# Atlassian Cloud Products ### Overview This integration enables a connection between Veza and an Atlassian Cloud tenant to discover the following services: * Atlassian Cloud Admin * Bitbucket * Jira Cloud * Confluence Cloud The integration includes cross-service connections to show relationships between IdP identities, Cloud Admin users and groups, and the local BitBucket, Confluence, or Jira accounts that those users can assume. This integration deprecates the original OAA connectors for BitBucket Cloud, Jira, and Confluence. You can now enable these products when configuring the Atlassian Cloud integration, and safely remove the original integrations. You should disable any integration secrets or service accounts that are no longer in use. ### Configuring Atlassian Cloud Two sets of credentials are required to enable the integration: * An admin API key, used to connect to the Cloud Admin API. See [Manage an Organization With Admin APIS](https://support.atlassian.com/organization-administration/docs/manage-an-organization-with-the-admin-apis/) for more details. * A user API key, used to connect to products such as Jira and Confluence. These are managed on a per-user basis. For more details, see [Manage API Tokens for your Atlassian Account](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/) * Bitbucket OAuth Consumer credentials, required when including Bitbucket in the products to discover. See the [Bitbucket OAuth Credentials Setup](#bitbucket-oauth-credentials-setup) section below for detailed instructions. {% hint style="info" %} **Why is an administrator key required?** To provide a complete and accurate view of your users and groups, Veza requires access to Atlassian's User Management and Organizations REST APIs. These APIs contain authorization metadata that is not available using product-level APIs for non-admin users. Veza uses the administrator key strictly for read-only purposes. The integration does not perform any administrative actions or make changes within your Atlassian Cloud environment. {% endhint %} #### Create a User for the Integration We recommend creating a unique user for the integration. The integration user should have read-only permissions to all products to discover, for listing entities and permissions. 1. Log in to the Admin portal at `admin.atlassian.com`. 2. Open the **Users List** and click **Invite Users**. 3. Enter an email address for the invitation. 4. Grant the user access to the products the integration will discover. The user status will change to active once you have accepted the invitation and accessed an Atlassian product. See [Create, Edit, and Delete Users](https://support.atlassian.com/jira-cloud-administration/docs/create-edit-and-delete-users/) for additional guidance. #### Retrieve an Admin API Key Veza connects to the Cloud Admin APIs to collect information about organizations, groups, and users. When creating the API key, you must select **Unscoped** as the key type. Scoped API keys do not return organization data from the Atlassian Admin API, even when the appropriate scopes are selected. {% hint style="warning" %} Atlassian offers two admin API key types: **scoped** (granular permissions) and **unscoped** (full access to all Admin APIs). The Veza integration requires an **unscoped** key because Atlassian's organization-level endpoints (such as `/admin/v1/orgs`) do not honor scoped permissions. A scoped key will cause the integration to fail with a "no organization found" error. Veza uses the key strictly for read-only operations. {% endhint %} 1. Log in to `admin.atlassian.com`. 2. Go to **Settings** > **API Keys**. 3. Choose **Create API key**. 4. Enter an identifying name for the API key. 5. For **Key type**, select **Unscoped**. 6. By default, keys expire in one week. To change the expiration date, pick a new **Expires on** date. 7. Select **Create** to save the API key. Copy the `Organization ID` and `API key` values for configuring the integration on Veza. 8. Click **Done**. The key will appear in the list of API keys. #### Retrieve Product API Key for a User Atlassian product APIs enable access to individual services, such as Jira or Confluence. 1. As the integration user, log in to `https://id.atlassian.com/manage-profile/security/api-tokens`. 2. Click **Create API Token**. 3. Enter a label for the token and click **Create**. 4. Copy the token, which will only appear once. #### Bitbucket OAuth Credentials Setup To enable Bitbucket discovery within the Atlassian Cloud integration, you need to create an OAuth Consumer in your Bitbucket workspace. This provides the necessary credentials for Veza to access Bitbucket repositories, projects, and user permissions. {% hint style="info" %} **OAuth Consumer vs. App Keys** Veza recommends using OAuth Consumer credentials for Bitbucket authentication. While legacy App Keys are still supported, OAuth Consumers are the preferred and more secure method. If you have existing App Keys, you should delete them after successfully configuring OAuth Consumer credentials. {% endhint %} **Create an OAuth Consumer** For more information, see [Atlassian's documentation on creating an OAuth consumer](https://support.atlassian.com/bitbucket-cloud/docs/use-oauth-on-bitbucket-cloud/). 1. From your profile avatar in the top-right, select the Bitbucket workspace you want to connect to Veza. 2. Select **Workspace Settings** > **OAuth consumers** (under **Apps and Features**). 3. Click the **Add Consumer** button to create a new OAuth Consumer. 4. Configure the following parameters for the new Consumer: * **Name**: Enter a descriptive name for the integration (e.g., "Veza Integration") * **Callback URL**: Set to `http://localhost` (this value is required but not used by the integration) * Check the box for **This is a private consumer** 5. Under **Permissions**, check the following boxes: * **Account - Read** * **Workspace Membership - Read** * **Projects - Read** * **Repositories - Admin** {% hint style="warning" %} **Repositories Admin Permission** The **Repositories - Admin** permission is required to discover repository permissions by group membership (e.g., when the Developers group has write access). Without Admin permission, Veza will fall back to user-based permission discovery, which may be significantly slower and could encounter timeout issues in larger deployments. {% endhint %} 5. Click **Save** to create the Consumer. 6. After the Consumer is created, click on it to view its **Key** and **Secret** values. 