Access control and YAML integration for secrets
We are excited to share the latest security and usability improvements we have made to Buildkite secrets, a secure key-value store for managing sensitive data across your pipelines.
Direct integration into YAML steps
While you can still access secrets through the buildkite-agent secret get command, we have now introduced the ability to load secrets directly into your jobs' environment using a new secrets key in your pipeline YAML.
    # Loaded into environment for all steps in the build
    secrets:
      - API_ACCESS_TOKEN
    steps:
      - command: scripts/deploy.sh
        # Loaded into environment for this step only
        secrets:
          - DEPLOY_KEY
      - command: scripts/lint.sh
In order to reference Buildkite secrets via pipeline YAML, buildkite-agent v3.106.0 or later is required.
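The scoping in the sample pipeline can be checked mechanically before a change is merged. The following is an added example, not Buildkite's code: it takes the pipeline as the dictionary a YAML parser would return, assumes the list form of the secrets key shown above, and reports which secrets each step's environment receives. The function names are hypothetical.

```python
# Added example. PIPELINE is the page's sample pipeline as a YAML parser
# would return it (constructed inline so the script runs offline).
PIPELINE = {
    "secrets": ["API_ACCESS_TOKEN"],  # build level: loaded for every step
    "steps": [
        {"command": "scripts/deploy.sh", "secrets": ["DEPLOY_KEY"]},
        {"command": "scripts/lint.sh"},
    ],
}


def command_steps(pipeline):
    """Yield (name, step) for each step that runs a command."""
    for step in pipeline.get("steps", []):
        if isinstance(step, dict) and "command" in step:
            yield str(step.get("label") or step["command"]), step


def effective_secrets(pipeline):
    """Map each command step to every secret loaded into its environment."""
    build_level = set(pipeline.get("secrets", []))
    return {
        name: sorted(build_level | set(step.get("secrets", [])))
        for name, step in command_steps(pipeline)
    }


def inherited_only(pipeline):
    """Map each build-level secret to the steps that get it without listing it.

    These steps are the ones to review when deciding whether the secret
    should move down to step level.
    """
    return {
        secret: [
            name for name, step in command_steps(pipeline)
            if secret not in step.get("secrets", [])
        ]
        for secret in pipeline.get("secrets", [])
    }


if __name__ == "__main__":
    for name, secrets in effective_secrets(PIPELINE).items():
        print(f"{name}: {', '.join(secrets) or '(none)'}")
    for secret, steps in inherited_only(PIPELINE).items():
        print(f"{secret} is build-wide; inherited by: {', '.join(steps)}")
```

On the sample pipeline this shows that scripts/lint.sh also receives API_ACCESS_TOKEN, because it is declared at build level, while DEPLOY_KEY reaches only scripts/deploy.sh.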
Policy-based access control
Policies let you restrict secret access within a cluster based on the context of a build, from broad access for an entire cluster to specific conditions like particular pipelines, branches, or users.
For example, to only allow access from main builds from a chosen team on a given pipeline:
    - pipeline_slug: "my-pipeline"
      build_branch: "main"
      build_creator_team: "e2b7c3f4-1a5d-4e6b-9c8d-2f3a4b5c6d7e"
For the full list of claims and further examples, see the secrets documentation.
David

