Date: 2025-10-03

Access control and YAML integration for secrets

We are excited to share the latest security and usability improvements we have made to Buildkite secrets, a secure key-value store for managing sensitive data across your pipelines.

Direct integration into YAML steps

While you can still access secrets through the buildkite-agent secret get command, we have now introduced the ability to load secrets directly into your jobs' environment using a new secrets key in your pipeline YAML.

# Loaded into environment for all steps in the build
secrets:
  - API_ACCESS_TOKEN

steps:
  - command: scripts/deploy.sh
    # Loaded into environment for this step only
    secrets:
      - DEPLOY_KEY

  - command: scripts/lint.sh

In order to reference Buildkite secrets via pipeline YAML, buildkite-agent v3.106.0 or later is required.
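
An added example, not Buildkite's own code: a Ruby script that reads a pipeline definition and reports which secrets end up in each command step's environment, following the scoping shown above (build-level secrets reach every step, step-level secrets reach only their step). It assumes the list-of-names form of the secrets key used in this post; the function names and the sample constant are hypothetical.

```ruby
require 'yaml'

# Constructed sample input: the pipeline from the post above.
SAMPLE_PIPELINE = <<~YAML
  secrets:
    - API_ACCESS_TOKEN

  steps:
    - command: scripts/deploy.sh
      secrets:
        - DEPLOY_KEY

    - command: scripts/lint.sh
YAML

# Parse the pipeline; anything that is not a mapping is treated as empty.
def load_pipeline(pipeline_yaml)
  doc = YAML.safe_load(pipeline_yaml)
  doc.is_a?(Hash) ? doc : {}
end

# Returns { step command => sorted secret names present in that step's environment }.
# Assumption: `secrets` is a plain list of names, as in the post.
def secret_exposure(pipeline_yaml)
  doc = load_pipeline(pipeline_yaml)
  build_wide = Array(doc['secrets']).map(&:to_s)
  exposure = {}
  Array(doc['steps']).each_with_index do |step, i|
    next unless step.is_a?(Hash) && step.key?('command') # skip non-command steps
    label = Array(step['command']).join(' && ')
    label = "#{label} (step #{i + 1})" if exposure.key?(label)
    exposure[label] = (build_wide + Array(step['secrets']).map(&:to_s)).uniq.sort
  end
  exposure
end

# Build-level secrets reach every command step; list each with the steps it reaches
# so a reviewer can decide whether it should move to step scope.
def build_wide_findings(pipeline_yaml)
  steps = secret_exposure(pipeline_yaml).keys
  Array(load_pipeline(pipeline_yaml)['secrets']).to_h { |name| [name.to_s, steps] }
end

if __FILE__ == $PROGRAM_NAME
  secret_exposure(SAMPLE_PIPELINE).each { |cmd, names| puts "#{cmd}: #{names.join(', ')}" }
  build_wide_findings(SAMPLE_PIPELINE).each do |name, steps|
    puts "review: #{name} is loaded build-wide and reaches #{steps.size} step(s)"
  end
end
```

On the sample, the report shows that scripts/lint.sh also receives API_ACCESS_TOKEN, which is the case to review when only the deploy step needs it.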

Policy-based access control

Policies let you restrict secret access within a cluster based on the context of a build, ranging from broad access for an entire cluster to specific conditions such as particular pipelines, branches, or users.

For example, to allow access only from main builds from a chosen team on a given pipeline:

- pipeline_slug: "my-pipeline"
  build_branch: "main"
  build_creator_team: "e2b7c3f4-1a5d-4e6b-9c8d-2f3a4b5c6d7e"

For the full list of claims and further examples, see the secrets documentation.

