Connect Jira Cloud

This page describes how to connect Jira Cloud to Agentspace.

After you set up your data source and import data the first time, the data store syncs data from that source at a frequency that you select during setup.

Supported versions

The Jira Cloud connector supports version 2 of the JIRA Cloud REST API.

Before you begin

Before you set up your connection, do the following:

  • Verify that you have Jira organization administrator access to the Jira instance and project. With the administrator access, you can set up minimum permissions and provide access privileges to user groups. For information about how to verify Jira organization administrator access, see Verify Jira organization administrator access.

  • (Optional) To retrieve user email addresses from Jira Cloud, even when settings restrict email visibility, install the User Identity Accessor for Jira Cloud app. You must be a Jira Site administrator to install and configure this app. After you install the app, configure it to securely retrieve user email addresses. You might not need to install this app if email addresses are already publicly accessible.

  • To enforce data source access control and secure data in Agentspace, ensure that you have configured your identity provider.

  • To enable OAuth 2.0 and obtain the client ID and secret, see OAuth 2.0 (3LO) apps in the Atlassian developer documentation.

Verify Jira organization administrator access

  1. Login to Atlassian with your user credentials.

  2. Select a Jira app.

    Atlassian home page
    Atlassian home page

  3. Click Settings.

If you see the System option, then you have Jira organization administrator access. Otherwise, request your Jira organization administrator to provide access.

Settings
Settings

Create an OAuth 2.0 integration

  1. Sign in to the Atlassian Developer Console.

  2. Click the profile icon and select Developer console.

    Select developer console
    Select Developer console

  3. Click Create and select OAuth 2.0 Integration.

    Select OAuth 2.0 Integration
    Select OAuth 2.0 Integration

  4. Enter a name for the app.

  5. Select the checkbox to agree to Atlassian's developer terms.

  6. Click Create.

    Create OAuth 2.0
    Create a new OAuth 2.0 Integration

  7. Click Authorization.

  8. In the Authorization type table, select Add for OAuth 2.0 (3LO).

    select-add
    Add authorization type

  9. In the Callback URL field, enter https://vertexaisearch.cloud.google.com/console/oauth/jira_oauth.html.

  10. Click Save changes.

    Save changes
    Save changes

Configure the minimum permissions required for the application

  1. On the application page, click Permissions.

    Select permissions
    Select Permissions

  2. Go to Jira API and click Add.

  3. Click Configure.

  4. Go to the Classic scopes tab.

  5. Click Edit scopes and select the following permissions:

    • read:jira-user
    • read:jira-work

    Edit classic scopes
    Edit Classic scopes

  6. Confirm that the two scopes are selected, and then save your changes.

  7. Go to the Granular scopes tab.

  8. Click Edit scopes and select the following permissions:

    • read:issue-security-level:jira
    • read:issue-security-scheme:jira
    • read:group:jira
    • read:user:jira
    • read:avatar:jira
    • read:audit-log:jira

    Edit granular scopes
    Edit Granular scopes

Minimum permissions

The following tables list the minimum permissions required to create a Jira Cloud connector.

Classic scopes

Permission Usage reason Description
read:jira-work Data ingestion Allows the connector to read details of entities (including issues, attachments, comments, and properties).
read:jira-user Enforce Access Control Lists (ACLs) Allows the connector to read user and group details.

Granular scopes

Permission Usage reason Description
read:issue-security-level:jira Enforce ACLs Enables enforcement of ACLs for issues based on their specific issue security levels.
read:issue-security-scheme:jira Enforce ACLs Enables enforcement of ACLs for issues based on their associated issue security schemes.
read:group:jira Enforce ACLs Allows the connector to read group information in order to enforce ACLs related to group memberships.
read:user:jira Enforce ACLs Allows the connector to read user information in order to enforce ACLs related to individual user permissions.
read:avatar:jira Enforce ACLs Allows the connector to read user and group information to enforce ACLs. Avatar is not used, but is part of the granular scopes that are bundled with groups and users.
read:audit-log:jira Monitor ACLs Allows the connector to read Jira's audit log for ACL verification and monitoring.