7. Copy both the **Key** and **Secret** - you'll need these when configuring the integration in Veza. **Legacy App Keys (Not Recommended)** Previous versions of the connector utilized user App Keys for authentication. This method is still supported but no longer recommended. If you are using OAuth Consumer credentials, any previous App Keys should be deleted for security purposes. ### Configuring Atlassian Cloud on the Veza Platform To enable the integration: 1. In Veza, go to **Integrations** and choose **Add Integration**. 2. Pick **Atlassian Cloud** as the integration to add and click **Next**. 3. Enter the required information and *Save* the configuration. | Field | Notes | | -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | Insight Point | Choose whether to use the default data plane or a deployed Insight Point. | | Name | A friendly name to identify the unique integration. | | Atlassian Url | Host URL, e.g. `veza.atlassian.net`. | | Admin API Key | Admin token from the previous steps. | | Products | Comma-separated list of products to discover (`jira, confluence, bitbucket`). | | Product User | Integration username, e.g. `integration@veza.com`. | | Product Token | User API token from the previous steps. | | Bitbucket OAuth Key | OAuth Consumer Key from the Bitbucket OAuth Consumer setup (required when `bitbucket` is included in Products). | | Bitbucket OAuth Secret | OAuth Consumer Secret from the Bitbucket OAuth Consumer setup (required when `bitbucket` is included in Products). | | Workspace | Bitbucket workspace name (required when `bitbucket` is included in Products). This should match the workspace name shown in your Bitbucket login URL. | | Skip Branch Protection Discovery | Optionally omit extraction of [branch protection policies](#branch-protection-policies) | > If you do not enter an admin API key, Veza can still extract data from Jira & Confluence. It will not, however, be able to correlate Jira & Confluence users with users from identity providers. \| Enable Usage for Lifecycle Management | Toggle to enable [Lifecycle Management](/4yItIzMvkpAvMVFAamTf/integrations/integrations/atlassian/provisioning.md) capabilities | ### Enable Lifecycle Management Atlassian Cloud supports automated user lifecycle management including user provisioning, group membership management, and deprovisioning across all Atlassian products (Admin, Jira, Confluence, and Bitbucket). To use Atlassian Cloud with Lifecycle Management, you will need the following additional configuration: * **SCIM URL** - The SCIM endpoint URL for your Atlassian organization * **SCIM Token** - Authentication token for user provisioning and deprovisioning operations * **SCIM Organization ID** - Your organization's SCIM identifier * **Admin API Key** - Required for group management and cross-system coordination The integration uses Atlassian's SCIM API for user provisioning and deprovisioning, while group membership management uses the Atlassian Cloud Admin API. Note that `product_token` and `product_user` are only required if you're also performing discovery operations (viewing Jira projects, Confluence spaces, and Bitbucket repositories) and are not needed for lifecycle management operations. For detailed configuration instructions, supported actions, and workflow examples, see the [Atlassian Cloud Lifecycle Management guide](/4yItIzMvkpAvMVFAamTf/integrations/integrations/atlassian/provisioning.md). ### Notes and Supported Entities #### Atlassian Cloud Admin * Atlassian Cloud Tenant * `tenant_unique_id` * Atlassian Cloud User * `account_type` * `account_status` * `access_billable` * `product_access` * `user_type` Limitations: * **Admin API access**: The integration user must be assigned to Bitbucket as an administrator to discover group permissions on repositories. This is optional. Without admin permission, the connector will discover users' effective permissions, which can be slower and will not indicate when these are derived through group membership. * Atlassian Cloud Admin is not able to discover external (unmanaged) users. [External users](https://support.atlassian.com/user-management/docs/what-are-managed-accounts/) have emails belonging to a domain outside of your organization, added manually to your Atlassian organization. * Atlassian and Jira support adding groups to groups to reduce duplication of entitlements, but do not return the details on group assignments within groups via their public API. The integration will discover all users that are members of a group directly or indirectly, but will not know if the user is directly assigned or inherited by group membership. #### Bitbucket Cloud * Bitbucket Cloud Project * `name` Project name * `key` Project Key * `description` Project Description * `is_private` True if the project is private * `has_publicly_visible_repos` List of publicly visible repos * Bitbucket Cloud Repo * `name` * `is_private` * `slug` * `project_key` * `fork_policy` * `default_branch_protected` * Bitbucket Cloud Group * `name` * Bitbucket Cloud User * `key` User ID. * `emailAddress` User's email address. * `name` User's name * `displayName` User's display name * `active` True if the user is an active user * `deleted` True if user deleted * Bitbucket Cloud Role * `project_key` Key of the project for the respective role **Branch Protection Policies** For Bitbucket Cloud repositories, Veza collects branch protection policies on the default branch. The property `default_branch_protected` will be `True` if any type of branch protection is configured. Additionally, the following boolean properties are `True` indicating the specific type of policy: * `allow_auto_merge_when_builds_pass` * `require_passing_builds_to_merge` * `enforce_merge_checks` * `require_approvals_to_merge` * `require_default_reviewer_approvals_to_merge` * `require_tasks_to_be_completed` Gathering branch protection policies will increase extraction time. You can disable this option when configuring the Atlassian Cloud integration. #### Confluence Cloud * Confluence User * `account_type` * `email` * `external_collaborator` * Confluence Space * `type` * `status` * `id` * `unlicensed_access` * `anonymous_access` #### Jira Cloud * Jira Group * Jira Instance * Jira Project * Jira Project Role (shown in Veza as ` - `) * Jira User Notes: * Due to Atlassian API limitations, the integration cannot currently retrieve Jira user attributes: `createdAt`, `lastLoginAt`, `deactivatedAt`, and `lastChangeAt`. * As roles are defined on a per-project basis, and role names can be duplicated across a Jira Cloud instance, project roles are translated as ` - ` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.veza.com/4yItIzMvkpAvMVFAamTf/integrations/integrations/atlassian.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.