buildkite-agent redactor
The Buildkite Agent automatically redacts some sensitive information from logs, such as secrets fetched with the `secret get` command, and any environment variables that match the value given in the `--redacted-vars` flag.
However, sometimes a job will source something sensitive through a side channel - perhaps a third-party secrets storage system like HashiCorp Vault or AWS Secrets Manager. In these cases, you can use the `redactor add` command to add the sensitive information to the redactor, ensuring it is redacted from subsequent logs.
Adding a value to the redactor
Usage
buildkite-agent redactor add [options...] [file-with-content-to-redact]
Description
This command may be used to parse a file for values to redact from a running job's log output. If you dynamically fetch secrets during a job, it is recommended that you use this command to ensure they will be redacted from subsequent logs. Secrets fetched with the builtin `secret get` command do not require the use of this command; they will be redacted automatically.
Examples
To redact the verbatim contents of the file 'id_ed25519' from future logs:
$ buildkite-agent redactor add id_ed25519
To redact the string 'llamasecret' from future logs:
$ echo llamasecret | buildkite-agent redactor add
Pass a flat JSON object whose keys are unique and whose values are your secrets:
$ echo '{"db_password":"secret1","api_token":"secret2","ssh_key":"secret3"}' | buildkite-agent redactor add --format json
Or
$ buildkite-agent redactor add --format json my-secrets.json
JSON does not allow duplicate keys. If you repeat the same key ("key"), the JSON parser keeps only the final entry, so only that single value is added to the redactor:
$ echo '{"key":"value1","key":"value2","key":"value3"}' | buildkite-agent redactor add --format json
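For the side-channel case described above (a secret pulled from a store such as Vault or AWS Secrets Manager in the middle of a job), the following added example, which is not part of the Buildkite documentation, combines fetch, redact and export into one fail-closed step. `fetch_and_redact` and its `_far_*` variables are hypothetical names, and the Vault path in the usage comment is constructed.

```shell
# Added example: `fetch_and_redact` and its _far_* variables are hypothetical names.
# Usage (constructed Vault path):
#   fetch_and_redact DB_PASSWORD vault kv get -field=password secret/ci/db
fetch_and_redact() {
    if [ "$#" -lt 2 ]; then
        echo "usage: fetch_and_redact VAR_NAME fetch-command [args...]" >&2
        return 2
    fi
    _far_name=$1
    shift
    case $_far_name in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*)
            echo "fetch_and_redact: invalid variable name" >&2
            return 2 ;;
    esac
    # The redactor only covers subsequent log output, so pause `set -x`
    # tracing, which would print the value before it is registered.
    case $- in
        *x*) _far_trace=1; set +x ;;
        *)   _far_trace=0 ;;
    esac
    _far_rc=0
    if ! _far_value=$("$@"); then
        echo "fetch_and_redact: fetch failed for $_far_name" >&2
        _far_rc=1
    elif [ -z "$_far_value" ]; then
        echo "fetch_and_redact: empty value for $_far_name" >&2
        _far_rc=1
    elif ! printf '%s' "$_far_value" | buildkite-agent redactor add; then
        # Fail closed: never export a value the redactor did not accept.
        echo "fetch_and_redact: redactor add failed for $_far_name" >&2
        _far_rc=1
    else
        export "$_far_name=$_far_value"
    fi
    unset _far_value
    if [ "$_far_trace" = 1 ]; then set -x; fi
    return "$_far_rc"
}
```

Because the variable is exported only after `redactor add` succeeds, a job step that later prints it is already covered by the redactor.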
Options
--no-color | Don't show colors in logging |
---|---|
--debug | Enable debug mode. Synonym for `--log-level debug`. Takes precedence over `--log-level` |
--log-level value | Set the log level for the agent, making logging more or less verbose. Defaults to notice. Allowed values are: debug, info, error, warn, fatal (default: "notice") |
--experiment value | Enable experimental features within the buildkite-agent |
--profile value | Enable a profiling mode, either cpu, memory, mutex or block |
--agent-access-token value | The access token used to identify the agent |
--endpoint value | The Agent API endpoint (default: " |
--no-http2 | Disable HTTP2 when communicating with the Agent API. |
--debug-http | Enable HTTP debug mode, which dumps all request and response bodies to the log |
--trace-http | Enable HTTP trace mode, which logs timings for each HTTP request. Timings are logged at the debug level unless a request fails at the network level in which case they are logged at the error level |
--format value | The format for the input, whose value is either `json` or `none`. `none` adds the entire input's content to the redactor, with the exception of leading and trailing space. `json` parses the input's content as a JSON object, where each value of each key is added to the redactor. (default: "none") |