BitBucket Cloud auth

A Concourse server can authenticate against BitBucket Cloud to leverage its permission model.


First, you'll need to create an OAuth consumer on Bitbucket Cloud.

The consumer will need the following permissions:

  • Account:

    • Email

    • Read

  • Team membership:

    • Read

The "Callback URL" must be the URL of your Concourse server with /sky/issuer/callback appended. This address must be reachable by BitBucket Cloud - it can't be localhost.
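A pre-flight check for the callback URL rule above, as an added example that is not part of the Concourse documentation. The function name and the sample URLs in the usage note are constructed, and the warning on plain http is an added caveat rather than a requirement stated on this page.

```shell
#!/bin/sh
# Added example: derive the OAuth consumer "Callback URL" from the Concourse
# server URL and reject hosts that only resolve on the local machine.

CALLBACK_PATH="/sky/issuer/callback"    # suffix given on this page

# Prints the callback URL on stdout.
# Returns 1 for a loopback host, 2 for a URL without an http(s) scheme.
concourse_callback_url() {
    url=${1%/}                           # drop one trailing slash
    case $url in
        https://*) rest=${url#https://} ;;
        http://*)  rest=${url#http://}
                   # Assumption: the OAuth code travels in this redirect,
                   # so plain http is flagged but not rejected.
                   echo "warning: callback URL is not https" >&2 ;;
        *) echo "error: URL must start with http:// or https://" >&2
           return 2 ;;
    esac

    authority=${rest%%/*}                # host[:port], path removed
    authority=${authority##*@}           # strip any userinfo
    case $authority in
        \[*) host=${authority%%\]*}; host=${host#\[} ;;   # [IPv6]:port
        *)   host=${authority%%:*} ;;                      # name or IPv4
    esac
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')

    case $host in
        ''|localhost|*.localhost|127.*|0.0.0.0|::1)
            echo "error: '$host' is not reachable from Bitbucket Cloud" >&2
            return 1 ;;
    esac

    printf '%s%s\n' "$url" "$CALLBACK_PATH"
}
```

Calling `concourse_callback_url https://ci.example.com/` prints `https://ci.example.com/sky/issuer/callback`, while `http://localhost:8080` is rejected with status 1.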

For example, Concourse's own CI server's callback URL would be:


You will be given a Client ID and a Client Secret for your new application. The client ID and secret must then be configured on the web node by setting the following environment variables:



BitBucket users and teams can be authorized for a team by passing the following flags to fly set-team:


Authorize an individual user.


Authorize an entire organization's members.

For example:

$ fly set-team -n my-team \
    --bitbucket-cloud-user my-bitbucket-login \
    --bitbucket-cloud-team my-bitbucket-team

...or via --config for setting user roles:

roles:
- name: member
  bitbucket-cloud:
    users: ["my-bitbucket-login"]
    teams: ["my-bitbucket-team"]

Configuring main Team Authorization

BitBucket users and teams can be added to the main team authorization config by setting the following environment variables on the web node:


Multiple teams and users may be specified by comma-separating them.