How to grant branch permissions to OAuth consumer?

I have a Bitbucket Pipelines script that wants to push some changes back to the master branch.

If branch permissions are enabled (which I have) OAuth seems to be the preferred way to do that (see docs on pushing back using alternative authentication methods). So I set up an OAuth consumer for my org workspace but unfortunately, my script fails with Permission denied to update branch master.

The OAuth consumer has read/write permission to the repository but I cannot select it in the branch permission settings to allow write access. I have also tried to select Administrators without success.

If I set the write branch permission to Everyone it obviously works.

Does anyone know a way to make this work? Did I understand the docs on pushing back using alternative authentication methods wrongly?

Hey @tbinna

I have reached out to the product team. They should get back to you soon.

Thanks.

Hey @tbinna,
unfortunately there is no real good answer to this problem yet.
There are some options, but they are not great:

• create an app password and inject that into the build to push back to the repo. The risk here, is that someone could extract it from your build and use the app password to access other repositories and data (since the app password can access the same data that your user can access - but respecting the configured scopes for the app password).
• create a separate Bitbucket user that you treat as a bot user, that only has access to that repository. You can then use that bot user (e.g. through an app password) to push back to the repo.

We have a couple of feature requests open that would improve this:

• https://jira.atlassian.com/browse/BCLOUD-20344
• https://jira.atlassian.com/browse/BCLOUD-19136