Access control and YAML integration for secrets

We are excited to share the latest security and usability improvements we have made to Buildkite secrets, a secure key-value store for managing sensitive data across your pipelines.

Direct integration into YAML steps

While you can still access secrets through the buildkite-agent secret get command, we have now introduced the ability to load secrets directly into your jobs' environment using a new secrets key in your pipeline YAML.

# Loaded into environment for all steps in the build
secrets:
  - API_ACCESS_TOKEN

steps:
  - command: scripts/deploy.sh
    # Loaded into environment for this step only
    secrets:
      - DEPLOY_KEY

  - command: scripts/lint.sh

In order to reference Buildkite secrets via pipeline YAML, buildkite-agent v3.106.0 or later is required.

Policy-based access control

Policies let you restrict secret access within a cluster based on the context of a build - from broad access for an entire cluster to specific conditions such as particular pipelines, branches, or users.

For example, to allow access only from main builds created by a chosen team on a given pipeline:

- pipeline_slug: "my-pipeline"
  build_branch: "main"
  build_creator_team: "e2b7c3f4-1a5d-4e6b-9c8d-2f3a4b5c6d7e"

For the full list of claims and further examples, see the secrets documentation.
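
To see which builds a rule like the one above admits before relying on it, the sketch below models the matching locally. It is an added example, not Buildkite's code: it assumes every claim in a rule must match, that any one matching rule grants access, and that a claim missing from the build context denies; the build contexts are constructed.

```python
# Added example: a local model of rule matching, not Buildkite's implementation.
# Assumptions: every claim in a rule must match; any one matching rule grants
# access; a claim missing from the build context never matches (fail closed).
TEAM = "e2b7c3f4-1a5d-4e6b-9c8d-2f3a4b5c6d7e"

# The policy from this changelog entry, as it looks after YAML parsing.
POLICY = [{"pipeline_slug": "my-pipeline", "build_branch": "main",
           "build_creator_team": TEAM}]

def claim_matches(expected, actual):
    """A creator may be in several teams (assumption): lists match by membership."""
    if isinstance(actual, (list, tuple, set)):
        return expected in actual
    return expected == actual

def evaluate(policy, build):
    """Return (allowed, denials); denials holds (rule index, failed claims)."""
    if not policy:
        raise ValueError("model only covers a policy with at least one rule")
    denials = []
    for index, rule in enumerate(policy):
        failed = sorted(claim for claim, expected in rule.items()
                        if claim not in build
                        or not claim_matches(expected, build[claim]))
        if not failed:
            return True, []
        denials.append((index, failed))
    return False, denials

# Constructed build contexts covering the allowed case and each way to miss it.
BUILDS = {
    "main, chosen team": {"pipeline_slug": "my-pipeline", "build_branch": "main",
                          "build_creator_team": [TEAM, "constructed-other-team"]},
    "feature branch": {"pipeline_slug": "my-pipeline", "build_branch": "feature/x",
                       "build_creator_team": [TEAM]},
    "other pipeline, other team": {"pipeline_slug": "docs", "build_branch": "main",
                                   "build_creator_team": ["constructed-other-team"]},
    "team claim absent": {"pipeline_slug": "my-pipeline", "build_branch": "main"},
}

if __name__ == "__main__":
    for name, build in BUILDS.items():
        allowed, denials = evaluate(POLICY, build)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {denials}")
```

The denial list names the claims that failed, which makes it easy to confirm that a rule is as narrow as intended.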

David

© Buildkite Pty Ltd 2025