Obtain a client ID and client secret

  1. Click Distribution and select Edit.
  2. Select Sharing to enable editing other fields.
  3. Fill out the remaining fields:
    1. For Vendor, enter Google.
    2. For Privacy policy, enter https://policies.google.com.
    3. For Does your app store personal data?, select Yes.
    4. Select I confirm that I've implemented the personal data reporting API checkbox. For more information, see Personal data reporting API.
      Edit distribution
      Edit Distribution

  4. Click Save changes.

  5. Click Settings to copy your Client ID and Client secret.

    Copy client ID and client secret
    Copy your client ID and client secret

Obtain an instance ID and instance URL

  1. Obtain the instance ID:

    1. Open a new tab, copy the instance URL, and append /_edge/tenant_info to the instance URL. For example, https://YOUR_INSTANCE.atlassian.net/_edge/tenant_info.

    2. Navigate to the link to find the cloudId value. The cloudId is your instance ID.

      select
      Obtain your instance ID

  2. Obtain the instance URL:

    1. Go to atlassian.net and sign in with your administrator account.
    2. Select the app you want to sync. For example, sync the first app.
    3. Find the instance URL (the subdomain in the address bar).

Manage user visibility and grant roles

To set the email visibility in the Atlassian account, do the following:

  1. Sign in to the Atlassian Developer Console.

  2. Click the profile icon and select Developer console.

  3. Click the user profile icon and select Manage account.

    manage-account
    Manage account

  4. Navigate to the Profile and visibility.

    profile-visibility
    Profile and visibility

  5. Go to Contact and set the Who can see this as Anyone.

    contact
    Contact

To set the email visibility in the Jira administrator account, do the following:

  1. Sign in to Atlassian with your user credentials.

  2. Select a Jira app.

  3. Click Settings > System.

  4. Select General Configuration in the left pane.

  5. Click Edit Settings.

  6. For User email visibility, select Public.

    select email visibility
    Select email visibility

  7. Click Update.

To grant the Jira administrator the Discovery Engine Editor role in the Google Cloud console, do the following:

  1. In the Google Cloud console, go to the Agentspace page.

  2. Navigate to IAM.

    Go to IAM

  3. Locate the user account which has administrator access in Jira and click the Edit icon .

  4. Grant the Discovery Engine Editor role to the administrator.

To grant a user an administrator role in Atlassian, do the following:

  1. Sign in to Atlassian using an organization administrator account.

  2. Click the menu icon and select your organization. Alternatively, you can go to admin.atlassian.com.

  3. On the Admin page, click the product and select the Manage users button.

    manage-users
    Manage users

  4. Click Groups under User management.

  5. On the Groups page:

    1. Click Create group.
    2. Enter a name for the group.

    create-group
    Create group

This group receives permissions required by the connector. Users added to this group inherit these permissions.The connector uses this group to authenticate and fetch documents.

  1. On the group page, click Add product.

  2. Select User access admin as the role for Jira.

  3. Select Product admin as the role for Jira administration.

    jira-user-access-admin
    Jira user access administrator

  4. Click Grant Access.

  5. Click Add group members to add a user account or group members that the connector uses to authenticate and access the required resources.

    add-group-members
    Add group members

Install and configure User Identity Accessor for Jira Cloud

If user email addresses aren't publicly accessible by default due to privacy settings in Jira Cloud, you must install the User Identity Accessor for Jira Cloud app to securely retrieve user email addresses. If user email addresses are already publicly visible, you might not need to install the app. For more information about restricted email visibility, see Manage user visibility and grant roles.

Roles and permissions

To install and configure the User Identity Accessor for Jira Cloud app, you must have the appropriate administrative role and grant the required app-level permissions.

  • Required role: You must be a Jira Site administrator to install and configure the app.
  • App-level permissions: You must grant the following permissions during the app installation:
    • Read Email Address: Allows the app to securely retrieve user email addresses, even when profile visibility is restricted.
    • App Storage scope: Enables the app to read and write to its storage device.

