Connect to a Bitbucket Server host

This page explains how to connect a Bitbucket Server host to Cloud Build. Connecting to a Bitbucket Server host integrates your Bitbucket Server repositories with Cloud Build. This way, you can configure build triggers to build repositories from Bitbucket Server and build repositories from Bitbucket Server in a private network.

Before you begin

  • Enable the Cloud Build, Secret Manager, and Compute Engine APIs.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

Required IAM permissions

To get the permissions that you need to connect to your Bitbucket Server host, ask your administrator to grant you the Cloud Build Connection Admin (roles/cloudbuild.connectionAdmin) IAM role on your user account. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

If your Bitbucket Server instance is hosted in a private network, see Build repositories from Bitbucket Server in a private network to learn about additional IAM roles required to configure a host connection.

Create personal access tokens

Before you create a host connection for your Bitbucket Server instance, create personal access tokens in Bitbucket Server by doing the following:

  1. Sign in to your Bitbucket Server instance.

  2. Follow the instructions to create HTTP access tokens for your user account.

    1. Create an access token with the repository admin scope to use for connecting and disconnecting repositories.

    2. Create an access token with the repository read scope to ensure Cloud Build repositories can access source code in repositories.

  3. Save your token values securely. You'll use them to connect to your Bitbucket Server repository.

Connect to a Bitbucket Server host

Console

To connect your Bitbucket Server host to Cloud Build:

  1. Open the Repositories page in the Google Cloud console.

  2. At the top of the page, select the 2nd gen tab.

  3. In the project selector in the top bar, select your Google Cloud project.

  4. Click Create host connection to connect a new host to Cloud Build.

  5. On the left panel, select Bitbucket as your source provider.

  6. In the Configure Connection section, enter the following information:

    • Region: Select a region for your connection. You must specify a region. Your connection cannot exist globally.

    • Name: Enter a name for your connection.

  7. In the Host details section, select or enter the following information:

    • Bitbucket host: Select Bitbucket Data Center as your host.

    • Host URL: Enter the URL of your host.

  8. Optional: If you want to manage the encryption keys used to encrypt the access tokens for your Bitbucket Server repositories, then go to the Encryption section and choose a Cloud Key Management Service key. For more information, see Enable customer-managed encryption keys for Secret Manager.

  9. In the Networking section, select one of the following options:

    • Public internet: Select this option if your instance is accessible using the public internet.

    • Private network: Select this option if your instance is hosted on a private network. Then, configure the following:

      1. CA Certificate: Your self-signed certificate. Click Browse to open the certificate from your local machine.

        Your certificate must not exceed 10 KB in size and should be in PEM format (.pem, .cer, or .crt). If you leave this field blank, Cloud Build uses a certificate from the default set of certificates.

      2. Under Service Directory service, select the location for your service:

        • In project CURRENT_PROJECT
        • In another project
        • Enter manually
      3. Enter the following information:

        • Project: If you selected In another project or Enter manually, then enter or select your Google Cloud project ID from the drop-down menu.

        • Region: This field pre-selects the region of your connection. The region specified for your service must match the region associated with your connection.

        • Namespace: Select the namespace of your service.

        • Service: Select the service name in your namespace.

  10. In the HTTP access tokens section, enter the following information:

    • Admin access token: Enter the token with the repository admin scope access. This token is used for connecting and disconnecting repositories.

    • Read access token: Enter the token with the repository read scope access. Cloud Build triggers use this token to access source code in repositories.

  11. Click Connect.

    After clicking the Connect button, your personal access tokens are securely stored in Secret Manager. After connecting to the Bitbucket Server host, Cloud Build creates a webhook secret on your behalf. You can view and manage your secrets on the Secret Manager page.
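
The CA Certificate field in the Networking step accepts only PEM files of at most 10 KB. The following added example (not part of the Cloud Build documentation or tooling) checks a file locally before you upload it; the helper name check_ca_pem and the reading of 10 KB as 10,240 bytes are assumptions.

```shell
#!/usr/bin/env bash
# Added example: local pre-flight for the "CA Certificate" field.
# Assumption: "10 KB" is interpreted as 10 * 1024 bytes.
MAX_CA_BYTES=10240

# check_ca_pem FILE  (hypothetical helper name)
# Returns 0 ok, 1 unreadable/empty, 2 too large, 3 not PEM (for example a
# DER-encoded .cer), 4 malformed base64 body, 5 private key present.
check_ca_pem() {
  local file=$1 size begins ends body
  if [ ! -r "$file" ] || [ ! -s "$file" ]; then
    echo "unreadable or empty"; return 1
  fi

  size=$(wc -c < "$file" | tr -d ' ')
  if [ "$size" -gt "$MAX_CA_BYTES" ]; then
    echo "too large: $size bytes (limit $MAX_CA_BYTES)"; return 2
  fi

  # A .pem bundle exported with its key must never be uploaded as a CA cert.
  if grep -q -a -e 'PRIVATE KEY-----' "$file"; then
    echo "contains a private key"; return 5
  fi

  # PEM is text with BEGIN/END armor; DER is binary and has neither.
  begins=$(grep -c -a -e '^-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -a -e '^-----END CERTIFICATE-----' "$file" || true)
  if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
    echo "not PEM: $begins BEGIN and $ends END markers"; return 3
  fi

  # Lines between the markers may contain only base64 characters.
  body=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$file" |
    grep -a -v -e '^-----' | tr -d '\r')
  if [ -z "$body" ] || printf '%s\n' "$body" | grep -q -e '[^A-Za-z0-9+/=]'; then
    echo "malformed PEM body"; return 4
  fi

  echo "ok: $begins certificate(s), $size bytes"
}
```

A .cer file can be DER-encoded rather than PEM; that case returns 3. The check is structural only, so a file that passes can still be parsed fully with openssl x509 -in FILE -noout.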

gcloud

  1. Store your tokens in Secret Manager.

  2. Create a webhook secret in Secret Manager by running the following command, where WEBHOOK_SECRET is the name you want to give to your webhook secret:

       
    cat /proc/sys/kernel/random/uuid | tr -d '\n' | gcloud secrets create WEBHOOK_SECRET --data-file=-

  3. If you store your secrets in a different Google Cloud project than the one you plan to use to create a host connection, run the following command to grant the Cloud Build service agent access to your project:

    PN=$(gcloud projects describe PROJECT_ID --format="value(projectNumber)")
    CLOUD_BUILD_SERVICE_AGENT="service-${PN}@gcp-sa-cloudbuild.iam.gserviceaccount.com"
    gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:${CLOUD_BUILD_SERVICE_AGENT}" \
        --role="roles/secretmanager.admin"


    Where:

    • PROJECT_ID is your Google Cloud project ID.

You can now proceed to connect your Bitbucket Server host to Cloud Build.

  1. Run the following command to create a Bitbucket Server connection:

    gcloud builds connections create bitbucketserver CONNECTION_NAME \
        --host-uri=HOST_URI \
        --project=PROJECT_ID \
        --region=REGION \
        --authorizer-token-secret-version=projects/PROJECT_ID/secrets/ADMIN_TOKEN/versions/SECRET_VERSION \
        --read-authorizer-token-secret-version=projects/PROJECT_ID/secrets/READ_TOKEN/versions/SECRET_VERSION \
        --webhook-secret-secret-version=projects/PROJECT_ID/secrets/WEBHOOK_SECRET/versions/SECRET_VERSION

    Where:

    • CONNECTION_NAME is a name for your Bitbucket Server host connection in Cloud Build.
    • HOST_URI is the URI of your Bitbucket Server instance.
    • PROJECT_ID is your Google Cloud project ID.
    • REGION is the region for your connection.
    • ADMIN_TOKEN is the name of your token with repository admin scope.
    • READ_TOKEN is the name of your token with repository read scope.
    • SECRET_VERSION is the version of your secret.
    • WEBHOOK_SECRET is your webhook secret.

Terraform

You can connect your Bitbucket Server host to Cloud Build using Terraform.

In the following example, the code snippet does the following:

  • Configures the Terraform Google provider.
  • Creates a Secret Manager secret to store the Bitbucket tokens.
  • Grants necessary permissions to the Cloud Build service agent to access secrets.
  • Creates a Bitbucket Server connection.

    // Configure the Terraform Google provider
    terraform {
      required_providers {
        google = {}
      }
    }

    provider "google" {
      project = "PROJECT_ID"
      region  = "REGION"
    }

    // Create secrets and grant permissions to the Cloud Build service agent
    resource "google_secret_manager_secret" "admin-token-secret" {
      project   = "PROJECT_ID"
      secret_id = "ADMIN_TOKEN_NAME"

      replication {
        auto {}
      }
    }

    resource "google_secret_manager_secret_version" "admin-token-secret-version" {
      secret      = google_secret_manager_secret.admin-token-secret.id
      secret_data = "ADMIN_TOKEN_VALUE"
    }

    resource "google_secret_manager_secret" "read-token-secret" {
      project   = "PROJECT_ID"
      secret_id = "READ_TOKEN_NAME"

      replication {
        auto {}
      }
    }

    resource "google_secret_manager_secret_version" "read-token-secret-version" {
      secret      = google_secret_manager_secret.read-token-secret.id
      secret_data = "READ_TOKEN_VALUE"
    }

    resource "google_secret_manager_secret" "webhook-secret-secret" {
      project   = "PROJECT_ID"
      secret_id = "WEBHOOK_SECRET_NAME"

      replication {
        auto {}
      }
    }

    resource "google_secret_manager_secret_version" "webhook-secret-secret-version" {
      secret      = google_secret_manager_secret.webhook-secret-secret.id
      secret_data = "WEBHOOK_SECRET_VALUE"
    }

    data "google_iam_policy" "p4sa-secretAccessor" {
      binding {
        role    = "roles/secretmanager.secretAccessor"
        members = ["serviceAccount:service-PROJECT_NUMBER@gcp-sa-cloudbuild.iam.gserviceaccount.com"]
      }
    }

    resource "google_secret_manager_secret_iam_policy" "policy-pak" {
      project     = google_secret_manager_secret.admin-token-secret.project
      secret_id   = google_secret_manager_secret.admin-token-secret.secret_id
      policy_data = data.google_iam_policy.p4sa-secretAccessor.policy_data
    }

    resource "google_secret_manager_secret_iam_policy" "policy-rpak" {
      project     = google_secret_manager_secret.read-token-secret.project
      secret_id   = google_secret_manager_secret.read-token-secret.secret_id
      policy_data = data.google_iam_policy.p4sa-secretAccessor.policy_data
    }

    resource "google_secret_manager_secret_iam_policy" "policy-whs" {
      project     = google_secret_manager_secret.webhook-secret-secret.project
      secret_id   = google_secret_manager_secret.webhook-secret-secret.secret_id
      policy_data = data.google_iam_policy.p4sa-secretAccessor.policy_data
    }

    // Create the connection resource
    resource "google_cloudbuildv2_connection" "my-connection" {
      project  = "PROJECT_ID"
      location = "REGION"
      name     = "CONNECTION_NAME"

      bitbucket_server_config {
        host_uri = "BITBUCKET_URI"

        authorizer_credential {
          user_token_secret_version = google_secret_manager_secret_version.admin-token-secret-version.id
        }

        read_authorizer_credential {
          user_token_secret_version = google_secret_manager_secret_version.read-token-secret-version.id
        }

        webhook_secret_secret_version = google_secret_manager_secret_version.webhook-secret-secret-version.id
      }

      depends_on = [
        google_secret_manager_secret_iam_policy.policy-pak,
        google_secret_manager_secret_iam_policy.policy-rpak,
        google_secret_manager_secret_iam_policy.policy-whs
      ]
    }


Where:

  • PROJECT_ID is your Google Cloud project ID.
  • PROJECT_NUMBER is your Google Cloud project number.
  • ADMIN_TOKEN_NAME is the name of your token with repository:admin scope.
  • ADMIN_TOKEN_VALUE is the value of your ADMIN_TOKEN_NAME.
  • READ_TOKEN_NAME is the name of your token with repository:read scope.
  • READ_TOKEN_VALUE is the value of your READ_TOKEN_NAME.
  • WEBHOOK_SECRET_NAME is the name of your webhook secret.
  • WEBHOOK_SECRET_VALUE is the value of your WEBHOOK_SECRET_NAME.
  • REGION is the region for your connection.
  • CONNECTION_NAME is a name for your Bitbucket Server host connection in Cloud Build.
  • BITBUCKET_URI is the URI of your Bitbucket Data Center instance.

What's next
