Bamboo provides ways to verify that remote agents are allowed to connect to the Bamboo server. This provides improved security for sensitive information in Bamboo.
- Bamboo prevents unknown remote agents from connecting to the Bamboo server.
- Remote agents need to be manually approved by an administrator before they can communicate with the Bamboo server in any way.
- You can enable security token verification for additional level of safety.
Remote agent authentication (the manual agent approval) doesn't interfere with security token verification an both features can be enabled or disabled independently.
Note that Elastic agents do not have to be approved.
Authenticating remote agents
To enable agent authentication:
- Click the icon in the Bamboo header and choose Overview.
- Then select Agents (under 'Build Resources').
- Click Enable Remote Agent Authentication, and then Confirm.
Now you can approve access for a particular remote agent. To do this, click on the Agent Authentication tab (under 'Remote Agents').
See Bamboo remote agent installation guide for details about installing a remote agent.
Security token verification
Enable token verification to ask all remote agents to provide the token during the initial contact with the Bamboo server. Once you enable the verification, all agents that try to connect to Bamboo without the token are rejected before leaving any trail in Bamboo. By default, the feature is disabled for Bamboo Server.
This feature doesn't affect elastic agents.
Enabling security token verification
To enable security token verification, go to Bamboo administration > Build resources > Agents.
When you enable the verification, all agents that are already authenticated and connected continue to work. In other words, no running builds should be stopped or broken when the feature gets enabled. However, on server restart or agent restart each agent is required to have a correct token.
There are problems with backward compatibility. If the feature is enabled, old agents (from older Bamboo versions) will not be able to connect. Users need to download the new agent JAR.
Viewing the current security token
To view the current token, go to Bamboo administration > Build resources > Agents > Install remote agent page.
Each time the feature gets enabled, a new security token is generated, which means that disabling and re-enabling security token verification can be used to reset the token.
- If the agent's IP address changes, perhaps because DHCP is being used, then you will have to reapprove the agent when it next tries to connect using that different IP address.
- If you know the IP range of the remote agents, then you can allow the remote agents to connect from specific subsets. It is possible to work with wildcard characters to approve a range of IP addresses provided these remote agents keep the same UUID after a restart. Go to Agents > Agent Authentication > Edit remote agent authentication IP, where you can use wildcard characters to match multiple IP addresses.
- If you revoke access for a connected agent, the agent will remain connected and will continue to run. However, if the agent is subsequently restarted, it will not be able to connect.
- If you enable remote agent authentication, having previously revoked access for connected agents and disabled remote agent authentication, then you get the option to approve access for all connected agents at once. If you don't approve this, the agents stay connected and continue to run, but you will need to manually approve them when they next try to connect.