Update on setting redacted-vars in the agent config #2342
Conversation
Preview URL: https://2342--bk-docs-preview.netlify.app
@@ -134,7 +134,7 @@ To further tighten the security in a Buildkite organization, you can use the [AP | |||
|
|||
The Buildkite agent can redact the values of environment variables whose names match common patterns for passwords, and other secure information, before the build log is uploaded to Buildkite. | |||
|
|||
The default environment variable name patterns are `*_PASSWORD`, `*_SECRET`, `*_TOKEN`, `*_ACCESS_KEY`, and `*_SECRET_KEY`. You can replace the default patterns by [setting redacted-vars](/docs/agent/v3/configuration#redacted-vars) **on your agent**. | |||
The default environment variable name patterns are `*_PASSWORD`, `*_SECRET`, `*_TOKEN`, `*_ACCESS_KEY`, and `*_SECRET_KEY`. You can append additional patterns, or replace the default patterns entirely by [setting redacted-vars](/docs/agent/v3/configuration#redacted-vars) **on your agent**. |
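Review bot: the added sentence on the `+` line says you can "append additional patterns, or replace the default patterns entirely", but the setting holds the whole list, so a reader who writes only the new pattern (say `redacted-vars="FOO"`) silently loses `*_PASSWORD`, `*_SECRET`, `*_TOKEN`, `*_ACCESS_KEY` and `*_SECRET_KEY`. State plainly that "appending" means re-listing the defaults next to the new pattern, and show the resulting line as the PR description does: `redacted-vars="*_PASSWORD, *_SECRET, *_TOKEN, *_ACCESS_KEY, *_SECRET_KEY, FOO"`. Minor: the comma before "or replace" is not needed.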
This is a great clarification, and I think including the example you used in the PR description will help the explanation even further. But it doesn't naturally fit in after this sentence, so I ended up rearranging the section a bit:
Agents can redact the values of environment variables whose names match common patterns for passwords and other secure information before the build log is uploaded to Buildkite.
The default environment variable name patterns are:
- `*_PASSWORD`
- `*_SECRET`
- `*_TOKEN`
- `*_ACCESS_KEY`
- `*_SECRET_KEY`
With these defaults, if you have an environment variable `MY_SECRET="topsecret"` and run a command that outputs `This is topsecret info`, the log output will be `This is [REDACTED] info`.
You can append additional patterns or replace the default patterns entirely by [setting redacted-vars](/docs/agent/v3/configuration#redacted-vars) on your agent. For example, if you wanted to redact the value of `FOO` in your log output and keep the existing default patterns, the configuration setting should look like the following:
```sh
redacted-vars="*_PASSWORD, *_SECRET, *_TOKEN, *_ACCESS_KEY, *_SECRET_KEY, *_SOME_VALUE, FOO"
```
What do you think?
@mbelton-buildkite yes, love that suggestion! I left things a bit open-ended because, as you said, it didn't quite read the way I wanted it to 😅
Awesome! Let me know if you need any help making that update 😊
@mbelton-buildkite added the suggested updates; hopefully it makes sense (I just did a cut and replace, as I like your suggestion's wording 😄)
Looks good to me!
I'll merge it @mbelton-buildkite because Jeremy is on leave :)
Adding additional patterns to the redacted-vars setting in the agent config will require appending new patterns to the existing defaults. For example, if you wanted to redact the value of `FOO` in your log output, and keep the existing default patterns, the config setting should look like:

```sh
redacted-vars="*_PASSWORD, *_SECRET, *_TOKEN, *_ACCESS_KEY, *_SECRET_KEY, *_SOME_VALUE, FOO"
```
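To make the "replaces, does not append" behaviour concrete, here is an added Go example, not the Buildkite agent's own code and not part of this PR, that applies a `redacted-vars` list to a constructed environment and log line in the way the review comment and the PR description above describe. It assumes `path.Match` glob semantics for the `*` patterns, a comma-separated setting as in the example, and the constructed values `topsecret` and `hunter2pass`. It shows that `redacted-vars="FOO"` on its own drops the default patterns, so `MY_SECRET` would leak into the log, while re-listing the defaults alongside `FOO` redacts both.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// DefaultRedactedVars are the default name patterns quoted in the docs change.
var DefaultRedactedVars = []string{"*_PASSWORD", "*_SECRET", "*_TOKEN", "*_ACCESS_KEY", "*_SECRET_KEY"}

// ParseRedactedVars splits the value of a setting such as
// redacted-vars="*_PASSWORD, *_SECRET, FOO" into its patterns.
// Comma separation with optional spaces is an assumption taken from the
// example in the PR description.
func ParseRedactedVars(setting string) []string {
	var patterns []string
	for _, p := range strings.Split(setting, ",") {
		if p = strings.TrimSpace(p); p != "" {
			patterns = append(patterns, p)
		}
	}
	return patterns
}

// SecretValues returns, sorted, the values of every env var whose NAME matches
// at least one pattern. The `*` glob is implemented with path.Match; this is
// an assumption about how the patterns are interpreted, not the agent's code.
func SecretValues(env map[string]string, patterns []string) []string {
	var vals []string
	for name, val := range env {
		if val == "" {
			continue // nothing to redact
		}
		for _, pat := range patterns {
			if ok, err := path.Match(pat, name); err == nil && ok {
				vals = append(vals, val)
				break
			}
		}
	}
	sort.Strings(vals)
	return vals
}

// Redact replaces every occurrence of a secret value in line with [REDACTED],
// giving the `This is [REDACTED] info` form described in the thread.
func Redact(line string, secrets []string) string {
	for _, s := range secrets {
		line = strings.ReplaceAll(line, s, "[REDACTED]")
	}
	return line
}

func main() {
	// Constructed environment and log line; not taken from a real build.
	env := map[string]string{
		"MY_SECRET":        "topsecret",
		"FOO":              "hunter2pass",
		"BUILDKITE_BRANCH": "main",
	}
	line := "This is topsecret info and hunter2pass on main"

	// Defaults only: MY_SECRET is covered by *_SECRET, FOO is not.
	fmt.Println(Redact(line, SecretValues(env, DefaultRedactedVars)))

	// redacted-vars="FOO" replaces the whole list: FOO is redacted, MY_SECRET leaks.
	fmt.Println(Redact(line, SecretValues(env, ParseRedactedVars("FOO"))))

	// Defaults re-listed plus FOO, as the PR description shows: both are redacted.
	full := "*_PASSWORD, *_SECRET, *_TOKEN, *_ACCESS_KEY, *_SECRET_KEY, FOO"
	fmt.Println(Redact(line, SecretValues(env, ParseRedactedVars(full))))
}
```

The middle case is the one to check in your own agent config: any `redacted-vars` line that does not start with the five default patterns has turned them off.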