inherit the access restrictions (ACLs) on the comments.

    • Only the previous 20 comments for an issue in Jira Cloud are fetched.

    • Sprint tables can't be ingested.

    • The legacy user management model is not supported for integration with Jira Cloud. Only the centralized user management model is supported. For more information, see Atlassian Organization consolidation guide .

    Next steps
    Create a Mobile Website
    View Site in Mobile | Classic
    Share by: