buildkite-agent secret
The buildkite-agent secret get command allows you to query and retrieve secrets from Buildkite secrets. This command is useful for fetching secrets that are required by your build scripts, without having to configure third-party secret management systems.
Getting a secret
Usage
buildkite-agent secret get [options...] [key1] [key2] ...
Description
Gets a list of secrets from Buildkite and prints them to stdout. Key names are case insensitive in this command, and secret values are automatically redacted in the build logs unless the skip-redaction flag is used.
If any request for a secret fails, the command will return a non-zero exit code and print details of all failed secrets.
By default, when fetching a single key, the secret value will be printed without any formatting. When fetching multiple keys, the output will be in JSON format. Output format can be controlled explicitly with the format flag.
Examples
# Secret keys are case insensitive
$ buildkite-agent secret get deploy_key
"..."
$ buildkite-agent secret get DEPLOY_KEY
"..."
# The return value can also be formatted using env (which can be piped
# into e.g. `source`, `declare -x`), or json
$ buildkite-agent secret get --format env deploy_key github_api_token
DEPLOY_KEY="..."
GITHUB_API_TOKEN="..."
$ buildkite-agent secret get --format json deploy_key github_api_token
{"deploy_key": "...", "github_api_token": "..."}
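The following is an added example, not part of the Buildkite documentation: a POSIX shell helper that loads secrets through `--format env` and checks the non-zero exit code described above before anything is exported. `BK_AGENT`, `load_secrets` and `deploy.sh` are names assumed for this example.

```shell
#!/bin/sh
# Added example, not from the Buildkite documentation.
# BK_AGENT is this example's own variable: it names the agent binary so a stub
# can stand in for it when testing offline.
BK_AGENT="${BK_AGENT:-buildkite-agent}"

# load_secrets KEY...
# Fetch the named secrets with --format env and export them into the current
# shell. Fails closed: on a non-zero exit from the agent nothing is exported.
load_secrets() {
    # Save and clear xtrace so an enclosing `set -x` cannot echo the values.
    case $- in *x*) _ls_x=1; set +x ;; *) _ls_x=0 ;; esac
    case $- in *a*) _ls_a=1 ;; *) _ls_a=0 ;; esac

    # Capture first and test the status: `eval "$(cmd)"` on its own would
    # discard cmd's exit code and carry on with whatever was printed.
    if _ls_out=$("$BK_AGENT" secret get --format env "$@"); then
        set -a              # export each variable the eval assigns
        eval "$_ls_out"     # relies on the env format being shell-sourceable
        [ "$_ls_a" -eq 1 ] || set +a
        _ls_rc=0
    else
        _ls_rc=$?
        echo "load_secrets: could not fetch all of: $*" >&2
    fi

    unset _ls_out
    [ "$_ls_x" -eq 1 ] && set -x
    return "$_ls_rc"
}

# Typical use, scoped to a subshell so the secrets do not outlive one step
# (deploy.sh is a hypothetical script):
#   ( load_secrets deploy_key github_api_token && exec ./deploy.sh ) || exit 1
```

Running the helper inside a subshell keeps the exported values out of the environment of later commands in the same job script.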
Options
| Option | Description |
|---|---|
| `--no-color` | Don't show colors in logging |
| `--debug` | Enable debug mode. Synonym for `--log-level debug`. Takes precedence over `--log-level` |
| `--log-level value` | Set the log level for the agent, making logging more or less verbose. Defaults to notice. Allowed values are: debug, info, error, warn, fatal (default: "notice") |
| `--experiment value` | Enable experimental features within the buildkite-agent |
| `--profile value` | Enable a profiling mode, either cpu, memory, mutex or block |
| `--agent-access-token value` | The access token used to identify the agent |
| `--endpoint value` | The Agent API endpoint (default: " |
| `--no-http2` | Disable HTTP2 when communicating with the Agent API. |
| `--debug-http` | Enable HTTP debug mode, which dumps all request and response bodies to the log |
| `--trace-http` | Enable HTTP trace mode, which logs timings for each HTTP request. Timings are logged at the debug level unless a request fails at the network level, in which case they are logged at the error level |
| `--job value` | Which job the secret should be for |
| `--format value` | The output format, either 'default', 'json', or 'env'. When 'default', a single secret will print just the value, while multiple secrets will print JSON. When 'json' or 'env', secrets will be printed as key-value pairs in the requested format (default: "default") |
| `--skip-redaction` | Skip redacting the retrieved secret from the logs. With this flag set, the command will print the secret to the job's logs if called directly. |