We talked to Automation Consultants’ Josh Pearce to better understand the role of API interactions and the benefits of using API tokens. Josh has worked in Consultancy at Automation Consultants for over 5 years, and is now focused on expanding the services Automation Consultants delivers to new and existing customers in the United States.
Resolution: What’s the reason that you started looking for a solution to secure interactions with the Jira REST API?
Josh: As Platinum Solution Partners, we have internal Jira systems that are used on a regular basis. When not working on customers’ projects, our consultancy team will spend time reviewing and streamlining our internal processes within Jira, using automation and scripting where possible, which typically involves using the REST API. The particular example that led to us using your app was a Python script which retrieved data from Jira and generated Sales reports.
We currently have SSO on our Jira instance. To avoid having the team code usernames and passwords into their scripts, which can provide gateways into our other systems if the script was ever compromised, we wanted to make use of an API token system. This would also solve the additional problem posed by the fact that our passwords expire after 60 days. This is where your brilliant app came into play!
The team can now interact with Jira’s REST API without having to hardcode their password, which needs to be regularly updated and would be a higher security threat if exposed.
R: Were you and your colleagues used to managing access to other APIs with tokens?
J: Our consultancy team works with a wide range of customer platforms, to facilitate the migration of data or to create bespoke integrations, and this will typically involve the use of API tokens for communication to, and between, these platforms. As an Atlassian Platinum Solution Partner, we are also extremely familiar with using Atlassian Cloud’s API Token system.
R: Are only your consultants using the Jira REST API?
J: We have three main technical teams that would benefit from the token functionality: Consultancy, Support and Development; however, the consultancy team will be the predominant users of Jira’s REST API, and therefore the API Token Authenticator Jira app.
The wider company will also make use of the tokens to retrieve datasets from Jira in order to generate reports and perform analysis.
R: Can you mention other examples of scripts and connections that are important for how you use Jira?
J: As previously mentioned, the integrations are intended to automate our internal processes. One example is planning consultancy projects, which we do using Jira, Tempo Timesheets and Tempo Planner’s REST APIs.
AC has automated internal service management with the Tempo and Jira APIs
We also run services in AWS that are connected to aspects of our website used for customer engagement. This workflow will normally involve calls to Jira’s API to log information as issues, as we try to centralise all our processes within Jira.
R: What’s your security best practice for token management? Do you apply expiration dates, monitor usage, etc?
J: We absolutely make use of token expiration, which is great for applying an upper limit of token expiry, as the team can then choose if they would like the token to expire sooner based on the use case. We have also removed the ability to authenticate against the REST API using passwords and have restricted the use of the REST API to a range of IPs as an extra security measure. This will ensure that the team are on the company network to make REST API calls.
Thanks to API Tokens, we have been able to disable password-based authentication to Jira’s API and made sure connections can only be made from our company network
R: Do you have any feedback about the app?
J: Resolution’s API Token Authentication has all the functionality we were expecting and more. We particularly liked the extra levels of security that are provided like token expiration, restricting who can create tokens, etc. This made it an easy decision for us and we would definitely recommend this to any Atlassian customers who are looking for a more secure and reliable way to interact with Jira’s REST API on Server or Data Center.
If I could make a wish to add something in the future, it would be great to see an audit log for token usage, and whether the token was accepted or rejected and the reasons why. For example, the token has expired or is being called from outside the accepted IP range.
(Note: The product’s upcoming release will include an audit log where IP range restriction violations are included among other information.)
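The controls Josh describes (token expiry with an upper limit, no password fallback, an IP allowlist) and the audit trail he asks for can be sketched as a small policy check. This is an added illustration in Python, not code from resolution’s app or from Automation Consultants; every name, network range and token value in it is hypothetical or constructed.

```python
"""Added example (not resolution's or AC's code): token checks from the
interview (secret match, upper lifetime limit, per-token expiry, IP allowlist)
that log an accept/reject decision with its reason. Values are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

MAX_LIFETIME = timedelta(days=90)           # assumed admin-set upper expiry limit
ALLOWED_NETS = [ip_network("10.0.0.0/8")]  # constructed company network range
AUDIT_LOG: list = []                        # decision records, newest last

@dataclass
class ApiToken:
    user: str
    secret_hash: str    # only a hash is stored; the token itself is never persisted
    created: datetime
    expires: datetime

def new_token(user: str, secret: str, created: datetime, days: int) -> ApiToken:
    digest = hashlib.sha256(secret.encode()).hexdigest()
    return ApiToken(user, digest, created, created + timedelta(days=days))

def authenticate(tok: ApiToken, presented: str, source_ip: str, now: datetime) -> dict:
    """Run the checks in order; the first failure becomes the logged reason."""
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(tok.secret_hash, presented_hash):  # constant-time
        reason = "invalid token"
    elif tok.expires - tok.created > MAX_LIFETIME:
        reason = "lifetime exceeds policy maximum"
    elif now >= tok.expires:
        reason = "token expired"
    elif not any(ip_address(source_ip) in net for net in ALLOWED_NETS):
        reason = "source IP outside allowed range"
    else:
        reason = "ok"
    entry = {"when": now.isoformat(), "user": tok.user, "ip": source_ip,
             "accepted": reason == "ok", "reason": reason}
    AUDIT_LOG.append(entry)   # every attempt is recorded, accepted or not
    return entry

def demo() -> list:
    """Constructed scenarios; returns the logged reasons in order."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    tok = new_token("josh", "s3cret-example", now - timedelta(days=10), 30)
    cases = [("s3cret-example", "10.1.2.3", now), ("s3cret-example", "203.0.113.5", now),
             ("s3cret-example", "10.1.2.3", now + timedelta(days=25)), ("wrong-token", "10.1.2.3", now)]
    return [authenticate(tok, *case)["reason"] for case in cases]
```

Each entry in `AUDIT_LOG` carries the same information the interview wishes for: who presented a token, from which address, and why it was rejected.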
About Automation Consultants
Automation Consultants (AC) is an Atlassian Platinum Solution Partner and AWS Select Partner. Their Consultancy team have a wealth of experience with Atlassian, but also with integrations, infrastructure, security and networking that supports business-critical applications. To provide the best result for their clients, they hold accreditations across a range of technologies and frameworks, from AWS to Scaled Agile, in addition to Atlassian Certifications.
A fundamental piece in their way of working is the use of a highly customized Jira instance, where Jira’s REST API is regularly used for automations and bespoke integrations. Automation Consultants recently started using resolution’s API Token Authentication to secure all those interactions.