How to Use a Secured Deployment Variable in Bitbucket Pipelines
Define the secret as a secured variable on the deployment environment; it is masked in logs and only visible to steps that use deployment: for that environment.
Secured variables are write-only and masked in the build log. Defining one on a deployment environment (rather than the repository) also scopes it, so the staging step cannot read the production secret.
Steps
- Open Repository settings to Deployments and pick an environment.
- Add a variable, check Secured, and save the secret value.
- Reference it as
$NAMEin a step that setsdeployment:to that environment. - Never echo it; Bitbucket masks known secured values automatically.
Pipeline
bitbucket-pipelines.yml
pipelines:
branches:
main:
- step:
name: Deploy with secret
deployment: production
script:
- curl -sf -H "Authorization: Bearer $DEPLOY_TOKEN" https://api.example.com/deploy
- echo "Deploy triggered (token masked in logs)"Gotchas
- Masking only matches the exact stored value; do not base64 or transform it before logging.
- A secured deployment variable is only available to steps that name that environment.
- Secured variables are write-only in the UI; you cannot read them back, only overwrite.
Related guides
How to Deploy Through Test, Staging, and Production Environments in Bitbucket PipelinesPromote a build through test, staging, and production in Bitbucket Pipelines using the deployment key on each…
How to Run Database Migrations Before a Deploy in Bitbucket PipelinesRun database migrations before the deploy step in Bitbucket Pipelines so the schema is updated first and a fa…