Install User Identity Accessor for Jira Cloud

To install the User Identity Accessor for Jira Cloud app on your Jira Cloud site, follow these steps:

  1. Navigate to Atlassian Developer Console.

  2. Review the Read Email Address and App Storage scope permissions and click Get app.

    configure-uia-button-jira
    Review permissions and get app

  3. From the Select a site to install this app on list, select the Jira site where you want to install the app. This list displays only the sites for which you have administrator access.

    Note: You must be an administrator of at least one Jira site to install the app.

  4. Click Install to complete the app installation.

Configure User Identity Accessor for Jira Cloud

After you've installed the User Identity Accessor for Jira Cloud app, configure an API key that your external system (for example, your Jira Cloud Connector) uses to securely call the app's web trigger to fetch emails.

Access the configuration page

To access the User Identity Accessor for Jira Cloud app's configuration page, follow these steps:

  1. In your Jira Cloud instance, click the Settings ⚙️ icon in the navigation menu.
  2. Select Apps from the menu.
  3. On the Apps administration page, locate your app, User Identity Accessor for Jira Cloud, in the Manage apps list.

  4. Click Configure or the link associated with your app. The app's dedicated configuration page opens within Jira Cloud.

    configure-uia-button-jira
    Configure the User Identity Accessor for Jira Cloud app

Set up the API key

To set up the API key on the configuration page, follow these steps:

  1. In the API Key Configuration section, specify the secret key for authenticating requests to the app's webtrigger. You can authenticate requests using either of the following methods:

    • Enter your own key: Type or paste your own strong, unique API key into the API Key field. Use a key of at least 20–30 characters with a mix of uppercase letters, lowercase letters, numbers, and symbols.

      save-key
      Enter your own key

    • Generate a key: Click the Generate New Key button. The system generates and displays a strong, random key in the field.

      generate-key
      Generate a key

      Important: Immediately copy the API key displayed in the field. For security reasons, you might be unable to view the full key again after saving or navigating away. If lost, you need to set or generate a new one.

  2. Click Save API Key. A success message confirms that the key is securely saved.

Test the app configuration

Verify if the User Identity Accessor for Jira Cloud app is configured correctly by sending a request from your external system and confirming that user email addresses are returned successfully.

Get the webtrigger URL
  1. On the Apps administration page, locate the Webtrigger URL section, which displays the unique URL specific to your Jira site and this app installation:
    • Your external system must call this URL to request user emails.
    • The URL typically looks like: http://uuid/domain.net/x1/randomId. For example, https://YOUR_INSTANCE_ID.hello.atlassian-dev.net/x1/WEBTRIGGER_ID, where YOUR_INSTANCE_ID is your Jira Cloud instance identifier and WEBTRIGGER_ID is the unique identifier for the webtrigger endpoint generated for your app.
  2. Click the Copy URL button or copy the entire URL.
Configure your external system

  • Configure your external system that needs to fetch Jira user emails with the API key and webtrigger URL obtained in the previous steps.

  • Endpoint URL: The webtrigger URL you copied.

  • HTTP Method: POST

  • Required Headers:

    • Content-Type: application/json

    • X-Api-Key: YOUR_API_KEY

      Replace YOUR_API_KEY with the API key you set or generated in the Set up the API key section.

Example curl command

This example demonstrates calling the User Identity Accessor for Jira Cloud webtrigger, which accepts an array of account IDs and returns the email addresses.

curl --location --request POST 'https://YOUR_INSTANCE_ID.hello.atlassian-dev.net/x1/ENDPOINT_PATH' \
--header 'X-Api-Key: YOUR-API-KEY' \
--header 'Content-Type: application/json' \
--data-raw '{
   "accountIds": [
       "ACCOUNT_ID_1",
       "ACCOUNT_ID_2"
   ]
}'

Replace:

  • YOUR_INSTANCE_ID with your Jira Cloud instance ID
  • ENDPOINT_PATH with the API endpoint path
  • YOUR_API_KEY with the API key you set or generated in the Set up the API key section
  • ACCOUNT_ID with Atlassian account IDs you want to target
Expected response
[{"accountId":"ACCOUNT_ID_1","emailAddress":"EMAIL_ADDRESS_1"},
 {"accountId":"ACCOUNT_ID_2","emailAddress":"EMAIL_ADDRESS_2"}]

Replace:

  • ACCOUNT_ID_X with actual Atlassian account IDs
  • USER_EMAIL_X with user email addresses returned from your API call

Implement security best practices

To confirm the security of your API key, follow these recommendations:

  • Store the API key securely within your Jira Cloud Connector's configuration.
  • Verify that all communication with the webhook URL occurs over HTTPS. This is the default for User Identity Accessor for Jira Cloud webtriggers.

