
Using different aws credentials in pipeline


Hi, I have a Bitbucket pipeline that must have multiple AWS credentials for different duties.

In the first lines, I have a custom ECR image. To pull it, I created an AWS user with only ECR read-only permissions. The access-key and secret-key parameters are the keys of that user.

And in this ECR image, I embedded another AWS user's credentials to do the rest of the work (image push etc). But somehow, the credentials that I used for pulling the base image are used in the steps too. Because of this, the image push is being denied.

Are the credentials for the base image pull being applied pipeline-wide?

And how can I overcome this situation?

Thank you.

    image:
      name: <ECR Image>
      aws:
        access-key: $AWS_ACCESS_KEY_ID

    - step:
        name: "Image Build & Push"
        script:
          - export ENVIRONMENT=beta
          - echo "Environment is ${ENVIRONMENT}"
          - make clean
          - make test
          - docker tag ....
          - docker push .....


1 answer

@oguzhansuch syntax you provide in the beginning of the pipeline is indeed pipeline-wide.

But in each step it should be overridden. The question is how you configure environment variables specifically for the push step.

If that does not succeed, you can also do some workarounds and use aws configure with different variable names (e.g. AWS_ACCESS_KEY_ID_PUSH), BUT I have a better solution that should match your case.


Bitbucket repos have a feature called Deployments, where you can set up an environment, for example call it "beta", and put variables there specifically for your push.

These can be the AWS access key pair and other variables you need. Deployment variables will override your pipeline-wide variables for that deployment specifically, and not touch other steps.

 See the documentation

Basically, after setting up the deployment in the separate Bitbucket settings, your pipeline would look like:

    - step:
        name: "Image Build & Push"
        deployment: beta
        script:
          - ....

And in the beta deployment you will set AWS_ACCESS_KEY_ID and the secret for the push user.

I guess this solution is much cleaner and you could use it in the future for even more cases.

Regards, Galyna
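
The workaround mentioned in the answer (separately named variables for the push user), as an added example that is not part of the original thread: a shell helper for the step's script that applies the push keys to single commands only, so the rest of the step keeps the pull-only identity. `AWS_ACCESS_KEY_ID_PUSH` follows the answer's example name; `AWS_SECRET_ACCESS_KEY_PUSH`, `with_push_creds` and `ecr_push` are assumed names, and the region is assumed to come from `AWS_DEFAULT_REGION`.

```shell
#!/bin/sh
# Added example. AWS_ACCESS_KEY_ID_PUSH / AWS_SECRET_ACCESS_KEY_PUSH are
# assumed names for secured repository variables holding the push user's keys;
# neither Bitbucket nor AWS defines them.

# with_push_creds CMD [ARGS...]: run CMD as the push user.
with_push_creds() {
    # Fail closed: never fall back to the pull-only keys if the push keys are missing.
    if [ -z "${AWS_ACCESS_KEY_ID_PUSH:-}" ] || [ -z "${AWS_SECRET_ACCESS_KEY_PUSH:-}" ]; then
        echo "push credentials are not set" >&2
        return 1
    fi
    # Subshell: the overrides disappear when CMD exits, so later commands in
    # the step still see the pipeline-wide (read-only) identity.
    (
        export AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID_PUSH"
        export AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY_PUSH"
        # A leftover session token or profile would belong to another identity.
        unset AWS_SESSION_TOKEN AWS_PROFILE
        "$@"
    )
}

# ecr_push REGISTRY IMAGE: log in to ECR as the push user, then push IMAGE.
ecr_push() {
    registry=$1
    image=$2
    # Print the ARN of the identity in use (no secret is shown); a wrong ARN
    # here explains a denied push before docker is even involved.
    with_push_creds aws sts get-caller-identity --query Arn --output text || return 1
    with_push_creds aws ecr get-login-password \
        | docker login --username AWS --password-stdin "$registry" || return 1
    docker push "$registry/$image"
}

# In the step's script, after sourcing this file (registry and tag are placeholders):
#   ecr_push "<registry>" "<image>:<tag>"
```
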
