AWS and Pipelines Variable Precedence
Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.
Summary
- This article describes the precedence of AWS variables and how that hierarchy relates to variables used within Bitbucket Cloud Pipelines builds
- When AWS commands are used to define or reference a variable within a Pipelines build, the build can return an error instead of the expected output because the variable has conflicting values in Pipelines and AWS
AWS Variable Precedence
As per the official AWS documentation, the hierarchy of AWS variables from highest to lowest precedence is as follows:
Pipelines Variable Precedence
In a Bitbucket Cloud Pipelines build, all variables defined in Bitbucket Cloud act as environment variables: they are pulled from your settings and operate within your build. Their hierarchy, from highest to lowest precedence, is as follows:
- Workspace variables - these can be used by the builds of any repository within your workspace; they override repository variables of the same name
- Repository variables - these can only be used by the specific repository that they are configured on; they override deployment variables of the same name
- Deployment variables - these can only be used by the specific repository build environment that they are configured on
Therefore, Bitbucket Cloud variables operate at the second-highest level of precedence in relation to the AWS variable hierarchy and will override anything configured below this level.
Further information regarding variables in Bitbucket Cloud can be found in our Variables and secrets documentation, which provides useful information for implementing these within your workspace.
Example Scenarios/Solutions
With reference to the documentation above, here are some scenarios that may arise when working with AWS variables in Bitbucket Cloud Pipelines.
Scenario #1 - The user has configured the CLI credentials file but the variable value is incorrect and has caused the build to fail
- In this example, the user configured AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_REGION as pipelines repository variables.
- The user was executing the aws configure set command in their pipelines build configuration to assign a different value to their AWS-equivalent variables (aws_access_key_id, aws_secret_access_key, region)
- The build failed because the commands that followed used the values already assigned to the pipelines repository variables, as these act as environment variables
- With reference to the AWS hierarchy listed above, environment variables take precedence over the CLI credentials file, so the repository variable values were used
Scenario #2 - The user has configured a deployment variable but the variable value is incorrect and has caused the build to fail
- In this example, the user had AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY configured as pipelines deployment variables on their "dev" environment, as each environment required different credentials based on its respective AWS ECS implementation
- The user was executing the build with reference to their AWS-equivalent variables (aws_access_key_id, aws_secret_access_key) for authentication but did not use a CLI credentials file
- The build failed as the user did not define the "dev" environment in their pipeline build configuration for that particular build step
- With reference to the hierarchy listed above, neither an environment variable nor a CLI credentials file could be found, and the build failed as a result
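A pre-flight check for a build step that distinguishes the two scenarios above. This is an added example, not Atlassian's code: the function names and output labels are constructed here, and it assumes only the default profile and the two credential sources this article discusses.

```shell
#!/bin/sh
# Added example, not Atlassian's code. Helper names and labels are constructed.
# Considers only the default profile and the two sources this article discusses:
# environment variables (Pipelines variables) and the CLI credentials file.

# Print the aws_access_key_id stored under [profile] in a credentials file.
file_key_id() {  # $1 = credentials file path, $2 = profile name
    [ -r "$1" ] || return 0
    awk -v want="[$2]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_p = ($0 == want); next }
        in_p && /^[ \t]*aws_access_key_id[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print which source supplies the access key for this step:
#   env-shadows-file  env var is set and differs from the file (Scenario #1)
#   env               env var is set, no conflicting file entry
#   file              only the credentials file has a key
#   none              neither source has a key (Scenario #2)
aws_cred_source() {
    cred_file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    from_file="$(file_key_id "$cred_file" default)"
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
        if [ -n "$from_file" ] && [ "$from_file" != "$AWS_ACCESS_KEY_ID" ]; then
            echo "env-shadows-file"
        else
            echo "env"
        fi
    elif [ -n "$from_file" ]; then
        echo "file"
    else
        echo "none"
    fi
}

# Report the source without printing any credential value.
echo "AWS credential source: $(aws_cred_source)"
```

Run it after any aws configure set call in the step: env-shadows-file means the Pipelines variable values will be used instead of the ones just written, and none means the step has no deployment environment or credentials file supplying a key.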
If you are still encountering issues when working with AWS and Bitbucket Cloud Pipelines variables after reading the above - please feel free to raise a support ticket or raise a community support ticket for further assistance.