Support for User Identity Accessor for Jira Cloud

Support offerings are available from Google for the User Identity Accessor for Jira Cloud app that can include maintenance and regular updates to keep the app up-to-date. If you encounter any issues or have questions specific to the app functionality, contact Google Cloud Support. For more information, see Getting Cloud Customer Care.

Create a Jira Cloud data store

Console

To use the Google Cloud console to sync data from Jira Cloud to Agentspace, follow these steps:

  1. Sign in to the Atlassian site as a user with organization administrator credentials.

  2. In the Google Cloud console, go to the Agentspace page.

    Agentspace

  3. In the navigation menu, click Data Stores.

  4. Click Create data store.

  5. On the Select a data source page, scroll or search for Jira Cloud to connect your third-party source and click Select.

  6. In the Authentication settings section, enter the Instance URI, Instance ID, Client ID, and Client secret.

  7. Click Login.

  8. Select the site on which the app will be used, and click Accept.

    Choose site
    Choose a site on which to use the app

  9. Click Continue.

  10. In the Advanced options section:

    • Optional. To allow a set of static IP addresses in your system, select Enable Static IP Addresses for registration.

    • In the Max QPS field, enter an integer to define the maximum queries per second to be sent to your Jira Cloud instance. The default value is 12 QPS.

    • In the Jira Identity Sync Forge URL field, enter the URL generated by the User Identity Accessor for Jira Cloud app.

    • In the Jira Identity Sync Forge Client Secret field, enter the client secret configured in the User Identity Accessor for Jira Cloud, which is the API key you generated or created in the Set up the API key section.

    • Click Continue.

  11. In the Entities to sync section, select the entities you want to sync from the following:

    • Issue

    • Attachment

    • Comment

    • Worklog

  12. To filter entities out of the index or ensure that they are included in the index, click Filter.

    Specify filters to include or exclude entities
    Specify filters to include or exclude entities.

  13. Click Save.

  14. Click Continue.

  15. Select the Sync frequency for Full sync and the Incremental sync frequency for Incremental data sync. For more information, see Sync frequency.

    If you want to schedule separate full syncs of entity and identity data, expand the menu under Full sync and then select Custom options.

    Custom options for full data sync.
    Setting separate schedules for full entity sync and full identity sync.

  16. Click Continue.

  17. In the Configure your data connector section:

    1. Select a region for your data store. You cannot change the region later. For more information on multi-regions, see AI Applications locations.

    2. Enter a name for your data connector. You can change the name later.

    3. Optional. To change the data connector ID after entering the name, click Edit and change the value. You cannot change the data connector ID after creating the data store.

    4. Click Create. Agentspace creates your data store and displays it on the Data Stores page.

To check the status of your ingestion, go to the Data stores page and click your data store name to see details about it on its Data page. The Connector state changes from Creating to Running when it starts synchronizing data. When ingestion is complete, the state changes to Active to indicate that the connection to your data source is set up and awaiting the next scheduled synchronization. Depending on the size of your data, ingestion can take several minutes or several hours.

For detailed information on quotas, including default limits and instructions to request higher quotas, see the Quotas and limits.

