How to safely export secured variables in bitbucket cloud pipelines

Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.

Summary

Once a variable is secured, its value can no longer be viewed or edited in the repository settings, and Bitbucket masks it in the pipeline build logs: the variable can only be given a new value or be deleted. This is the recommended behaviour. There are, however, use cases where you need to view or export the value of a secured variable. This article describes a reasonably safe way to export secured variables from Bitbucket Pipelines.

Solution

Both solutions write the variable values to a file inside the build container and upload that file somewhere it can be read. The difference between the two is where the file is stored.

Solution 1: Create a new branch and add a bitbucket-pipelines.yml file. The pipeline step contains script commands that copy the variable values into a text file and upload it to a storage solution, such as Amazon S3 or a hosted artifact repository like JFrog Artifactory.

In the sample pipeline below, the value of the secured variable ${AWS_SECRET_ACCESS_KEY} is written to a file called "secrets", which is then uploaded as an artifact to a JFrog Artifactory repository. The Artifactory credentials are stored in the pipeline variables ${ARTIFACTORY_USERNAME} and ${ARTIFACTORY_PASSWORD} (a hyphen is not allowed in a shell variable name, so a variable called app-password would not expand). Use an https URL so the secret and the credentials are not sent in the clear, and avoid curl -v, which prints request details into the build log.

pipelines:
  default:
    - step:
        script:
          - echo "${AWS_SECRET_ACCESS_KEY}" > secrets
          - curl -sSf --user "${ARTIFACTORY_USERNAME}:${ARTIFACTORY_PASSWORD}" --data-binary @secrets -X PUT "https://<artifactory-server>/artifactory/abc-snapshot-local/remotepath/remotefile"

Once the file has been downloaded, delete it from Artifactory, delete the ${ARTIFACTORY_USERNAME} and ${ARTIFACTORY_PASSWORD} pipeline variables, and delete the pipeline build logs. Since the pipeline YAML configuration changes are still tracked through commits, it is recommended that the newly created branch is deleted as well.

Solution 2: Create a new branch and add a bitbucket-pipelines.yml file. The pipeline step contains script commands that copy the variable values into a text file and upload it to the "Downloads" section of the repository.

In the sample pipeline below, the value of the secured variable ${AWS_SECRET_ACCESS_KEY} is written to a file called "secrets" and uploaded to the "Downloads" section of a private repository through the Bitbucket REST API endpoint "https://api.bitbucket.org/2.0/repositories/<workspace>/<repo-slug>/downloads". The request authenticates with a Bitbucket username and app password stored in the pipeline variables ${BB_USERNAME} and ${BB_APP_PASSWORD}.

pipelines:
  default:
    - step:
        script:
          - echo "${AWS_SECRET_ACCESS_KEY}" > secrets
          - curl -sSf -u "${BB_USERNAME}:${BB_APP_PASSWORD}" -X POST "https://api.bitbucket.org/2.0/repositories/<workspace>/<repo-slug>/downloads" -F files=@secrets

Download the exported file from the repository's Downloads section. Then delete the "secrets" file from Downloads, delete the authentication variables, and delete the pipeline build logs. Delete the branch to remove the tracked pipeline YAML configuration changes. Note that until the file is deleted, anyone with read access to the repository can fetch it from Downloads.
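As an added example (not code from the Atlassian article), the shell script below generalizes the single "echo ${VAR} > secrets" step used by both solutions to several secured variables, written as NAME=VALUE lines so they can be re-imported elsewhere. It creates the file mode 0600, refuses names that are not valid shell identifiers before using them in eval, and fails instead of uploading an empty file when a variable is unset. The pipeline variable names BB_USERNAME, BB_APP_PASSWORD, BB_WORKSPACE and BB_REPO_SLUG are assumptions for the example; Bitbucket does not define them.

```shell
#!/bin/sh
# Added example, not from the Atlassian article. Generalizes the single
# "echo ${VAR} > secrets" step to several secured variables and adds the
# checks the one-liner lacks. Assumed pipeline variable names (not defined
# by Bitbucket itself): BB_USERNAME, BB_APP_PASSWORD, BB_WORKSPACE, BB_REPO_SLUG.
set -eu

# write_secrets_file FILE NAME...
# Writes one NAME=VALUE line per secured variable named on the command line.
# Returns non-zero if a name is not a valid shell identifier or the variable
# is unset or empty, so a malformed or empty file is never uploaded.
write_secrets_file() {
  out="$1"; shift
  umask 077                       # the file is created mode 0600
  : > "$out"
  for name in "$@"; do
    case "$name" in
      '' | [0-9]* | *[!A-Za-z0-9_]*)
        echo "error: '$name' is not a valid variable name" >&2
        return 1 ;;
    esac
    eval "value=\${$name:-}"      # safe: name was validated just above
    if [ -z "$value" ]; then
      echo "error: $name is unset or empty" >&2
      return 1
    fi
    printf '%s=%s\n' "$name" "$value" >> "$out"
  done
  unset value
}

# upload_to_downloads FILE
# Uploads FILE to the Downloads section of the private repository over TLS.
# -f makes curl return non-zero on an HTTP error so the step fails visibly;
# -sS (rather than -v) keeps progress and request headers out of the build log.
upload_to_downloads() {
  curl -sSf -u "${BB_USERNAME}:${BB_APP_PASSWORD}" -X POST \
    "https://api.bitbucket.org/2.0/repositories/${BB_WORKSPACE}/${BB_REPO_SLUG}/downloads" \
    -F "files=@$1"
}

# Typical step body; left commented out so the functions can be sourced
# and exercised without network access:
# write_secrets_file secrets AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
# upload_to_downloads secrets
# rm -f secrets
```

In a pipeline step, source the script and call write_secrets_file with the names of the secured variables you need, followed by upload_to_downloads; the same file can be pushed to Artifactory with the PUT command from Solution 1 instead. Remove the local file before the step ends, and clean up the Downloads entry, the credential variables and the build logs exactly as described above.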

These methods let you track who exported the variables, through the commit that added the pipeline and the user who ran it, and because the files are deleted immediately after viewing, the window in which other repository members could read them is kept small.


Last modified on Jan 26, 2024
