Recommended practices for managing secret data in Bitbucket Pipelines

Platform Notice: Cloud Only - This article only applies to Atlassian apps on the cloud platform.

Summary

This article covers how to manage secret data in Bitbucket Pipelines using secured variables, SSH keys, and artifact sharing practices.

Solution

The following are the recommended practices for managing data of the secret type (tokens, credentials) in pipeline steps.

Secured variables:

  • In Bitbucket Pipelines, you can secure a variable, which means you can use it in your scripts, but its value will be hidden in the build logs. If you want to edit a secure variable, you can only give it a new value or delete it. Secure variables are stored as encrypted values. You can secure a variable by clicking on the padlock button. Please refer to the Pipelines secured variables document for more details about configuring secured variables.

  • You can store tokens, credentials, or other secrets as secured variables and use them across pipelines and build steps. Limitation: the combined length of all pipeline variable names and values must not exceed 120K characters.

  • There is an option to generate and add SSH keys in pipelines. Please refer to this document for more details. However, you can also use multiple existing keys with a pipeline by adding them as secured variables and referencing them in the bitbucket-pipelines.yml file. Follow the steps mentioned in the document to set up and use multiple SSH keys in your pipeline.

  • There are security risks associated with passing private SSH keys as repository variables:

    • Repository variables are copied to any child processes that your pipeline build spawns.

    • Any user with write access to a repository can retrieve its secured variables.

We recommend that you never pass your own personal SSH key as a repository variable, but instead generate a new SSH key pair for Pipelines that can easily be turned off if it is compromised.
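The following is an added example, not code from the Atlassian article: a shell helper for a pipeline step that takes a dedicated SSH private key stored base64-encoded in a secured variable, writes it to disk with owner-only permissions, registers it under its own Host alias so several keys can coexist, and then unsets the variable so child processes spawned later in the step do not inherit the secret. It assumes the key was encoded with `base64 -w 0` before being saved, and the variable name DEPLOY_KEY_B64 is a hypothetical one.

```shell
#!/bin/sh
# Added example (not from the Atlassian article). Assumes the private key was
# encoded with `base64 -w 0 id_deploy` and saved as the secured variable
# DEPLOY_KEY_B64 (hypothetical name), and that base64 and chmod are available.

# Directory for keys; overridable so the helper can be exercised in a scratch location.
SSH_DIR="${SSH_DIR:-$HOME/.ssh}"

# install_ssh_key VAR_NAME ALIAS HOSTNAME
#   Decodes the secured variable VAR_NAME into $SSH_DIR/id_ALIAS, restricts it
#   to owner read/write, adds a Host block for ALIAS that uses only that key,
#   and prints the key path. Returns non-zero if the variable is unset.
install_ssh_key() {
    var_name="$1"; alias_name="$2"; host_name="$3"
    key_path="$SSH_DIR/id_$alias_name"

    # Fail early rather than silently writing an empty key file.
    eval "encoded=\${$var_name:-}"
    if [ -z "$encoded" ]; then
        echo "secured variable $var_name is not set" >&2
        return 1
    fi

    mkdir -p "$SSH_DIR" && chmod 700 "$SSH_DIR"
    # umask 077 ensures the key file is never group/world-readable, even briefly.
    (umask 077 && printf '%s' "$encoded" | base64 -d > "$key_path") || return 1
    chmod 600 "$key_path"

    # One Host block per key: git/ssh pick the key by alias, nothing else is tried.
    cat >> "$SSH_DIR/config" <<EOF
Host $alias_name
    HostName $host_name
    IdentityFile $key_path
    IdentitiesOnly yes
EOF
    chmod 600 "$SSH_DIR/config"

    # Secured variables are copied to child processes; drop the value now that
    # the key is on disk so build tools started later do not inherit it.
    unset "$var_name"
    echo "$key_path"
}

# Usage inside a pipeline step (the clone uses only the key bound to the alias):
#   install_ssh_key DEPLOY_KEY_B64 deploy bitbucket.org
#   git clone git@deploy:workspace/repo.git
```

Repeat the call with a second variable and alias (for example a read-only key for a dependency repository) to use several keys in one step.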

Third-party secret provider:

  • If your organization uses a third-party secret management tool such as HashiCorp Vault to store or rotate secrets, Bitbucket Pipelines can integrate with it to retrieve secrets as needed. This functionality is available for pipelines using self-hosted and cloud runners. This advanced feature requires you to write middleware specific to your third-party secret provider.

You can check the documentation on this feature here: Third-party secret providers.

Updated on September 26, 2025
