Cannot retrieve OIDC token using bitbucket pipeline

Naveen Gabriel June 29, 2025

I was trying to connect a Bitbucket pipeline with a GCP VM instance and could not do it.

After a series of debugging steps, I tried accessing the token using a simple pipeline and still couldn't find out why the token is not populated.

Below is my simple pipeline:

```
pipelines:
  default:
    - step:
        oidc: true
        script:
            - echo "This step will generate an OIDC token"
            - echo $BITBUCKET_STEP_OIDC_TOKEN # Access the token
```

 

Attaching the output from the pipeline 

pipeline_output.png

Does anyone know why the token is not shown? What can be done to access this token?

1 answer

0 votes
Theodora Boudale
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 1, 2025

Hi Naveen,

The token is stored as a secured variable, which is why its value will not show in the build log. If a value matching a secured variable appears in the logs, Pipelines will replace it with $VARIABLE_NAME.

If you want to retrieve the variable's value, you can first store it in a file by adding a command in your yml file like this:

```
- echo $BITBUCKET_STEP_OIDC_TOKEN > oidc_token.txt
```

Then, one option is to upload this file to a server of yours. You'll need to add a command in your yml file to do that; the command depends on what the server supports e.g. ftp, or curl with an API, scp (you'd need to set up SSH access for scp https://support.atlassian.com/bitbucket-cloud/docs/using-ssh-keys-in-bitbucket-pipelines/).

Another option would be to define that file as an artifact in your yml file, then you should be able to download it from the Artifacts tab of the Pipelines build:

While this is easier to set up, please be mindful that artifacts can be downloaded by every user with read access to the repository.

Please feel free to reach out if you have any questions.

Kind regards,
Theodora

Naveen Gabriel July 3, 2025

@Theodora Boudale Thanks for clarifying.

No, I don't want to retrieve the token but to use the token to connect with the GCP VM instance for deployment. This connection was not happening, so I was wondering if the token is being generated. The following was the pipeline:

```
pipelines:
  branches:
    dev:
      - step:
          name: Connect to GCP VM via OIDC
          image: google/cloud-sdk:slim
          oidc: true
          script:
            # 1. Write OIDC config to file
            - echo "[INFO] Writing OIDC config to file"
            - echo "$GOOGLE_OIDC_CONFIG_FILE" > gcp-wif-config.json
            - cat gcp-wif-config.json

            - echo "--- Full Environment Variables ---"
            - env # This will print all environment variables
            - echo "--- Filtering for OIDC Token ---"
            - env | grep BITBUCKET_STEP_OIDC_TOKEN
            - echo "--- End Environment Check ---"

            # 2. Write OIDC token to file
            - echo "$BITBUCKET_STEP_OIDC_TOKEN"
            - echo $BITBUCKET_STEP_OIDC_TOKEN
            - echo "$BITBUCKET_STEP_OIDC_TOKEN" > bitbucket-oidc-token.txt
            - cat bitbucket-oidc-token.txt

            # 3. Authenticate with gcloud using OIDC config
            - echo "[INFO] Authenticating using gcp-wif-config.json"
            - gcloud auth login --cred-file=gcp-wif-config.json
            - gcloud config set project "$GCP_PROJECT_ID"
            - gcloud auth list

            # 4. SSH into the instance and print hostname
            - echo "[INFO] Connecting to VM via gcloud compute ssh"
            - gcloud compute ssh "$GCP_INSTANCE_NAME" --zone="$GCP_ZONE" --command="echo 'Connected to VM:' && hostname"
```


Can you please verify this pipeline once?

Best Regards
Naveen Gabriel


Theodora Boudale
Atlassian Team
July 4, 2025

Hi,

Thank you for your answer. I thought you wanted to see the value of the token as part of your debugging, I'm sorry I misunderstood that.

I haven't worked with connections to GCP via OIDC, so I'm afraid I cannot offer much help here. Since your workspace is on a paid billing plan, I recommend creating a ticket with the support team and sharing the URL of the failed build. Then, one of my colleagues can look into it and provide advice. A support ticket you create can be accessed only by you, Atlassian staff, and any other users you may add as participants, so anything you share there won't be publicly visible.

You can create a ticket via https://support.atlassian.com/contact/#/, in "What can we help you with?" select "Technical issues and bugs" and then Bitbucket Cloud as product. When you are asked to provide the workspace URL, please make sure you enter the URL of the workspace that is on a paid billing plan to proceed with ticket creation. You can provide the link of the failed Pipelines build in the field "Give us more details".

Kind regards,
Theodora
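
One way to confirm that the step's OIDC token is populated and carries the expected claims, despite the log masking described in the answer above, without printing or storing the token itself. This is an added example, not part of the thread or of Atlassian's documentation; the function names and the sample token are constructed here, and it assumes `base64`, `tr`, `cut` and `sed` exist in the build image and that the claims of interest are flat JSON strings.

```shell
#!/bin/sh
# Added example (not from the thread): check that a JWT such as
# $BITBUCKET_STEP_OIDC_TOKEN is populated and read its claims without
# writing the token itself to the build log or to a file.

# Decode one base64url segment (JWT header or payload) to stdout.
b64url_decode() {
    seg=$(printf '%s' "$1" | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in      # restore the '=' padding JWTs strip
        2) seg="${seg}==" ;;
        3) seg="${seg}=" ;;
        1) return 1 ;;              # impossible length for base64
    esac
    printf '%s' "$seg" | base64 -d
}

# Print the JSON payload of a JWT; fail if it is empty or malformed.
jwt_claims() {
    token=$1
    [ -n "$token" ] || { echo "token is empty" >&2; return 1; }
    dots=$(printf '%s' "$token" | tr -cd '.' | wc -c)
    [ "$dots" -eq 2 ] || { echo "not a three-segment JWT" >&2; return 1; }
    b64url_decode "$(printf '%s' "$token" | cut -d. -f2)"
}

# Print one flat string claim (iss, aud, sub, ...). sed keeps the example
# dependency-free; use jq instead if the build image has it.
jwt_claim() {
    jwt_claims "$1" |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Constructed, unsigned sample token for offline testing (all values made up).
sample_token() {
    enc() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }
    printf '%s.%s.%s' "$(enc '{"alg":"none"}')" \
        "$(enc '{"iss":"https://issuer.example/oidc","aud":"example-audience","sub":"{constructed-repo}:{constructed-step}"}')" \
        "constructed-signature"
}

# In a pipeline step (assumed usage):
#   jwt_claim "$BITBUCKET_STEP_OIDC_TOKEN" iss
#   jwt_claim "$BITBUCKET_STEP_OIDC_TOKEN" aud
```

Comparing the printed `iss`, `aud` and `sub` values with what the workload identity provider is configured to accept narrows down whether the problem is token generation or the trust configuration on the GCP side.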
