Access control and YAML integration for secrets

We are excited to share the latest security and usability improvements we have made to Buildkite secrets, a secure key-value store for managing sensitive data across your pipelines.

Direct integration into YAML steps

While you can still access secrets through the buildkite-agent secret get command, we have now introduced the ability to load secrets directly into your jobs' environment using a new secrets key in your pipeline YAML.

# Loaded into environment for all steps in the build
secrets:
  - API_ACCESS_TOKEN

steps:
  - command: scripts/deploy.sh
    # Loaded into environment for this step only
    secrets:
      - DEPLOY_KEY

  - command: scripts/lint.sh

In order to reference Buildkite secrets via pipeline YAML, buildkite-agent v3.106.0 or later is required.

Policy-based access control

Policies let you restrict secret access within a cluster based on the context of a build - from broad access from an entire cluster to specific conditions like particular pipelines, branches, or users.

For example, to only allow access from main builds from a chosen team on a given pipeline:

- pipeline_slug: "my-pipeline"
  build_branch: "main"
  build_creator_team: "e2b7c3f4-1a5d-4e6b-9c8d-2f3a4b5c6d7e"

For the full list of claims and further examples, see the secrets documentation.