Enable real-time sync

To enable real-time sync for a Jira Cloud data source connector, follow these steps:

Generate a webhook URL

  1. Navigate to the Agentspace page, and in the navigation menu, click Data Stores.
  2. Select a Jira Cloud data store.

  3. Click View/Edit in the Realtime sync row.

    Jira cloud Realtime sync
    Realtime sync : Disabled state

  4. In the View and edit realtime sync parameters dialog, do the following:

    1. To turn on real-time sync, click the Enable realtime sync toggle.
    2. Enter a value in the Client secret field and copy it. You need this value again when creating a webhook in the Jira administration console.
    3. Click Save.
      Jira cloud enable realtime sync
      Enable real-time sync

  5. After the status of Realtime sync changes to Running, click View/Edit.

    Running
    Realtime sync : Running state

  6. In the View and edit realtime sync parameters dialog, do the following:

    1. Copy the Webhook URL.
    2. Click Close.
      Jira cloud copy webhook URL
      Copy webhook URL

Create a webhook

  1. Sign in to the Jira administration console.
  2. Click Settings and select System.
  3. In the System settings pane, select Webhooks.
  4. Click Create a webhook. For information about webhooks, see Webhooks.
  5. Enter a name for the webhook.
  6. Select the Status as Enabled.
  7. In the URL field, paste the URL copied from Agentspace and append /{issue.id}.

  8. In the Secret field, enter the same value you entered when generating a webhook URL in Agentspace.

    Jira admininstrator seup Webhook
    Webhooks

  9. In the Issue related events section, select the following options:

    Entities Created Updated Deleted
    Issue Yes Yes Yes
    Worklog Yes Yes Yes
    Comment Yes Yes Yes
    Attachment Yes No Yes

    Jira administrator issue related events
    Issue related events

  10. In the Project related events section, select the created, updated, and deleted checkboxes for the Project entity.

  11. Click Create.

Error messages

The following table describes the common error messages, their descriptions, and possible solutions when connecting Jira Cloud with Agentspace.

Error code Error message Description Troubleshooting
JIRA_INVALID_AUTH_1 OAuth setup failed. A token refresh call encountered a problem, possibly related to credentials, the secret manager, or connectivity. Exception details are provided in the full error message. Possible causes and solutions include:
  • Connectivity issues: These generally resolve through internal retries.
  • Invalid credentials: Verify or correct the credentials.
JIRA_INVALID_AUTH_2 Authentication failed. The connector cannot authenticate with Jira Cloud because the user account lacks sufficient API access. Re-authenticate the datastore using administrator credentials.
JIRA_MISSING_PERMISSION_1 Non-admin users are not authorized to get the issue security schemes. A user account without administrator privileges attempted to retrieve the issue security schemes. Grant the necessary administrator permissions to the user account.
JIRA_MISSING_PERMISSION_2 Non-admin users cannot get permission schemes. A user account without administrator privileges attempted to retrieve permission schemes. Grant the necessary administrator permissions to the user account.
JIRA_MISSING_PERMISSION_3 Problem while fetching project permissions. A user account without administrator privileges attempted to retrieve project details. Grant the necessary administrator permissions to the user account.
JIRA_IO_CONNECTION Problem while connecting to Jira. The connector fails to connect to your Jira Cloud instance, indicating a general inability to establish or maintain communication with the Jira server. Verify your Jira URL and cross check your authentication credentials. Verify your Jira instance is operational and your API token or OAuth scopes grant the necessary permissions.
JIRA_INVALID_INSTANCE_ID Failed to fetch the required details from your Jira instance. Please check your Jira Instance ID. The Jira Instance ID must be a UUID. The system fails to retrieve necessary details from your Jira instance because the provided Jira Cloud instance ID is invalid. The Jira Instance ID must be a UUID. Ensure the instance ID you entered is a correct UUID.

Known limitations

  • For unstructured data, each media type has different restrictions. For more information, see Prepare data for custom data sources.

  • For structured data, each document must not exceed 500 KB in size.

  • Application roles with specific, non-empty roles are not supported when granting "Browse project" or security level permissions.

  • Document permissions determined by user custom fields or group custom fields are not supported.

  • Jira Cloud does not allow any restrictions on worklog levels.

  • Attachments added to private comments don't inherit the access restrictions (ACLs) on the comments.

  • Only the previous 20 comments for an issue in Jira Cloud are fetched.

  • The legacy user management model is not supported for integration with Jira Cloud. Only the centralized user management model is supported. For more information, see Atlassian Organization consolidation guide.

Next steps