| title | shortTitle | intro | versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
Managing access for a migration from Bitbucket Server |
Manage access |
Before you use {% data variables.product.prodname_importer_proper_name %}, make sure you have appropriate access to both the source and destination of your migration. |
|
{% data reusables.enterprise-migration-tool.required-access-intro %}
To migrate a repository from Bitbucket Server to GitHub, you need sufficient access to both the source (your Bitbucket Server instance) and the destination (an organization on {% data variables.product.prodname_dotcom %}). To have sufficient access, you'll need all of the following things.
- A required role in the destination organization on {% data variables.product.prodname_dotcom %}
- A {% data variables.product.pat_generic %} that can access the destination organization on {% data variables.product.prodname_dotcom %}
- The {% data variables.product.pat_generic %} must have all the required scopes, which depend on your role and the task you want to complete.
- If the destination organization uses SAML single sign-on for {% data variables.product.prodname_dotcom %}, you must authorize the {% data variables.product.pat_generic %} for SSO.
- On Bitbucket Server, required permissions and SFTP or SMB access
Additionally, if you use IP allow lists in the destination organization, you may need to configure the allow lists to allow access by {% data variables.product.prodname_importer_proper_name %}.
{% data reusables.enterprise-migration-tool.about-the-migrator-role %}
For the destination organization on {% data variables.product.prodname_dotcom %}, different roles are required for different tasks.
{% data reusables.enterprise-migration-tool.gei-required-roles %}
To run a migration, you need a {% data variables.product.pat_generic %} that can access the destination organization on {% data variables.product.prodname_dotcom %}.
{% data reusables.enterprise-migration-tool.github-pat-required-scopes %}
To migrate from Bitbucket Server, you need:
- The username and password of a Bitbucket Server account that has admin or super admin permissions
- If your Bitbucket Server instances runs on Linux, SFTP access to the Bitbucket Server instance (see SSH keys). In general, if you can access the server via SSH, then you can also use SFTP.
- If your Bitbucket Server instance runs on Windows, file sharing (SMB) access to the Bitbucket Server instance
If your Bitbucket Server instance runs on Linux, you must use an SSH key that meets the following requirements:
- Does not have a passphrase
- Uses one of the following ciphers
aes256-ctr3des-cbcaes128-cbcaes192-cbcaes256-cbcblowfish-cbctwofish-cbctwofish192-cbctwofish128-cbctwofish256-cbcarcfourarcfour128arcfour256cast128-cbcaes128-ctraes192-ctr
If you receive an error like cipher name aes256-ctr for openssh key file is not supported when running a migration, your SSH private key uses an unsupported cipher. For more information about how to generate a compatible private key, see AUTOTITLE.
To allow someone other than an organization owner to run a migration or download migration logs, you can grant the migrator role to a user or team. For more information, see About the migrator role.
You can grant the migrator role using either the {% data variables.product.prodname_bbs2gh_cli %} or the GraphQL API.
- Granting the migrator role with the {% data variables.product.prodname_bbs2gh_cli_short %}
- Granting the migrator role with the GraphQL API
To grant the migrator role using the CLI, you must have installed the {% data variables.product.prodname_bbs2gh_cli %}. For more information, see AUTOTITLE.
-
On {% data variables.product.prodname_dotcom %}, create and record a {% data variables.product.pat_generic %} that meets all the requirements for granting the migrator role. For more information, see Creating a {% data variables.product.pat_generic %} for {% data variables.product.prodname_importer_proper_name %}. {% data reusables.enterprise-migration-tool.grant-migrator-role-pat %}
-
Use the
gh bbs2gh grant-migrator-rolecommand, replacing ORGANIZATION with the organization you want to grant the migrator role for, ACTOR with the user or team name, and TYPE withUSERorTEAM.gh bbs2gh grant-migrator-role --github-org ORGANIZATION --actor ACTOR --actor-type TYPE
{% data reusables.enterprise-migration-tool.grant-migrator-role-ghecom %}
{% data reusables.enterprise-migration-tool.grant-migrator-role-graphql %}
Creating a {% data variables.product.pat_generic %} for {% data variables.product.prodname_importer_proper_name %}
{% data reusables.enterprise-migration-tool.creating-a-pat-steps %}
If the destination of your migration uses an IP allow list (either {% data variables.product.company_short %}'s IP allow list feature or your identity provider's (IdP) IP allow list restrictions), you need to configure IP allow lists on {% data variables.product.prodname_dotcom %}.
- If you use {% data variables.product.company_short %}'s IP allow list feature, you must add the {% data variables.product.prodname_dotcom %} IP ranges below to the allow list for the destination organization.
- If you use your IdP's IP allow list to restrict access to your enterprise on {% data variables.product.prodname_dotcom %}, you should disable these restrictions in your enterprise account settings until after your migration is complete.
For more information, see AUTOTITLE and AUTOTITLE.
{% data reusables.enterprise-migration-tool.identifying-githubs-ip-ranges %}
{% data reusables.enterprise-migration-tool.ip-ranges-ghecom %}
In addition, if you are using a blob storage account with firewall rules:
{% data reusables.enterprise-migration-tool.extra-requirements-storage %}