buildkite-agent redactor

The Buildkite Agent automatically redacts some sensitive information from logs, such as secrets fetched with the secret get command, and any environment variables that match the value given in the --redacted-vars flag.

However, sometimes a job will source something sensitive through a side channel, perhaps a third-party secrets storage system like HashiCorp Vault or AWS Secrets Manager. In these cases, you can use the redactor add command to add the sensitive information to the redactor, ensuring it is redacted from subsequent logs.

Adding a value to the redactor

Usage

buildkite-agent redactor add [options...] [file-with-content-to-redact]

Description

This command may be used to parse a file for values to redact from a running job's log output. If you dynamically fetch secrets during a job, it is recommended that you use this command to ensure they will be redacted from subsequent logs. Secrets fetched with the built-in secret get command do not require the use of this command; they will be redacted automatically.

Examples

To redact the verbatim contents of the file 'id_ed25519' from future logs:

$ buildkite-agent redactor add id_ed25519

To redact the string 'llamasecret' from future logs:

$ echo llamasecret | buildkite-agent redactor add

Pass a flat JSON object whose keys are unique and whose values are your secrets:

$ echo '{"db_password":"secret1","api_token":"secret2","ssh_key":"secret3"}' | buildkite-agent redactor add --format json

Or

$ buildkite-agent redactor add --format json my-secrets.json

JSON does not allow duplicate keys. If you repeat the same key ("key"), the JSON parser keeps only the final entry, so only that single value is added to the redactor:

$ echo '{"key":"value1","key":"value2","key":"value3"}' | buildkite-agent redactor add --format json
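A pre-flight check for the duplicate-key case above, as an added example that is not part of the Buildkite documentation or the agent's code: it rejects input with repeated keys before running `redactor add --format json`, so earlier values are not silently left unredacted. The function names and the rule that every value must be a non-empty string are assumptions of this example.

```python
import json
import subprocess
import sys

# The page's own duplicate-key input: value1 and value2 would stay unredacted.
PAGE_DUPLICATE_EXAMPLE = '{"key":"value1","key":"value2","key":"value3"}'


def check_redactor_json(text):
    """Return problems that would leave secrets out of the redactor ([] = OK)."""
    duplicates = []
    def track_pairs(pairs):
        # Sees every pair, including repeats a plain parse collapses to the last.
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in duplicates:
                duplicates.append(key)
            seen.add(key)
        return dict(pairs)

    try:
        doc = json.loads(text, object_pairs_hook=track_pairs)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = [f"duplicate key {k!r}: only the last value is redacted" for k in duplicates]
    for key, value in doc.items():
        # Assumption of this example: "flat" means each value is a non-empty string.
        if not isinstance(value, str) or not value.strip():
            problems.append(f"key {key!r}: value is not a non-empty string")
    return problems


def add_to_redactor(path):
    """Validate the file, then run the command form shown on the page."""
    with open(path, encoding="utf-8") as fh:
        problems = check_redactor_json(fh.read())
    for problem in problems:
        # Messages name keys only; secret values are never echoed.
        print(f"redactor pre-check: {problem}", file=sys.stderr)
    if problems:
        return False
    subprocess.run(["buildkite-agent", "redactor", "add", "--format", "json", path], check=True)
    return True


if __name__ == "__main__":
    sys.exit(0 if add_to_redactor(sys.argv[1]) else 1)
```

Run it in the job step in place of the direct `redactor add --format json my-secrets.json` call; a non-zero exit means the file was not passed to the agent.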

Options

--no-color

Don't show colors in logging
Environment variable: $BUILDKITE_AGENT_NO_COLOR

--debug

Enable debug mode. Synonym for `--log-level debug`. Takes precedence over `--log-level`
Environment variable: $BUILDKITE_AGENT_DEBUG

--log-level value

Set the log level for the agent, making logging more or less verbose. Defaults to notice. Allowed values are: debug, info, error, warn, fatal (default: "notice")
Environment variable: $BUILDKITE_AGENT_LOG_LEVEL

--experiment value

Enable experimental features within the buildkite-agent
Environment variable: $BUILDKITE_AGENT_EXPERIMENT

--profile value

Enable a profiling mode, either cpu, memory, mutex or block
Environment variable: $BUILDKITE_AGENT_PROFILE

--agent-access-token value

The access token used to identify the agent
Environment variable: $BUILDKITE_AGENT_ACCESS_TOKEN

--endpoint value

The Agent API endpoint (default: "https://agent.buildkite.com/v3")
Environment variable: $BUILDKITE_AGENT_ENDPOINT

--no-http2

Disable HTTP2 when communicating with the Agent API.
Environment variable: $BUILDKITE_NO_HTTP2

--debug-http

Enable HTTP debug mode, which dumps all request and response bodies to the log
Environment variable: $BUILDKITE_AGENT_DEBUG_HTTP

--trace-http

Enable HTTP trace mode, which logs timings for each HTTP request. Timings are logged at the debug level unless a request fails at the network level in which case they are logged at the error level
Environment variable: $BUILDKITE_AGENT_TRACE_HTTP

--format value

The format for the input, whose value is either `json` or `none`. `none` adds the entire input's content to the redactor, with the exception of leading and trailing space. `json` parses the input's content as a JSON object, where each value of each key is added to the redactor. (default: "none")
Environment variable: $BUILDKITE_AGENT_REDACT_ADD_FORMAT