Recommended practices for managing secret data in Bitbucket Pipelines

Platform Notice: Cloud - This article applies to Atlassian products on the cloud platform.


Summary

You may need to pass secret data (tokens, keys, credentials) into pipeline build steps, or hand such data from one build step to the next. This article describes the recommended ways to do that in Bitbucket Pipelines.

Solution

The following are the recommended practices for managing secret data (tokens, credentials, private keys) in pipeline steps.

Secured Variables:

  • In Bitbucket Pipelines you can secure a variable: it can be used in your scripts, but its value is masked in the build logs. Secured variables are stored as encrypted values, and once a variable is secured its value can no longer be viewed; you can only give it a new value or delete it. Secure a variable by clicking the padlock button when creating or editing it. Note that masking is a text substitution on the stored value, so a value your script transforms (decodes, splits, re-encodes) will appear in clear if it is printed; avoid printing secured variables or anything derived from them. Please refer to the Pipelines secured variables document for more details about configuring secured variables.

  • You can store tokens, credentials, or any other secrets as secured variables and use them across pipelines and build steps. Limitation: the combined length of all pipeline variable names and values must not exceed 120K characters.

  • Pipelines can generate an SSH key pair for the repository and add it to the build container for you; please refer to the linked document for details. If a pipeline needs more than one key, you can also use multiple existing keys by storing each private key (base64-encoded) as a secured variable and decoding it into a key file from the bitbucket-pipelines.yml file. Follow the steps in the document on using multiple SSH keys in your pipeline.
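The following bitbucket-pipelines.yml is an added example, not taken from this article or from Atlassian's documentation. It reads one secured variable (DEPLOY_API_TOKEN) and two private keys stored base64-encoded in the secured variables SSH_KEY_STAGING and SSH_KEY_PROD; the variable names, the hosts staging.example.com, prod.example.com and api.example.com, and the deploy user are all assumptions for illustration.

```yaml
# Added example (not from the Atlassian article): one step that uses a
# secured variable and two SSH private keys held as secured variables.
# DEPLOY_API_TOKEN, SSH_KEY_STAGING, SSH_KEY_PROD and all hosts are assumed.
image: atlassian/default-image:4

pipelines:
  default:
    - step:
        name: Deploy using secured variables and two SSH keys
        script:
          # Fail early if a required secured variable was not configured at
          # the repository, workspace or deployment level.
          - test -n "$DEPLOY_API_TOKEN" || { echo "DEPLOY_API_TOKEN is not set"; exit 1; }
          - mkdir -p ~/.ssh && chmod 700 ~/.ssh
          # Each key was stored as the base64 encoding of the private key file
          # (base64 -w 0 < key_file). Decode under a restrictive umask so the
          # key file is never readable by other users, even briefly.
          - (umask 077; echo "$SSH_KEY_STAGING" | base64 --decode > ~/.ssh/staging_key)
          - (umask 077; echo "$SSH_KEY_PROD" | base64 --decode > ~/.ssh/prod_key)
          # Record the servers' host keys instead of disabling host-key checking.
          # ssh-keyscan is trust-on-first-use; pinning the known public host keys
          # in a repository variable is stronger where you have them.
          - ssh-keyscan -H staging.example.com prod.example.com >> ~/.ssh/known_hosts
          # Bind each host to its own identity so ssh and git never offer the
          # wrong key to the wrong server.
          - printf 'Host staging.example.com\n  IdentityFile ~/.ssh/staging_key\n  IdentitiesOnly yes\n' >> ~/.ssh/config
          - printf 'Host prod.example.com\n  IdentityFile ~/.ssh/prod_key\n  IdentitiesOnly yes\n' >> ~/.ssh/config
          - chmod 600 ~/.ssh/config
          # Pass the token in a request header. Bitbucket masks the stored
          # value if it is ever printed, but only in exactly that form, so
          # never echo it or a transformed copy of it.
          - 'curl -fsS -H "Authorization: Bearer $DEPLOY_API_TOKEN" https://api.example.com/deploy/status'
          - ssh deploy@staging.example.com true
          - ssh deploy@prod.example.com true
          # Do not leave decoded private keys behind on the build container.
          - rm -f ~/.ssh/staging_key ~/.ssh/prod_key
```

The curl line is single-quoted at the YAML level only because it contains a colon followed by a space, which YAML would otherwise read as a mapping; the shell still expands $DEPLOY_API_TOKEN. Bitbucket echoes each script line to the log as written (unexpanded), which is why the secrets are referenced by variable name and never by value.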

Exchanging data (secrets or tokens) between build steps through Artifacts:

  • Files generated in a step can be shared with subsequent steps, or kept after the step completes, by declaring them as artifacts. There is currently no option to export an environment variable from one build step to another as a secret.
              Note: BCLOUD-20294 tracks a feature request to provide an option to share variables between pipeline steps.

  • If a token or other secret is generated within a step, it can be written to a file and exported as an artifact to share it with subsequent steps.
             Limitation: Artifacts are retained for 14 days after the step that produced them runs. Artifact files containing such data should therefore be deleted manually as soon as the pipeline completes.

  • Never export such tokens as plain text: encrypt the file before declaring it as an artifact (for example with a key that is itself held in a secured variable), so that the stored artifact alone is useless. Where the issuing system allows it, set the token expiry to the shortest value the build tolerates, at most about 5 minutes, so that the exported token is already invalid by the time the pipeline completes and the artifact's 14-day retention no longer matters.

  • If the token cannot be given an expiry, store it as a secured variable rather than exporting it. If you accidentally expose a token in a build log, download a copy of the log if you need it, delete the log from the pipeline, and treat the token as compromised and rotate it. If the token was exported as an artifact, delete the artifact as soon as the pipeline build completes.
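The two-step bitbucket-pipelines.yml below is an added example, not part of this article, showing the artifact handoff described in the bullets above with the token kept encrypted at rest. It assumes a secured variable ARTIFACT_KEY holding a long random passphrase (for example the output of openssl rand -base64 32), uses issue-short-lived-token as a placeholder for whatever command issues your token with a 300-second TTL, and targets an assumed host api.example.com.

```yaml
# Added example (not from the Atlassian article): step 1 issues a 5-minute
# token and exports it only in encrypted form; step 2 decrypts and uses it.
# ARTIFACT_KEY (secured variable), issue-short-lived-token (placeholder
# command) and api.example.com are assumptions for illustration.
image: atlassian/default-image:4

pipelines:
  default:
    - step:
        name: Issue token and export it as an encrypted artifact
        script:
          - test -n "$ARTIFACT_KEY" || { echo "ARTIFACT_KEY is not set"; exit 1; }
          - mkdir -p handoff
          # Placeholder for your token issuer: request a token that expires in
          # 300 s and write it straight to a file, so the value never appears
          # on a command line or in the build log.
          - (umask 077; issue-short-lived-token --ttl 300 > handoff/token.txt)
          # Encrypt with the passphrase from the secured variable. -pass env:
          # reads it from the environment, so it is not on the command line.
          # The artifact is retained for 14 days; only ciphertext goes into it.
          - openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:ARTIFACT_KEY -in handoff/token.txt -out handoff/token.enc
          - rm -f handoff/token.txt
        artifacts:
          - handoff/token.enc
    - step:
        name: Consume the token
        script:
          # The artifact from the previous step is restored into the workspace.
          - (umask 077; openssl enc -d -aes-256-cbc -pbkdf2 -pass env:ARTIFACT_KEY -in handoff/token.enc -out handoff/token.txt)
          # Use the token directly from the file; nothing here prints it.
          - 'curl -fsS -H "Authorization: Bearer $(cat handoff/token.txt)" https://api.example.com/deploy'
          # Remove the plaintext before the step ends. The token.enc artifact
          # still has to be deleted from the pipeline once the run completes,
          # even though the token itself expires five minutes after issue.
          - rm -f handoff/token.txt
```

Because the passphrase lives only in the secured variable and the token expires five minutes after it is issued, a copy of the artifact obtained after the run yields neither a usable token nor a way to decrypt it. Deleting the artifact promptly remains the practice the article recommends; the encryption and short TTL limit the damage if that step is forgotten.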



Last modified on Dec 2, 2022
