Update on setting redacted-vars in the agent config #2342

Merged
merged 2 commits into from
Aug 17, 2023
2 changes: 1 addition & 1 deletion pages/pipelines/managing_log_output.md
Expand Up @@ -134,7 +134,7 @@ To further tighten the security in a Buildkite organization, you can use the [AP

The Buildkite agent can redact the values of environment variables whose names match common patterns for passwords, and other secure information, before the build log is uploaded to Buildkite.

The default environment variable name patterns are `*_PASSWORD`, `*_SECRET`, `*_TOKEN`, `*_ACCESS_KEY`, and `*_SECRET_KEY`. You can replace the default patterns by [setting redacted-vars](/docs/agent/v3/configuration#redacted-vars) **on your agent**.
The default environment variable name patterns are `*_PASSWORD`, `*_SECRET`, `*_TOKEN`, `*_ACCESS_KEY`, and `*_SECRET_KEY`. You can append additional patterns, or replace the default patterns entirely by [setting redacted-vars](/docs/agent/v3/configuration#redacted-vars) **on your agent**.
Contributor


This is a great clarification, and I think including the example you used in the PR description will help the explanation even further. But it doesn't naturally fit in after this sentence so I ended up rearranging the section a bit:

Agents can redact the values of environment variables whose names match common patterns for passwords and other secure information before the build log is uploaded to Buildkite.

The default environment variable name patterns are:

- `*_PASSWORD`
- `*_SECRET`
- `*_TOKEN`
- `*_ACCESS_KEY`
- `*_SECRET_KEY`

With these defaults, if you have an environment variable `MY_SECRET="topsecret"` and run a command that outputs `This is topsecret info`, the log output will be `This is [REDACTED] info`.

You can append additional patterns or replace the default patterns entirely by [setting redacted-vars](/docs/agent/v3/configuration#redacted-vars) on your agent. For example, if you wanted to redact the value of `FOO` in your log output and keep the existing default patterns, the configuration setting should look like the following:

```sh
redacted-vars="*_PASSWORD, *_SECRET, *_TOKEN, *_ACCESS_KEY, *_SECRET_KEY, *_SOME_VALUE, FOO"
```

What do you think?
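
An added example, not part of this PR or of Buildkite's code, that models the behaviour described in the comment above to check whether a custom `redacted-vars` value still covers what the defaults covered. It assumes shell-style, case-sensitive glob matching on variable names and literal replacement of values; the function names and the sample environment in the usage note are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Default name patterns as listed on this page.
DEFAULT_PATTERNS = ["*_PASSWORD", "*_SECRET", "*_TOKEN", "*_ACCESS_KEY", "*_SECRET_KEY"]


def parse_redacted_vars(setting):
    """Split a comma-separated redacted-vars value into a list of patterns."""
    return [p.strip() for p in setting.split(",") if p.strip()]


def _covered(name, patterns):
    # Assumption: glob-style, case-sensitive match on the variable name.
    return any(fnmatchcase(name, p) for p in patterns)


def missing_defaults(setting):
    """Default patterns that the custom setting no longer lists."""
    configured = set(parse_redacted_vars(setting))
    return [p for p in DEFAULT_PATTERNS if p not in configured]


def unprotected_vars(setting, env):
    """Variable names the defaults would redact but the custom setting does not."""
    patterns = parse_redacted_vars(setting)
    return sorted(
        name for name in env
        if _covered(name, DEFAULT_PATTERNS) and not _covered(name, patterns)
    )


def redact(line, setting, env):
    """Model of log redaction: replace the values of matching variables."""
    patterns = parse_redacted_vars(setting)
    for name, value in env.items():
        if value and _covered(name, patterns):
            line = line.replace(value, "[REDACTED]")
    return line
```

With a constructed environment containing `MY_SECRET="topsecret"`, `unprotected_vars("FOO", env)` reports `MY_SECRET` as no longer covered, while the full list from the comment above returns an empty result.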

Contributor Author


@mbelton-buildkite yes, love that suggestion! I left things a bit open ended because as you said, it didn't quite read the way I wanted it to 😅

Contributor


Awesome! Let me know if you need any help making that update 😊

Contributor Author


@mbelton-buildkite added the suggested updates, hopefully it makes sense (I just did a cut and replace, as I like your suggestion's wording 😄 )


For example, if you have environment variable `MY_SECRET="topsecret"`and you run a command that outputs `This is topsecret info`, the log output will actually be `This is [REDACTED] info`.
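
Review bot: In the added sentence, "append additional patterns" reads as if setting redacted-vars extends the defaults, while the removed line says the setting replaces them, so a reader who sets only their own pattern would stop redacting values for `*_PASSWORD`, `*_SECRET`, `*_TOKEN`, `*_ACCESS_KEY` and `*_SECRET_KEY`. Suggest stating that appending means listing the default patterns again alongside the new ones, with a short example value. The comma before "or replace" also attaches "by setting redacted-vars" to the second option only, and the trailing context line is missing a space in `MY_SECRET="topsecret"`and.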
