Ability to specify which environment variables are masked by Secret Masking

In some cases environment variables are useful to print out; it would be helpful to be able to whitelist the ones we'd like to show.

  • Guest
  • Nov 6 2019
  • New
  • James Edwards commented
    06 Feb 21:18

    Are only environment variables masked, or does CircleCI have any additional pattern-based masking? If so, I'd like a way to surround output I don't want to be masked with some kind of escape sequence.

  • Ryan Shillington commented
    04 Jan 16:28

    We print out URLs in our logs to heavier deeper logs, such as:


    The command failed. For more information, check the Cloudwatch logs:


    But none of those URLs work anymore because we made our region an Environment variable.  There are others that print out the ARN of a resource that fails.  They're broken because our AWS account number (which is not really a secret) is a variable too, in case we need to break up products to different accounts.

  • Guest commented
    December 20, 2019 14:21

    This problem is exacerbated by the fact that developers do not control the use of environment variables for Orbs, some of which use them for config instead of secrets. 

  • Guest commented
    December 20, 2019 14:20

    Yeah this is pretty broken. Our company name is masked because it’s also our SENTRY_ORG for some projects. 

  • Erik Pukinskis commented
    December 01, 2019 23:36

    Yeah, in some cases the masking has been confusing for our developers. In particular, having an `ENVIRONMENT=test` variable I think is quite common. But every instance of the word "test" is blotted out in our logs, e.g.:


    PASS api/__****s__/raters/westchester/serial/mpl/requestQuoteUtils.****.ts (13.295s, 198 MB heap size)


    should read


    PASS api/__tests__/raters/westchester/serial/mpl/requestQuoteUtils.test.ts (13.295s, 198 MB heap size)
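
The over-masking reported in this thread, and the requested allowlist, as an added example that is not CircleCI's code: a simplified model that masks every occurrence of a variable's value, with a per-name exemption that refuses to exempt names marked as secrets. `build_masker`, `ENV`, `SECRET_NAMES` and the sample values are hypothetical.

```python
import re

MASK = "****"

# Constructed sample environment; names and values are illustrative only.
ENV = {
    "ENVIRONMENT": "test",
    "AWS_REGION": "us-east-1",
    "API_TOKEN": "tok_constructed_9f3a",
}
SECRET_NAMES = {"API_TOKEN"}  # assumption: the names that hold real secrets

def build_masker(env, allow_names=(), secret_names=SECRET_NAMES):
    """Return a function that masks every occurrence of a variable's value.

    Variables listed in allow_names are exempt; a name that is also in
    secret_names is rejected so a secret cannot be allowlisted by mistake.
    """
    allowed = set(allow_names)
    clash = allowed & set(secret_names)
    if clash:
        raise ValueError(f"refusing to unmask secrets: {sorted(clash)}")
    values = sorted(
        {v for k, v in env.items() if k not in allowed and v},
        key=len, reverse=True,  # longest first, so overlapping values mask whole
    )
    if not values:
        return lambda line: line
    pattern = re.compile("|".join(re.escape(v) for v in values))
    return lambda line: pattern.sub(MASK, line)

# Log line quoted in the thread, in its unmasked form.
TEST_LINE = ("PASS api/__tests__/raters/westchester/serial/mpl/"
             "requestQuoteUtils.test.ts (13.295s, 198 MB heap size)")
DEPLOY_LINE = "deploy to us-east-1 using tok_constructed_9f3a"  # constructed

if __name__ == "__main__":
    mask_all = build_masker(ENV)
    mask_some = build_masker(ENV, allow_names={"ENVIRONMENT", "AWS_REGION"})
    for line in (TEST_LINE, DEPLOY_LINE):
        print(mask_all(line))   # every variable value is blotted out
        print(mask_some(line))  # only the secret stays masked
```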