Offboarding SonarCloud project admins (handling of API keys)

Dear Community,

I’d like to understand more about API key usage within SonarCloud and how “offboarding” works for “project admins”. Let’s say:

  • I have joe@bitbucket set up with “Create Project” rights.
  • Joe creates a project and receives an API key, which can be used by our CI pipeline to perform scans - all good
  • Joe decides to leave the company and gets offboarded (removed) from the company’s BitBucket account
  • Would all of Joe’s API keys get invalidated, potentially rendering CI pipeline scans inoperable?
  • Is there a way to “centralise” these API keys - like collect them under the actual Org owner (who pays the bills) - whose access cannot be cancelled? (Actually, what happens if the “SonarCloud Org owner” leaves the company and their access gets revoked?)

I hope you understand my concerns here; I’m pretty sure there is a reasonable way to do this, other than handling the situation retroactively…

Thanks for all the answers in advance!

Hi @Zoltan_Penzeli , welcome to the community!

  • Would all of Joe’s API keys get invalidated, potentially rendering CI pipeline scans inoperable?

Absolutely, yes.

  • Is there a way to “centralise” these API keys - like collect them under the actual Org owner (who pays the bills) - whose access cannot be cancelled? (Actually, what happens if the “SonarCloud Org owner” leaves the company and their access gets revoked?)

A token is always bound to a user account, and this account must have the “Analyze” permission on the projects. But this account does not have to be the account of a real employee. Usually, I advise creating a technical account on Bitbucket, ci@bitbucket for example, logging in with this account on SonarCloud, giving it the appropriate rights on the organization and projects, and using it to generate the CI tokens.
The benefits are: the tokens are centralized on a single account, which won’t be disabled if someone leaves the company or moves to another team with different accesses, and won’t become inaccessible because that person is on holiday when a token rotation is required, for example.

Once a token has been created from a given account, it can’t be moved to another account. This means that if Joe is already the owner of several tokens, you’ll have to generate new tokens from the new technical account, and update your existing pipelines to use the new tokens.

HTH,
Claire
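The rotation Claire describes (recreate Joe’s tokens under the technical account, then revoke the originals) as an added example; this is not code from the thread or from SonarSource. It assumes the SonarQube/SonarCloud Web API endpoints `api/user_tokens/search`, `api/user_tokens/generate` and `api/user_tokens/revoke` accept a `login` parameter when called by an admin, and `SONAR_URL`, the login names and `make_fake_call` are constructed for illustration; verify the endpoints on your instance’s `/web_api` page before use.

```python
import base64
import json
import urllib.parse
import urllib.request

SONAR_URL = "https://sonarcloud.io"  # assumed base URL

def make_http_call(admin_token):
    # Returns call(method, path, params); the token is sent as user with an empty password.
    auth = base64.b64encode(f"{admin_token}:".encode()).decode()
    def call(method, path, params):
        query = urllib.parse.urlencode(params)
        url = f"{SONAR_URL}/{path}" + ("" if method == "POST" else f"?{query}")
        req = urllib.request.Request(url, data=query.encode() if method == "POST" else None,
                                     method=method, headers={"Authorization": f"Basic {auth}"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")
    return call

def list_token_names(call, login):
    """Token names owned by `login`; the secrets themselves can never be read back."""
    return [t["name"] for t in call("GET", "api/user_tokens/search", {"login": login}).get("userTokens", [])]

def rotate_tokens(call, departing_login, tech_login):
    """Recreate each of the departing user's tokens under the technical account and return
    {name: new_secret} to store in the CI secured variables (tokens cannot be moved between
    accounts). Old tokens are revoked only after every replacement exists, so no pipeline
    is left without a valid token mid-rotation."""
    replacements = {}
    for name in list_token_names(call, departing_login):
        new = call("POST", "api/user_tokens/generate", {"login": tech_login, "name": name})
        replacements[name] = new["token"]
    for name in replacements:
        call("POST", "api/user_tokens/revoke", {"login": departing_login, "name": name})
    return replacements

def make_fake_call(state):
    """Constructed offline stand-in for the API; state maps login -> list of token names."""
    def call(method, path, params):
        owned = state.setdefault(params["login"], [])
        if path == "api/user_tokens/search":
            return {"userTokens": [{"name": n} for n in owned]}
        if path == "api/user_tokens/generate":
            if params["name"] in owned:  # a user cannot have two tokens with the same name
                raise ValueError(f"token {params['name']} already exists for {params['login']}")
            owned.append(params["name"])
            return {"token": f"fake-{params['login']}-{params['name']}"}
        if path == "api/user_tokens/revoke":
            owned.remove(params["name"])
            return {}
        raise ValueError(path)
    return call
```

Run it against the real API with `rotate_tokens(make_http_call(ADMIN_TOKEN), "joe", "ci")` and paste the returned secrets into the pipelines’ secured variables; the fake lets you rehearse the flow first.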
