How to Use Secured Variables in Bitbucket Pipelines
Variables defined in repository, deployment, or workspace settings appear as environment variables; marking one secured masks its value in logs.
Define variables in Repository settings, on a deployment environment, or at the workspace level, then reference them as $NAME in script:. Secured variables are hidden in the UI and masked in logs.
Steps
- Add the variable under Repository settings to Repository variables (or workspace/deployment).
- Tick Secured for any secret so its value is masked.
- Reference it in scripts as
$NAME.
bitbucket-pipelines.yml
bitbucket-pipelines.yml
pipelines:
default:
- step:
name: Publish
script:
- echo "Publishing as $NPM_USER"
- npm config set //registry.npmjs.org/:_authToken $NPM_TOKEN
- npm publishGotchas
- Precedence is deployment, then repository, then workspace; the most specific scope wins.
- A secured value is masked only if it appears verbatim; do not base64 or split it in logs.
Related guides
How to Track Deployments With Environments in Bitbucket PipelinesMark a Bitbucket Pipelines step as a deployment with the deployment key so it shows up in the Deployments das…
How to Build and Push a Docker Image in Bitbucket PipelinesBuild a Docker image in Bitbucket Pipelines by enabling the docker service for a privileged daemon, then push…