Skip to content
Latchkey

How to Use Secured Variables in Bitbucket Pipelines

Variables defined in repository, deployment, or workspace settings appear as environment variables; marking one secured masks its value in logs.

Define variables in Repository settings, on a deployment environment, or at the workspace level, then reference them as $NAME in script:. Secured variables are hidden in the UI and masked in logs.

Steps

  • Add the variable under Repository settings to Repository variables (or workspace/deployment).
  • Tick Secured for any secret so its value is masked.
  • Reference it in scripts as $NAME.

bitbucket-pipelines.yml

bitbucket-pipelines.yml
pipelines:
  default:
    - step:
        name: Publish
        script:
          - echo "Publishing as $NPM_USER"
          - npm config set //registry.npmjs.org/:_authToken $NPM_TOKEN
          - npm publish

Gotchas

  • Precedence is deployment, then repository, then workspace; the most specific scope wins.
  • A secured value is masked only if it appears verbatim; do not base64 or split it in logs.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →