buildkite-agent redactor

The Buildkite Agent automatically redacts some sensitive information from logs, such as secrets fetched with the secret get command, and any environment variables that match the value given in the --redacted-vars flag.

However, sometimes a job will source something sensitive through a side channel, perhaps a third-party secrets storage system like HashiCorp Vault or AWS Secrets Manager. In these cases, you can use the redactor add command to add the sensitive information to the redactor, ensuring it is redacted from subsequent logs.

Adding a value to the redactor

Usage

buildkite-agent redactor add [options...] [file-with-content-to-redact]

Description

This command may be used to parse a file for values to redact from a running job's log output. If you dynamically fetch secrets during a job, it is recommended that you use this command to ensure they will be redacted from subsequent logs. Secrets fetched with the built-in secret get command do not require the use of this command; they are redacted automatically.

Example

To redact the verbatim contents of the file 'id_ed25519' from future logs:

$ buildkite-agent redactor add id_ed25519

To redact the string 'llamasecret' from future logs:

$ echo llamasecret | buildkite-agent redactor add

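To redact multiple secrets from future logs in one command, create a flat JSON object file (for example, 'my-secrets.json') with one key per secret. The value of each key is added to the redactor. Give each key a distinct name: repeated names in a JSON object are ambiguous, and a parser will typically keep only the last value, leaving the earlier secrets unredacted.

$ echo '{"key1":"secret1","key2":"secret2"}' | buildkite-agent redactor add --format json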

Or

$ buildkite-agent redactor add --format json my-secrets.json
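
For secrets fetched from a third-party store during a job, the wrapper below registers each value with the redactor before exporting it, and exports nothing if the fetch or the registration fails. It is an added example, not part of the Buildkite documentation or agent; fetch_and_redact and AGENT_BIN are hypothetical names, and the Vault path in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not Buildkite's own code. AGENT_BIN and fetch_and_redact
# are hypothetical names; AGENT_BIN exists so a stub agent can be swapped in.
AGENT_BIN="${AGENT_BIN:-buildkite-agent}"

# fetch_and_redact VAR CMD [ARGS...]
# Runs CMD to fetch a secret, registers the value with the job's redactor,
# and only then exports it as VAR. Returns non-zero, exporting nothing, if
# the fetch fails, returns an empty value, or `redactor add` fails.
fetch_and_redact() {
  _var=$1; shift
  # Pause xtrace so `set -x` never prints the secret into the job log.
  case $- in *x*) _xtrace=1; set +x ;; *) _xtrace=0 ;; esac
  _rc=0
  _val=$("$@") || _rc=1
  if [ "$_rc" -eq 0 ] && [ -z "$_val" ]; then _rc=1; fi
  if [ "$_rc" -eq 0 ]; then
    # Pass the value on stdin, not argv, so it stays out of the process list.
    printf '%s' "$_val" | "$AGENT_BIN" redactor add || _rc=1
  fi
  if [ "$_rc" -eq 0 ]; then
    export "$_var=$_val"
  fi
  unset _val
  if [ "$_xtrace" -eq 1 ]; then set -x; fi
  return "$_rc"
}

# Usage in a hook or command step (constructed path), failing the step
# instead of continuing with an unredacted secret:
#   fetch_and_redact DB_PASSWORD vault kv get -field=password secret/ci/db || exit 1
```
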

Options

--format value

The format for the input, whose value is either `json` or `none`. `none` adds the entire input's content to the redactor, with the exception of leading and trailing space. `json` parses the input's content as a JSON object, where each value of each key is added to the redactor. (default: "none")
Environment variable: $BUILDKITE_AGENT_REDACT_ADD_FORMAT

--agent-access-token value

The access token used to identify the agent
Environment variable: $BUILDKITE_AGENT_ACCESS_TOKEN

--endpoint value

The Agent API endpoint (default: "https://agent.buildkite.com/v3")
Environment variable: $BUILDKITE_AGENT_ENDPOINT

--no-http2

Disable HTTP2 when communicating with the Agent API.
Environment variable: $BUILDKITE_NO_HTTP2

--debug-http

Enable HTTP debug mode, which dumps all request and response bodies to the log
Environment variable: $BUILDKITE_AGENT_DEBUG_HTTP

--no-color

Don't show colors in logging
Environment variable: $BUILDKITE_AGENT_NO_COLOR

--debug

Enable debug mode. Synonym for `--log-level debug`. Takes precedence over `--log-level`
Environment variable: $BUILDKITE_AGENT_DEBUG

--log-level value

Set the log level for the agent, making logging more or less verbose. Defaults to notice. Allowed values are: debug, info, error, warn, fatal (default: "notice")
Environment variable: $BUILDKITE_AGENT_LOG_LEVEL

--experiment value

Enable experimental features within the buildkite-agent
Environment variable: $BUILDKITE_AGENT_EXPERIMENT

--profile value

Enable a profiling mode, either cpu, memory, mutex or block
Environment variable: $BUILDKITE_AGENT_PROFILE