Team Secrets for Jira Server - Using a Custom S3 Bucket

NOTE: this feature and these instructions apply only to the Server version of Jira, not the Cloud/hosted version provided by Atlassian.

Team Secrets for Jira lets you to store encrypted secrets in an AWS S3 bucket of your choosing.  Simply create a new bucket and apply the policies listed below, then configure the custom S3 bucket in Jira to enable this feature.

1. Log into your company’s AWS S3 Management Console

2. Click on “Create bucket” to create a new bucket - NOTE: we recommend creating a new bucket and NOT using an existing bucket to avoid unwanted data impact.

NOTE: you are responsible to AWS for any costs and fees associated with this S3 bucket, including storage charges.  For more details, see Cloud Storage Pricing.



3. Choose a bucket name that follows your organization’s naming conventions - NOTE: it must be unique across all existing bucket names in S3.


4. Select the region where you want the bucket to be located.


5. Do not provide any inputs in the “Copy settings from an existing bucket” section and click “Next”.



6. On the “Set properties” tab, scroll down and select “Default encryption”. choose “AES-256” then click “Save”, then “Next”.

NOTE: Because Team Secrets uploads are already encrypted, this step is optional, but highly recommended.  For more details, see: Amazon S3 Default Encryption for S3 Buckets



7. Leave all settings on the “Set permissions” tab as default and click "Next"



8. Confirm your settings on the “4. Review” tab and click “Create bucket”



9. Confirm you can see the new bucket in your S3 console and that the Access column shows “Not public”.


10. Make note of the bucket name and region as we will need these details when configuring Jira.




11. Click on the bucket name to view the bucket details.  You should see an empty bucket.



12. Click on the “Permissions” tab.


13. Click on “Bucket Policy” and paste in the following bucket policy:

NOTE: This bucket policy gives a specific IAM user from the Team Secrets AWS account access to Get, Put, and Delete objects in this bucket. This user will not be able to access any other buckets or services in your AWS account. For more details on bucket policies, refer to: Using Bucket Policies and User Policies

Make sure you replace [YOUR_BUCKET_NAME] with your actual bucket name.

Click “Save”.


    "Version": "2012-10-17",
    "Id": "Policy1511782738232",
    "Statement": [
            "Sid": "Stmt1511782736332",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::438365261431:user/team-secrets-customer-s3-access"
            "Action": [
            "Resource": "arn:aws:s3:::[YOUR_BUCKET_NAME]/*"


14. Click “CORS configuration” and add the following policy:

NOTE: This configuration ensures that API calls can be made from Jira to S3 since the domain of your Jira instance and your S3 bucket will be different.  For more details on CORS refer to: Cross-Origin Resource Sharing (CORS)

Click “Save”


15. All remaining settings for the bucket can remain as set by default.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="">


16. In your Jira instance, click the gear icon and choose “Add-ons”

17. Select “Manage add-ons” from the left menu.

18. Click “Team Secrets for Jira” and then choose “Configure”


19. Select the “Store encrypted secrets in a custom S3 bucket” checkbox.


20. Enter the “Bucket name” and select the “Region” from the dropdown.  For more details on regions, see: Regions and Availability Zones


21. Click “Save”. If everything is configured properly, you’ll see a message that says “Your custom S3 settings have been saved and validated.”


Team Secrets for Jira is now configured to store secrets in your custom S3 bucket!

If you have questions, issues or feedback, please contact us at