Atlassian Bamboo
AtlassianCI/CD6 credentials
Database Password
atlassian-bamboo / database-password
Bamboo stores database connection settings for external databases in its home configuration. The database username and password are operator-supplied credentials used by Bamboo to connect to the Bamboo database.
Looks like
pattern<property name="hibernate\.connection\.username">[^<]+</property>\s*<property name="hibernate\.connection\.password">[^<]*</property><property name="hibernate\.connection\.password">[^<]*</property>Location
$BAMBOO_HOME/bamboo.cfg.xmlBamboo home configuration file
Bamboo home backups, migration bundles, snapshots, support exports
Notes
Database access can expose build configuration, deployment project metadata, stored credentials metadata, user-directory state, and plugin configuration. Bamboo home backups should be treated as credential-bearing artifacts.
Local User / Administrator Password
atlassian-bamboo / local-user-admin-password
Bamboo local users, including administrators created during setup or by operators, authenticate with passwords stored in the configured user directory. For internal directories, password material is database state rather than a plaintext file.
Looks like
patterncwd_user.*credential[^\s:@]+:[^\s:]+Location
internal user directory tables, including cwd_user credential data
/userlogin.actionBamboo web login for users and administrators
/rest/api/*Bamboo REST API Basic authentication in legacy scripts
scripts and integrations that embed Bamboo usernames and passwords
Notes
There is no universal shipped Bamboo administrator password. The setup flow or an operator creates administrator credentials, and later users may be local, LDAP-backed, Crowd-backed, SSO-backed, or externally managed.
Personal Access Token
atlassian-bamboo / personal-access-token
Bamboo personal access tokens replace username and password authentication for scripts and external applications. Atlassian documents them as bearer tokens for REST API calls and for downloading artifacts, logs, and agent installers.
Looks like
exampleNDc4NDkyNDg3ODE3OstHYSeYC1UgXqRacSqvUbookcZkAuthorization:\s*Bearer\s+[^\s]+Location
BAMBOO_TOKEN, BAMBOO_PATautomation scripts, curl commands, release tooling, CI/CD configs
REST client debug logs when Authorization headers are printed
deployment-platform and CI/CD secret stores
Notes
A Bamboo PAT carries the creating user's permissions. Admins can revoke tokens, but cannot create tokens on behalf of users according to Atlassian's PAT documentation.
Repository / Shared Credential
atlassian-bamboo / repository-credential
Bamboo plans and linked repositories store credentials used to access source-code repositories and other external systems. These include username/password pairs, access tokens, and shared credentials reused by multiple plans.
Looks like
pattern(password|passphrase|token|accessKey|secretKey)Location
Bamboo plan, repository, and shared-credential records
Bamboo Specs repositories and deployment scripts
Bamboo shared credentials and linked repository authentication
Bamboo exports and database backups
Notes
Credentials stored for repository polling and checkout often reach outside Bamboo into Bitbucket, GitHub, GitLab, artifact repositories, container registries, and deployment targets. A leaked Bamboo database or export can therefore expose credentials for many downstream systems.
SSH Private Key
atlassian-bamboo / ssh-private-key
Bamboo can use SSH keys for linked repositories, deployments, and remote systems reached by build tasks. The private key is the secret half of the credential and may be stored in Bamboo or on build agents.
Looks like
pattern-----BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY-----Location
Bamboo shared credentials and linked repository credentials
~/.ssh/id_*, ~/.ssh/*_bamboo*Bamboo server and remote agent filesystems
accidentally committed deployment keys in Bamboo Specs repositories
job artifacts, logs, or exports that accidentally include key files
Notes
The key's blast radius is determined by the systems that trust the public key: source repositories, deployment hosts, artifact stores, or cloud infrastructure used by Bamboo jobs.
Build / Deployment Variable Secret
atlassian-bamboo / build-variable-secret
Bamboo variables can be referenced by plans, jobs, tasks, and deployments. Operators frequently place passwords, tokens, and API keys in Bamboo variables or password fields for build and deployment use.
Looks like
pattern\$\{bamboo\.[A-Za-z0-9_.-]+\}Location
Bamboo global, project, plan, and deployment variable storage
Bamboo Specs repositories and scripts using ${bamboo.*} variables
build logs when tasks echo expanded variables
Notes
Atlassian documents that variables are used in task fields and that password fields are treated specially. Secret values still leak when copied into scripts, echoed by jobs, written to artifacts, or exported through backups.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.