CircleCI Ideas

Ability to specify which environment variables are masked by Secret Masking

In some cases environment variables are useful to print out; it would be helpful to be able to whitelist the ones we'd like to show.

  • Guest
  • Nov 6 2019
  • New
  • Guest commented
    December 01, 2019 23:36

    Yeah, in some cases the masking has been confusing for our developers. In particular, having an `ENVIRONMENT=test` variable I think is quite common. But every instance of the word "test" is blotted out in our logs, e.g.:

    PASS api/__****s__/raters/westchester/serial/mpl/requestQuoteUtils.****.ts (13.295s, 198 MB heap size)

    should read

    PASS api/__tests__/raters/westchester/serial/mpl/requestQuoteUtils.test.ts (13.295s, 198 MB heap size)

  • Guest commented
    December 20, 2019 14:20

    Yeah this is pretty broken. Our company name is masked because it’s also our SENTRY_ORG for some projects. 

  • Guest commented
    December 20, 2019 14:21

    This problem is exacerbated by the fact that developers do not control the use of environment variables for Orbs, some of which use them for config instead of secrets. 

  • Guest commented
    04 Jan 16:28

    We print out URLs in our logs to heavier, deeper logs, such as:

    The command failed. For more information, check the Cloudwatch logs:
             https://console.aws.amazon.com/cloudwatch/home?region=*********#logEventViewer:group=/aws/build/cicd;stream=1111-b622-4fcb-af4a-9abe5af3b563/i-01567898788c40fc82/runShell

    But none of those URLs work anymore because we made our region an environment variable. There are others that print out the ARN of a resource that fails. They're broken because our AWS account number (which is not really a secret) is a variable too, in case we need to break up products to different accounts.
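
The behaviour described in the comments above, together with the requested allowlist, can be modelled as follows. This is an added example, not CircleCI's implementation and not code from any commenter: `build_masker`, `allow` and `min_len` are hypothetical names, the environment values and log text are constructed, and masking each match with asterisks of equal length is an assumption chosen to match the log lines quoted in the thread.

```python
import re

def build_masker(env, allow=frozenset(), min_len=4):
    """Return a function that redacts env var values from log text.

    env     -- mapping of variable name to value
    allow   -- names exempt from masking (the allowlist this thread asks for)
    min_len -- assumption: shorter values are skipped, since masking them
               would blot out large parts of ordinary output
    """
    values = {v for name, v in env.items()
              if name not in allow and len(v) >= min_len}
    if not values:
        return lambda text: text
    # Longest first, so a value that contains another value is masked whole.
    ordered = sorted(values, key=len, reverse=True)
    pattern = re.compile("|".join(map(re.escape, ordered)))
    # Matching is by value, not by name: every occurrence of the string is
    # replaced, which is why "test" disappears from file names as well.
    return lambda text: pattern.sub(lambda m: "*" * len(m.group()), text)

# Constructed sample data (not taken from a real project).
ENV = {
    "ENVIRONMENT": "test",                       # configuration, not a secret
    "AWS_REGION": "us-east-1",                   # configuration, not a secret
    "DEPLOY_TOKEN": "tok_constructed_0123456789",  # the only real secret here
}
LOG = (
    "PASS api/__tests__/raters/westchester/serial/mpl/requestQuoteUtils.test.ts\n"
    "region=us-east-1 deploy token tok_constructed_0123456789\n"
)

def demo():
    """Return (log masked with every variable, log masked with an allowlist)."""
    mask_all = build_masker(ENV)
    # Allowlisted names are printed verbatim wherever their value appears,
    # so only values that are safe to publish in build logs belong here.
    mask_secrets = build_masker(ENV, allow={"ENVIRONMENT", "AWS_REGION"})
    return mask_all(LOG), mask_secrets(LOG)

if __name__ == "__main__":
    for output in demo():
        print(output)
```

With every variable masked, the first log line comes out exactly as quoted in the first comment; with `ENVIRONMENT` and `AWS_REGION` allowlisted, only the token is redacted.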